CCI-004807
CCI-004807 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets [SA-11(02)_ODP[05]; acceptance criteria to be met by produced evidence for threat modeling are defined].
- the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets [SA-11(02)_ODP[05]; acceptance criteria to be met by produced evidence for threat modeling are defined].
- the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets [SA-11(02)_ODP[06]; acceptance criteria to be met by produced evidence for vulnerability analyses are defined].
- the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets [SA-11(02)_ODP[06]; acceptance criteria to be met by produced evidence for vulnerability analyses are defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security test plans; records of developer security testing results for the system, system component, or system service; vulnerability scanning results; system risk assessment reports; threat and vulnerability analysis reports; system security plan; supply chain risk management plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; organizational personnel with supply chain risk management responsibilities].
Test: [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].