CCI-004844

Require the developer of the system, system component, or system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. - the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; enterprise architecture policy; enterprise architecture documentation; procedures addressing developer security and privacy architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer].

The controls below (if any) were marked by NIST as being related to CCI-004844.