Navigate

CCI-003241

CCI-003241 Definition

The organization reviews the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to review the development process before first use and annually thereafter to determine if the development process selected and employed can satisfy the security requirements defined in SA-15, CCI 3246. Reviews of development processes can include, for example, the use of capability maturity model integration (CMMI) to determine the potential effectiveness of such processes. The organization must maintain a record of reviews. DoD has defined the frequency as before first use and annually thereafter.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the development process before first use and annually thereafter to determine if the development process selected and employed can satisfy the security requirements defined in SA-15, CCI 3246. DoD has defined the frequency as before first use and annually thereafter.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for reviewing the organization-defined frequency to ensure the development process selected and employed can satisfy organization-defined security requirements.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003241.

Control	Description
SA-15	The organization: SA-15a.: Requires the developer of the information system, system component, or information system service to follow a documented development process that: SA-15a.1.: Explicitly addresses security requirements; SA-15a.2.: Identifies the standards and tools used in the development process; SA-15a.3.: Documents the specific tool options and tool configurations used in the development process; and SA-15a.4.: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and SA-15b.: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].

Control

Description

SA-15

The organization:

SA-15a.: Requires the developer of the information system, system component, or information system service to follow a documented development process that:
- SA-15a.1.: Explicitly addresses security requirements;
- SA-15a.2.: Identifies the standards and tools used in the development process;
- SA-15a.3.: Documents the specific tool options and tool configurations used in the development process; and
- SA-15a.4.: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

SA-15b.: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].