CCI-004830
CCI-004830 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis [SA-15(07)_ODP[01]; frequency at which to conduct vulnerability analysis is defined] to [SA-15(07)_ODP[03]; personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; vulnerability analysis tools and associated documentation; risk assessment reports; vulnerability analysis results; vulnerability mitigation reports; risk mitigation strategy documentation; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel performing automated vulnerability analysis on the system].
Test: [SELECT FROM: Organizational processes for vulnerability analysis of systems, system components, or system services under development; mechanisms supporting and/or implementing vulnerability analysis of systems, system components, or system services under development].