CCI-003188

The organization defines the specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques.

Implementation Guidance

The organization being inspected/assessed defines and documents the specific code that requires the developer of the information system, system component, or information system service to perform a manual code review against using organization-defined process, procedures, and/or techniques. The defined code shall include: 1. random samples; and 2. critical software and firmware components of information systems. DoD has determined the specific code is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented specific code to ensure the organization being inspected/assessed defines the specific code that requires the developer of the information system, system component, or information system service to perform a manual code review against using organization-defined process, procedures, and/or techniques. DoD has determined the specific code is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan must define the specific code that the developer will use to perform a manual code review of organization-defined specific code using organization defined processes, procedures, and/or techniques.

The controls below (if any) were marked by NIST as being related to CCI-003188.