| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory +## |
|---|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | | |

### sa-11(1) | developer security testing and evaluation | static code analysis

assessment objective: Determine if the organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; system developer security testing results; security flaw and remediation tracking records; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; organizational personnel with configuration management responsibilities; system developers].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation; static code analysis tools].