CCI-003190

The organization requires the developer of the information system, system component, or information system service to perform penetration testing at an organization-defined breadth/depth and with organization-defined constraints.

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform penetration testing at a breadth/depth defined in SA-11 (5), CCI 3191 and with constraints defined in SA-11 (5), CCI 3192.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform penetration testing at a breadth/depth defined in SA-11 (5), CCI 3191 and with constraints defined in SA-11 (5), CCI 3192.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan must require developer to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints defined in SA-11 (5), CCI 3191 and with constraints defined in SA-11 (5), CCI 3192.

The controls below (if any) were marked by NIST as being related to CCI-003190.