CCI-003384

The organization defines the information system, system component, or information system service which requires the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.

Implementation Guidance

The organization being inspected/assessed defines and documents the information system, system component, or information system service which require the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria. DoD has determined the information system, system component, or information system service is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented information system, system component, or information system service to ensure the organization being inspected/assessed defines the information system, system component, or information system service which require the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria. DoD has determined the information system, system component, or information system service is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan that defines the information system, system component, or information system service which require the information system developers to have appropriate access authorizations and satisfy additional personnel screening criteria.

The controls below (if any) were marked by NIST as being related to CCI-003384.