CCI-004832

Require the developer of the system, system component, or system service to test an incident response plan.

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to provide an incident response plan. - the developer of the system, system component, or system service is required to implement an incident response plan. - the developer of the system, system component, or system service is required to test an incident response plan.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing incident response, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system components or services; acquisition documentation; solicitation documentation; service level agreements; developer incident response plan; system security plan; privacy plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with supply chain risk management responsibilities].

The controls below (if any) were marked by NIST as being related to CCI-004832.