Navigate

CM-4 (2)

CM-4 (2): Verification Of Security Functions

The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

Supplemental

Implementation is this context refers to installing changed code in the operational information system.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3, Privacy (High), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to CM-4 (2).

Control	Description
SA-11	The organization requires the developer of the information system, system component, or information system service to: SA-11a.: Create and implement a security assessment plan; SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; SA-11d.: Implement a verifiable flaw remediation process; and SA-11e.: Correct flaws identified during security testing/evaluation.

Control

Description

SA-11

The organization requires the developer of the information system, system component, or information system service to:

SA-11a.: Create and implement a security assessment plan;

SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];

SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

SA-11d.: Implement a verifiable flaw remediation process; and

SA-11e.: Correct flaws identified during security testing/evaluation.

Enhancements

The controls below (if any) add on to the requirements of CM-4 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-4 (2).

CCI	Definition
CCI-000335	The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly.
CCI-000336	The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended.
CCI-000337	The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system.