CCI-003249

The organization defines the frequency on which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.

Implementation Guidance

The organization being inspected/assessed defines and documents the frequency that is required by the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics. DoD has determined the frequency is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency that is required by the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics. DoD has determined the frequency is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan defining the frequency requiring developers of the information system, system component or information system service to provide evidence of meeting the quality metrics.

The controls below (if any) were marked by NIST as being related to CCI-003249.