Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-10

developer configuration management

assessment objective:

Determine if the organization:

sa-10(a)

requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:

sa-10(a)[1]

system, component, or service design;

sa-10(a)[2]

system, component, or service development;

sa-10(a)[3]

system, component, or service implementation; and/or

sa-10(a)[4]

system, component, or service operation;

sa-10(b)

sa-10(b)[1]

defines configuration items to be placed under configuration management;

sa-10(b)[2]

requires the developer of the information system, system component, or information system service to:

sa-10(b)[2][a]

document the integrity of changes to organization-defined items under configuration management;

sa-10(b)[2][b]

manage the integrity of changes to organization-defined items under configuration management;

sa-10(b)[2][c]

control the integrity of changes to organization-defined items under configuration management;

sa-10(c)

requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;

sa-10(d)

requires the developer of the information system, system component, or information system service to document:

sa-10(d)[1]

approved changes to the system, component, or service;

sa-10(d)[2]

the potential security impacts of such changes;

sa-10(e)

sa-10(e)[1]

defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;

sa-10(e)[2]

requires the developer of the information system, system component, or information system service to:

sa-10(e)[2][a]

track security flaws within the system, component, or service;

sa-10(e)[2][b]

track security flaw resolution within the system, component, or service; and

sa-10(e)[2][c]

report findings to organization-defined personnel.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; security flaw and flaw resolution tracking records; system change authorization records; change control records; configuration management records; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers].

Test: [select from: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].