Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-11(5)

developer security testing and evaluation  | penetration testing / analysis

assessment objective:

Determine if the organization:

sa-11(5)[1]

defines for the developer of the information system, system component, or information system service:

sa-11(5)[1][a]

the breadth of penetration testing to be performed by the developer;

sa-11(5)[1][b]

the depth of penetration testing to be performed by the developer;

sa-11(5)[2]

defines constraints under which the developer is to perform penetration testing; and

sa-11(5)[3]

requires the developer of the information system, system component, or information system service to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer penetration testing and evaluation plans; system developer penetration testing and evaluation results;  other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].