Navigate

SA-12 (7)

SA-12 (7): Assessments Prior To Selection / Acceptance / Update

The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

Supplemental

Assessments include, for example, testing, evaluations, reviews, and analyses. Independent, third-party entities or organizational personnel conduct assessments of systems, components, products, tools, and services. Organizations conduct assessments to uncover unintentional vulnerabilities and intentional vulnerabilities including, for example, malicious code, malicious processes, defective software, and counterfeits. Assessments can include, for example, static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensuring that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Evidence generated during security assessments is documented for follow-on actions carried out by organizations.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
NC3

Related Controls

The controls below (if any) were marked by NIST as being related to SA-12 (7).

Control	Description
CA-2	The organization: CA-2a.: Develops a security assessment plan that describes the scope of the assessment including: CA-2a.1.: Security controls and control enhancements under assessment; CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2c.: Produces a security assessment report that documents the results of the assessment; and CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
SA-11	The organization requires the developer of the information system, system component, or information system service to: SA-11a.: Create and implement a security assessment plan; SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; SA-11d.: Implement a verifiable flaw remediation process; and SA-11e.: Correct flaws identified during security testing/evaluation.

Control

Description

CA-2

The organization:

CA-2a.: Develops a security assessment plan that describes the scope of the assessment including:
- CA-2a.1.: Security controls and control enhancements under assessment;
- CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and
- CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities;

CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

CA-2c.: Produces a security assessment report that documents the results of the assessment; and

CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

SA-11

The organization requires the developer of the information system, system component, or information system service to:

SA-11a.: Create and implement a security assessment plan;

SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];

SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

SA-11d.: Implement a verifiable flaw remediation process; and

SA-11e.: Correct flaws identified during security testing/evaluation.

Enhancements

The controls below (if any) add on to the requirements of SA-12 (7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-12 (7).

CCI	Definition
CCI-003203	The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
CCI-003204	The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.