CCI-000668

The organization applies information system security engineering principles in the modification of the information system.

Implementation Guidance

The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI, 000666 during the modification of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. An example of artifacts is CCB minutes, code review results, and source code analysis results.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the modification of SA-8, CCI 000666 to ensure that the organization being inspected/assessed applies information system security engineering principles in the modification of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790).

Compelling Evidence

1.) System security plan (SSP). 2.) Design documentation must include system requirements documentation and it must apply information system security principles in modification. 3.) Audit trail regarding change management could be CCB minutes, code review meetings, code testing reports, etc. IAW CCI-001790/CM-9.

The controls below (if any) were marked by NIST as being related to CCI-000668.