CCI-003191

The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform penetration testing.

Implementation Guidance

The organization being inspected/assessed defines and documents the breadth/depth the developer of the information system, system component, or information system service is required to perform penetration testing. DoD has determined the breadth/depth are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented breadth/depth to ensure the organization being inspected/assessed defines the breadth/depth the developer of the information system, system component, or information system service is required to perform penetration testing. DoD has determined the constraints are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan must define the breadth/depth the developer is required to perform penetration testing.

The controls below (if any) were marked by NIST as being related to CCI-003191.