CCI-003215
CCI-003215 Definition
Status:
Type: CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.

Penetration testing should be performed throughout the lifecycle on physical and logical systems, elements, and processes, including:

1. Hardware, software, and firmware development processes;
2. Shipping/handling procedures;
3. Personnel and physical security programs;
4. Configuration management tools/measures to maintain provenance; and
5. Any other programs, processes, or procedures associated with the production/distribution of supply chain elements.

The elements, processes, and actors must be defined IAW DoDI 5200.44. DoD has determined the elements, processes, and actions are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented supply chain elements, processes, and actors to ensure the organization being inspected/assessed defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing IAW DoDI 5200.44. DoD has determined the elements, processes, and actions are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan for defining organizational or independent third-party analysis, organizational or independent penetration testing, or organization-defined supply chain elements, processes, and actors associated with the information system, system components, or information system service.