CCI-003386

Implementation Guidance

Determine if [SA-20_ODP; critical system components to be reimplemented or custom-developed are defined] are reimplemented or custom-developed.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the customized development of critical system components; system design documentation; system configuration settings and associated documentation; system development life cycle documentation addressing the custom development of critical system components; configuration management records; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the reimplementation or customized development of critical system components]. Test: [SELECT FROM: Organizational processes for the reimplementation or customized development of critical system components; mechanisms supporting and/or implementing the reimplementation or customized development of critical system components].