CCI-003195

Defines the depth of testing and evaluation to which the developer of the system, system component, or system service is required to verify that the scope of security testing and evaluation provides complete coverage of the required controls.

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at [SA-11(07)_ODP[01]; the breadth of testing and evaluation of required controls is defined]. - the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at [SA-11(07)_ODP[02]; the depth of testing and evaluation of required controls is defined].

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent]. Test: [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].

The controls below (if any) were marked by NIST as being related to CCI-003195.