CCI-005117

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

Implementation Guidance

Determine if: - the system, system component, or system service is assessed prior to selection. - the system, system component, or system service is assessed prior to acceptance. - the system, system component, or system service is assessed prior to modification. - the system, system component, or system service is assessed prior to update.

Validation Procedures

Examine: [SELECT FROM: System security plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; security test and evaluation results; vulnerability assessment results; penetration testing results; organizational risk assessment results; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities]. Test: [SELECT FROM: Organizational processes for conducting assessments prior to selection, acceptance, or update; mechanisms supporting and/or implementing the conducting of assessments prior to selection, acceptance, or update].

The controls below (if any) were marked by NIST as being related to CCI-005117.