ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

SA-10(5) DEVELOPER CONFIGURATION MANAGEMENT  |  MAPPING INTEGRITY FOR VERSION CONTROL

Applicable: (Y)es / (N)o

(C)onfidentiality: L1, M2, H3

(I)ntegrity: L1, M2, H3

(A)vailability: L1, M2, H3

RPN: (C+I+A)

(S)atisfactory / (O)ther than satisfactory

Assessment objective:

Determine if the organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

Potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; change control records; configuration management records; version control change/update records; integrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code); other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers].

Test: [select from: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056