CCI-003183
CCI-003183 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed requires within contracts/agreements that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the correct implementation of the developer security assessment plan.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the correct implementation of the developer security assessment plan.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation must require an independent agent to verify the correct implementation of the developer-created Security Assessment Plan.