Navigate

CCI-003385

CCI-003385 Definition

The organization requires that the developer of an organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed requires within contracts that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 have appropriate access authorizations as determined by assigned official government duties defined in SA-21, CCI 3383.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 have appropriate access authorizations as determined by assigned official government duties defined in SA-21, CCI 3383.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan that requires the developers of organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003385.

Control	Description
SA-21	The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: SA-21a.: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and SA-21b.: Satisfy [Assignment: organization-defined additional personnel screening criteria].