Navigate

CCI-003233

CCI-003233 Definition

Require the developer of the system, system component, or system service to follow a documented development process.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing development process, standards, and tools; procedures addressing the integration of security and privacy requirements during the development process; solicitation documentation; acquisition documentation; critical component inventory documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer documentation listing tool options/configuration guides; configuration management policy; configuration management records; documentation of development process reviews using maturity models; change control records; configuration control records; documented reviews of the development process, standards, tools, and tool options/configurations; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003233.

Control	Description
SA-15	a: Require the developer of the system, system component, or system service to follow a documented development process that: 1: Explicitly addresses security and privacy requirements; 2: Identifies the standards and tools used in the development process; 3: Documents the specific tool options and tool configurations used in the development process; and 4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b: Review the development process, standards, tools, tool options, and tool configurations [frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [one of ].

Control

Description

SA-15

a: Require the developer of the system, system component, or system service to follow a documented development process that:
- 1: Explicitly addresses security and privacy requirements;
- 2: Identifies the standards and tools used in the development process;
- 3: Documents the specific tool options and tool configurations used in the development process; and
- 4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

b: Review the development process, standards, tools, tool options, and tool configurations [frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [one of ].