Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-11(2)

developer security testing and evaluation  | threat and vulnerability analyses

assessment objective:

Determine if the organization requires the developer of the information system, system component, or information system service to perform:

sa-11(2)[1]

threat analyses of the as-built, system component, or service;

sa-11(2)[2]

vulnerability analyses of the as-built, system component, or service; and

sa-11(2)[3]

subsequent testing/evaluation of the as-built, system component, or service.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; records of developer security testing results for the information system, system component, or information system service; vulnerability scanning results; information system risk assessment reports; threat and vulnerability analysis reports; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].