CCI-003290

Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.

Implementation Guidance

Determine if the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system or system component; evidence of archived system or component; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with privacy responsibilities].

The controls below (if any) were marked by NIST as being related to CCI-003290.