CCI-003292

The organization defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

Implementation Guidance

The organization being inspected/assessed defines and documents the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms. DoD has determined the training is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented training to ensure the organization being inspected/assessed defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms. DoD has determined the training is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan that defines the training developers of the information system, system component or information system service are required to provide on the use and operation of the implemented security functions, controls and/or mechanisms.

The controls below (if any) were marked by NIST as being related to CCI-003292.