Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-21

developer screening

assessment objective:

Determine if the organization:

sa-21[1]

defines the information system, system component, or information system service for which the developer is to be screened;

sa-21[2]

defines official government duties to be used to determine appropriate access authorizations for the developer;

sa-21[3]

defines additional personnel screening criteria to be satisfied by the developer;

sa-21[4]

sa-21[4][a]

requires that the developer of organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties; and

sa-21[4][b]

requires that the developer of organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; personnel security policy and procedures; procedures addressing personnel screening; information system design documentation; information system configuration settings and associated documentation; list of appropriate access authorizations required by developers of the information system; personnel screening criteria and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for developer screening].

Test: [select from: Organizational processes for developer screening; automated mechanisms supporting developer screening].