CCI-003272

CCI-003272 Definition

| Status | |
| Type | CheckType.policy |

Master Assessment Datasheet

Implementation Guidance
Determine if the developer of the system, system component, or system service is required to reduce attack surfaces to [SA-15(05)_ODP; thresholds to which attack surfaces are to be reduced are defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing attack surface reduction; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system or system service; system design documentation; network diagram; system configuration settings and associated documentation establishing/enforcing organization-defined thresholds for reducing attack surfaces; list of restricted ports, protocols, functions, and services; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for attack surface reduction thresholds; system developer].

Test: [SELECT FROM: Organizational processes for defining attack surface reduction thresholds].