CCI-003214
CCI-003214 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements processes to employ organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of the supply chain elements, processes and actors defined in SA-12 (11), CCI 3215, that are associated with the information system, system component, or information system service. Penetration testing/analysis should be performed: 1. On potential system elements before the system is accepted; 2. As a realistic simulation of the known tactics, techniques, procedures (TTPs), and tools of an active adversary; and 3. Throughout the lifecycle, on physical and logical systems, elements, and processes.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented processes to ensure the organization being inspected/assessed employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of the supply chain elements, processes and actors defined in SA-12 (11), CCI 3215, that are associated with the information system, system component, or information system service.
Compelling Evidence
1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for employing organizational or independent third-party analysis, or organizational or independent third-party penetration testing, of the organization-defined supply chain elements, processes and actors associated with the information system, system components or information system service.