Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-11

developer security testing and evaluation

assessment objective:

Determine if the organization:

sa-11(a)

requires the developer of the information system, system component, or information system service to create and implement a security plan;

sa-11(b)

sa-11(b)[1]

defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

sa-11(b)[2]

defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

sa-11(b)[3]

requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:

sa-11(b)[3][a]

unit testing/evaluation;

sa-11(b)[3][b]

integration testing/evaluation;

sa-11(b)[3][c]

system testing/evaluation; and/or

sa-11(b)[3][d]

regression testing/evaluation;

sa-11(c)

requires the developer of the information system, system component, or information system service to produce evidence of:

sa-11(c)[1]

the execution of the security assessment plan;

sa-11(c)[2]

the results of the security testing/evaluation;

sa-11(d)

requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and

sa-11(e)

requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; records of developer security testing results for the information system, system component, or information system service; security flaw and remediation tracking records; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].