Navigate

SA-11 (7)

SA-11 (7): Verify Scope Of Testing / Evaluation

The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].

Supplemental

Verifying that security testing/evaluation provides complete coverage of required security controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance corresponding to the degree of formality of the analysis. Rigorously demonstrating security control coverage at the highest levels of assurance can be provided by the use of formal modeling and analysis techniques including correlation between control implementation and corresponding test cases.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3

Related Controls

The controls below (if any) were marked by NIST as being related to SA-11 (7).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SA-11 (7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-11 (7).

CCI	Definition
CCI-003194	The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at an organization-defined depth of testing/evaluation.
CCI-003195	The organization defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls.