CCI-003189
CCI-003189 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed requires in contracts/agreements that the developer define and document the processes, procedures, and/or techniques to be used to perform a manual code review of organization-defined specific code. Manual code reviews identify weaknesses that automated analytic tools and techniques, such as static or dynamic analysis, generally cannot detect. Manual code reviews should therefore be performed in conjunction with automated testing, such as static or dynamic analysis, to provide greater depth of analysis. DoD has determined the processes, procedures, and/or techniques are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented processes, procedures, and/or techniques to ensure the organization being inspected/assessed defines the processes, procedures, and/or techniques to be used by the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code. DoD has determined the processes, procedures, and/or techniques are not appropriate to define at the Enterprise level.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan, which must require the developer to define the processes, procedures, and/or techniques to be used to perform a manual code review of organization-defined specific code.