CCI-003381

Defines additional personnel screening criteria that must be satisfied by the developer of an organization-defined system, system component, or system service.

Implementation Guidance

Determine if the developer of [SA-21_ODP[01]; the system, systems component, or system service that the developer has access to is/are defined] is required to satisfy [SA-21_ODP[03]; additional personnel screening criteria for the developer are defined].

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; personnel security policy and procedures; procedures addressing personnel screening; system design documentation; acquisition documentation; service level agreements; acquisition contracts for developer services; system configuration settings and associated documentation; list of appropriate access authorizations required by the developers of the system; personnel screening criteria and associated documentation; system security plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for developer screening]. Test: [SELECT FROM: Organizational processes for developer screening; mechanisms supporting developer screening].

The controls below (if any) were marked by NIST as being related to CCI-003381.