Navigate

SA-11(3)

SA-11(3): Independent Verification of Assessment Plans and Evidence

(a): Require an independent agent satisfying [independence criteria to be satisfied by an independent agent are defined;] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and

(b): Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Supplemental

Independent agents have the qualifications—including the expertise, skills, training, certifications, and experience—to verify the correct implementation of developer security and privacy assessment plans.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Access, CDS - Multilevel, CDS - Transfer, Int-A, Int-B, Int-C

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-11(3).

Control	Description
AT-3	a: Provide role-based security and privacy training to personnel with the following roles and responsibilities: [one of ]: 1: Before authorizing access to the system, information, or performing assigned duties, and [the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;] thereafter; and 2: When required by system changes; b: Update role-based training content [the frequency at which to update role-based training content is defined;] and following [events that require role-based training content to be updated are defined;] ; and c: Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Control

Description

AT-3

a: Provide role-based security and privacy training to personnel with the following roles and responsibilities: [one of ]:
- 1: Before authorizing access to the system, information, or performing assigned duties, and [the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;] thereafter; and
- 2: When required by system changes;

b: Update role-based training content [the frequency at which to update role-based training content is defined;] and following [events that require role-based training content to be updated are defined;] ; and

c: Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

RA-5

a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported;

b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- 1: Enumerating platforms, software flaws, and improper configurations;
- 2: Formatting checklists and test procedures; and
- 3: Measuring vulnerability impact;

c: Analyze vulnerability scan reports and results from vulnerability monitoring;

d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk;

e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and

f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Enhancements

The controls below (if any) add on to the requirements of SA-11(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-11(3).

CCI	Definition
CCI-003183	Require an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan.
CCI-003184	Require an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing and evaluation.
CCI-003185	Defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing and evaluation.
CCI-003186	Verify that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.
CCI-004809	Require an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer privacy assessment plan.
CCI-004810	Require an independent agent satisfying organization-defined independence criteria to verify the evidence produced during privacy testing and evaluation.
CCI-004811	Defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer privacy assessment plan and the evidence produced during privacy testing and evaluation.