
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

SA family: System and Services Acquisition

SA-4(3) ACQUISITION PROCESS  |  DEVELOPMENT METHODS / TECHNIQUES / PRACTICES


Assessment worksheet (fields are blank and are completed by the assessor):

Applicable:          (Y)es / (N)o
(C)onfidentiality:   L1 / M2 / H3
(I)ntegrity:         L1 / M2 / H3
(A)vailability:      L1 / M2 / H3
RPN (C+I+A):         ___
Finding:             (S)atisfactory / (O)ther than satisfactory +##


Assessment objective:

Determine if the organization:

SA-4(3)[1]  defines state-of-the-practice system/security engineering methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;

SA-4(3)[2]  defines software development methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;

SA-4(3)[3]  defines testing/evaluation/validation techniques to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;

SA-4(3)[4]  defines quality control processes to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;

SA-4(3)[5]  requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes:

    SA-4(3)[5][a]  organization-defined state-of-the-practice system/security engineering methods;

    SA-4(3)[5][b]  organization-defined software development methods;

    SA-4(3)[5][c]  organization-defined testing/evaluation/validation techniques; and

    SA-4(3)[5][d]  organization-defined quality control processes.

Potential assessment methods and objects:

Examine: [select from: system and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the information system, system component, or information system service; list of system/security engineering methods to be included in the developer's system development life cycle process; list of software development methods to be included in the developer's system development life cycle process; list of testing/evaluation/validation techniques to be included in the developer's system development life cycle process; list of quality control processes to be included in the developer's system development life cycle process; other relevant documents or records].

Interview: [select from: organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; organizational personnel with information security and system life cycle responsibilities; information system developer or service provider].

Test: [select from: organizational processes for development methods, techniques, and processes].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056