CCI-000623

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system services; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Organizational processes for determining system security functional requirements; organizational processes for developing acquisition contracts; mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts].

The controls below (if any) were marked by NIST as being related to CCI-000623.