CCI-000667
CCI-000667 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI, 000666 during the implementation of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. An example of artifacts is CCB minutes, code review results, and source code analysis results.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the implementation of SA-8, CCI 000666 to ensure that the organization being inspected/assessed applies information system security engineering principles in the implementation of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790).
Compelling Evidence
1.) System security plan (SSP). 2.) Design documentation must include system requirements documentation and it must apply information system security principles in implementation . 3.) Audit trail regarding change management could be CCB minutes, code review meetings, code testing reports, etc. IAW CCI-001790/CM-9.