CCI-003176

The organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation.

Implementation Guidance

The organization being inspected/assessed requires the developer to produce and provide results of the security testing/evaluation.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce the results of the security testing/evaluation.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation must require developer results of security testing/evaluation.

The controls below (if any) were marked by NIST as being related to CCI-003176.