CCI-000698

Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; software and firmware integrity verification records; system change authorization records; change control records; configuration management records; system security plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for monitoring developer configuration management; mechanisms supporting and/or implementing the monitoring of developer configuration management].

The controls below (if any) were marked by NIST as being related to CCI-000698.