Navigate

SA-11 (3)

SA-11 (3): Independent Verification Of Assessment Plans / Evidence

The organization:

SA-11 (3)(a): Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and

SA-11 (3)(b): Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Supplemental

Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-A, Int-B, Int-C, Space Platform

Related Controls

The controls below (if any) were marked by NIST as being related to SA-11 (3).

Control	Description
AT-3	The organization provides role-based security training to personnel with assigned security roles and responsibilities: AT-3a.: Before authorizing access to the information system or performing assigned duties; AT-3b.: When required by information system changes; and AT-3c.: [Assignment: organization-defined frequency] thereafter.
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7f.: Response actions to address results of the analysis of security-related information; and CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
RA-5	The organization: RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.1.: Enumerating platforms, software flaws, and improper configurations; RA-5b.2.: Formatting checklists and test procedures; and RA-5b.3.: Measuring vulnerability impact; RA-5c.: Analyzes vulnerability scan reports and results from security control assessments; RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
SA-12	The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.

Enhancements

The controls below (if any) add on to the requirements of SA-11 (3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-11 (3).

CCI	Definition
CCI-003183	The organization requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan.
CCI-003184	The organization requires an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing/evaluation.
CCI-003185	The organization defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.
CCI-003186	The organization ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.