CCI-003203
CCI-003203 Definition
Status:
Type: CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed or an independent, third-party entity must perform and document assessments that may include static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensure that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Where possible, testing should employ threat profiles based on the threats that the system is likely to face in the operational environment.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines documented assessment(s) that were conducted by the organization prior to selection, acceptance, or update to ensure that the organization being inspected/assessed is assessing information systems, system components, or information system services prior to selection, acceptance, or update.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan for assessment of the information system, system components, or information system services prior to selection, acceptance, or update.