CCI-003274

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; quality goals and metrics for improving the system development process; security assessments; quality control reviews of system development process; plans of action and milestones for improving the system development process; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer].

The controls below (if any) were marked by NIST as being related to CCI-003274.