CCI-003353

The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.

Implementation Guidance

The organization being inspected/assessed defines and documents the information systems, system components, or devices to inspect at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering. DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented information systems, system components, or devices to ensure the organization being inspected/assessed defines the information systems, system components, or devices to inspect at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering. DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for defining the information systems, system components, or devices to inspect at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.

The controls below (if any) were marked by NIST as being related to CCI-003353.