CCI-003275

Require the developer of the system, system component, or system services, on an organization-defined frequency, to perform an automated vulnerability analysis using organization-defined tools.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to perform automated vulnerability analysis [SA-15(07)_ODP[01]; frequency at which to conduct vulnerability analysis is defined] using [SA-15(07)_ODP[02]; tools used to perform automated vulnerability analysis are defined].

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; vulnerability analysis tools and associated documentation; risk assessment reports; vulnerability analysis results; vulnerability mitigation reports; risk mitigation strategy documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel performing automated vulnerability analysis on the system]. Test: [SELECT FROM: Organizational processes for vulnerability analysis of systems, system components, or system services under development; mechanisms supporting and/or implementing vulnerability analysis of systems, system components, or system services under development].

The controls below (if any) were marked by NIST as being related to CCI-003275.