Navigate

CCI-003194

CCI-003194 Definition

The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at an organization-defined depth of testing/evaluation.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service verify that the scope of security testing/evaluation provides complete coverage of required security controls at the depth of testing/evaluation defined in SA-11 (7), CCI 3195.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service verify that the scope of security testing/evaluation provides complete coverage of required security controls at the depth of testing/evaluation defined in SA-11 (7), CCI 3195.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan showing scope of security testing/evaluation provides complete coverage of required security controls.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003194.

Control	Description
SA-11 (7)	The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].