CCI-003185

Defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing and evaluation.

Implementation Guidance

Determine if: - an independent agent is required to satisfy [SA-11(03)_ODP; independence criteria to be satisfied by an independent agent are defined] to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation. - an independent agent is required to satisfy [SA-11(03)_ODP; independence criteria to be satisfied by an independent agent are defined] to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; independent verification and validation reports; security and privacy assessment plans; results of security and privacy assessments for the system, system component, or system service; system security plan; privacy plan; privacy program plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent]. Test: [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].

The controls below (if any) were marked by NIST as being related to CCI-003185.