Navigate

CCI-003318

CCI-003318 Definition

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan describing the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003318.

Control	Description
SA-17 (3)	The organization requires the developer of the information system, system component, or information system service to: SA-17 (3)(a): Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; SA-17 (3)(b): Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; SA-17 (3)(c): Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; SA-17 (3)(d): Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and SA-17 (3)(e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Control

Description

SA-17 (3)

The organization requires the developer of the information system, system component, or information system service to:

SA-17 (3)(a): Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;

SA-17 (3)(b): Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;

SA-17 (3)(c): Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

SA-17 (3)(d): Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and

SA-17 (3)(e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.