SA-4(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
Assessment worksheet (each of C, I and A is scored L=1, M=2 or H=3; the RPN is the sum C+I+A):

| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | |
Assessment objective: Determine if the organization:

- SA-4(2)[1] defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;
- SA-4(2)[2] defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);
- SA-4(2)[3] requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:
  - SA-4(2)[3][a] security-relevant external system interfaces;
  - SA-4(2)[3][b] high-level design;
  - SA-4(2)[3][c] low-level design;
  - SA-4(2)[3][d] source code;
  - SA-4(2)[3][e] hardware schematics; and/or
  - SA-4(2)[3][f] organization-defined design/implementation information.
Potential assessment methods and objects:

- Examine: [select from: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the information system, system components, or information system services; design and implementation information for security controls employed in the information system, system component, or information system service; other relevant documents or records].
- Interview: [select from: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; information system developer or service provider; organizational personnel with information security responsibilities].
- Test: [select from: Organizational processes for determining level of detail for system design and security controls; organizational processes for developing acquisition contracts; automated mechanisms supporting and/or implementing development of system design details].