CCI-003195
CCI-003195 Definition
| Field | Value |
| --- | --- |
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls. The developer can accomplish scope verification through a variety of analytic techniques that provide an increasing level of assurance corresponding to the degree of formality of the analysis. High levels of assurance can be provided by the use of formal modeling and analysis techniques including theorem provers, model checkers, and correlation between control implementation and corresponding test cases. DoD has determined the depth of testing/evaluation is not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented depth of testing/evaluation to ensure the organization being inspected/assessed defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls. DoD has determined the depth of testing/evaluation is not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan showing that the scope of security testing/evaluation provides complete coverage of the required security controls.