Xylok Scanner CCIs

Number	Definition	Status	Related
CCI-003211	The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.	Deprecated	SA-12(9)
CCI-003212	The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered.	Draft	SA-12(10)
CCI-003213	The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.	Draft	SA-12(10)
CCI-003214	The organization employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service.	Draft	SA-12(11)
CCI-003215	The organization defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.	Draft	SA-12(11)
CCI-003216	The organization establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service.	Draft	SA-12(12)
CCI-003217	The organization establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service.	Draft	SA-12(12)
CCI-003218	The organization employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components.	Draft	SA-12(13)
CCI-003219	The organization defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.	Draft	SA-12(13)
CCI-003220	The organization defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.	Draft	SA-12(13)
CCI-003221	The organization establishes unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.	Draft	SA-12(14)
CCI-003222	The organization retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.	Draft	SA-12(14)
CCI-003223	The organization defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification.	Draft	SA-12(14)
CCI-003224	The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.	Draft	SA-12(15)
CCI-003225	The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions.	Draft	SA-13
CCI-003226	The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.	Draft	SA-13
CCI-003227	The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions.	Draft	SA-13
CCI-003228	The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.	Draft	SA-13
CCI-003229	The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.	Draft	SA-14
CCI-003230	The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.	Draft	SA-14
CCI-003231	The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.	Draft	SA-14
CCI-003232	The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services.	Draft	SA-14
CCI-003233	Require the developer of the system, system component, or system service to follow a documented development process.	Draft	SA-15
CCI-003234	Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses security requirements.	Draft	SA-15
CCI-003235	Require the developer of the system, system component, or system service to follow a documented development process that identifies the standards used in the development process.	Draft	SA-15
CCI-003236	Require the developer of the system, system component, or system service to follow a documented development process that identifies the tools used in the development process.	Draft	SA-15
CCI-003237	Require the developer of the system, system component, or system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process.	Draft	SA-15
CCI-003238	Require the developer of the system, system component, or system service to follow a documented development process that documents changes to the process and/or tools used in development.	Draft	SA-15
CCI-003239	Require the developer of the system, system component, or system service to follow a documented development process that manages changes to the process and/or tools used in development.	Draft	SA-15
CCI-003240	Require the developer of the system, system component, or system service to follow a documented development process that ensures the integrity of changes to the process and/or tools used in development.	Draft	SA-15

CCI-003211

The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

Deprecated

SA-12(9)

CCI-003212

The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered.

Draft

SA-12(10)

CCI-003213

The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.

Draft

SA-12(10)