Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-15(1)

development process, standards, and tools  | quality metrics

assessment objective:

Determine if the organization:

sa-15(1)(a)

requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process;

sa-15(1)(b)

sa-15(1)(b)[1]

defines a frequency to provide evidence of meeting the quality metrics;

sa-15(1)(b)[2]

defines program review milestones to provide evidence of meeting the quality metrics;

sa-15(1)(b)[3]

requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics one or more of the following:

sa-15(1)(b)[3][a]

with the organization-defined frequency;

sa-15(1)(b)[3][b]

in accordance with the organization-defined program review milestones; and/or

sa-15(1)(b)[3][c]

upon delivery of the information system, system component, or information system service.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing the integration of security requirements into the acquisition process; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; list of quality metrics; documentation evidence of meeting quality metrics; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer].