Navigate

CCI-003187

CCI-003187 Definition

The organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform a manual code review of specific code defined in SA-11 (4), CCI 3188 using processes, procedures, and/or techniques defined in SA-11 (4), CCI 3189.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform a manual code review of specific code defined in SA-11 (4), CCI 3188 using processes, procedures, and/or techniques defined in SA-11 (4), CCI 3189.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan must require developer to perform a manual code review of organization-defined specific code using organization defined processes, procedures, and/or techniques.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003187.

Control	Description
SA-11 (4)	The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].