CCI-003387

Implementation Guidance

The organization being inspected/assessed re-implements or custom develops critical information system components defined in SA-20, CCI 3386.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines hardware and software lists to ensure that no commercial off-the-shelf components are used as critical information system components defined in SA-20, CCI 3386.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for re-implementing or custom developing organization-defined critical information system components.