CCI-004308

Defines the controls that are allocated to the organization-defined locations and architectural layers.

Implementation Guidance

Determine if [PL-08(02)_ODP[01]; controls to be allocated are defined] that are allocated to [PL-08(02)_ODP[02]; locations and architectural layers are defined] are required to be obtained from different suppliers.

Validation Procedures

Examine: [SELECT FROM: Security and privacy planning policy; procedures addressing information security and privacy architecture development; enterprise architecture documentation; information security and privacy architecture documentation; system security plan; privacy plan; security and privacy CONOPS for the system; IT acquisitions policy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for obtaining information security and privacy safeguards from different suppliers].

The controls below (if any) were marked by NIST as being related to CCI-004308.