CCI-003381
CCI-003381 Definition
Status | |
Type | policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents additional personnel screening criteria that must be satisfied by the developer of the organization-defined information system, system component, or information system service. DoD has determined that the additional personnel screening criteria are not appropriate to define at the Enterprise level. The organization should ensure that the developer is trustworthy by performing a review of the developer that may include:
1. Organization and process certifications;
2. Security policies, procedures, and activities across the lifecycle;
3. Supply chain and how suppliers select/manage their suppliers/service providers;
4. Financials to determine if the supplier is financially stable;
5. Foreign Ownership, Control, and Influence;
6. Past performance and vulnerabilities;
7. Business relationships;
8. Maturity of business processes; and
9. Developer screening practices that may include:
   a. Evaluating and vetting key personnel through security reviews (including clearance, satisfactory background checks, citizenship, and nationality) by acquirers or suppliers in any capacity (full-time employee, part-time employee, consultant, contractor, subcontractor, vendor, agent, etc.);
   b. Reevaluating personnel through security reviews and assessments on a periodic basis or upon occurrence of specific significant events.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented additional personnel screening criteria to ensure the organization being inspected/assessed defines additional personnel screening criteria that must be satisfied by the developer of the organization-defined information system, system component, or information system service. DoD has determined that the additional personnel screening criteria are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan for defining additional personnel screening criteria that must be satisfied by the developers of the organization-defined information system, system component, or information system service.