Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets.


CONTROL ID
01447
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Software package acquisition is an alternative to in-house systems development and should be subject to broadly similar controls as the project life cycle. As inappropriate handling of software licences may expose AIs to a significant risk of patent infringement, and financial and reputation losses,… (4.2.5, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The developer should develop a test plan to test all security requirements to ensure they function correctly. (§ 18.3, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The actual (evaluator's) results should be compared with the expected results and the results of the developer's testing to determine how much testing was completed during the development of the product. A sampling of about 20% of the tests in the developer's test plan and the associated procedures … (§ 11.8.3.4.11, § 11.8.3.4.12, § 11.8.4.5, § 12.9.4.4.11, § 12.9.4.4.12, § 12.9.5.5, § 13.9.4.4.11, § 13.9.4.4.12, § 13.9.5.5, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Create and implement a security assessment plan; (SA-11a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Create and implement a security assessment plan; (SA-11a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Create and implement a security assessment plan; (SA-11a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The device manufacturer needs to define the objective criteria for determining acceptable performance. (§ 6.2 ¶ 2 Bullet 3, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer is ultimately responsible for ensuring the production and quality system software is validated in accordance with a written procedure for its intended use. (§ 6.2 ¶ 4 Bullet 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer is ultimately responsible for ensuring the production and quality system software performs as intended in the application. (§ 6.2 ¶ 4 Bullet 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer should have documentation, including the acceptance criteria, that objectively confirms the software is validated for its use. (§ 6.2 ¶ 5 Bullet 3, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer should have documentation, including test cases and results, that objectively confirms the software is validated for its use. (§ 6.2 ¶ 5 Bullet 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer should have documentation, including a validation summary, that objectively confirms the software is validated for its use. (§ 6.2 ¶ 5 Bullet 5, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Create and implement a security assessment plan; (SA-11a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Create and implement a security assessment plan; (SA-11a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (SA-11(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (SA-11(2) ¶ 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (SA-11(2) ¶ 1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (SA-11(2) ¶ 1(c), FedRAMP Security Controls High Baseline, Version 5)
  • Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. (SA-11(2) ¶ 1(d), FedRAMP Security Controls High Baseline, Version 5)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., FedRAMP Security Controls High Baseline, Version 5)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., FedRAMP Security Controls High Baseline, Version 5)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., FedRAMP Security Controls High Baseline, Version 5)
  • Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (SA-11(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (SA-11(2) ¶ 1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (SA-11(2) ¶ 1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (SA-11(2) ¶ 1(c), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. (SA-11(2) ¶ 1(d), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure security tests and evaluations are performed on any system under development; the test results are documented and included in the Plan of Action and Milestones, the developer tests the system on a regular basis; and specific responsib… (SA-11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Create and implement a security assessment plan; (SA-11a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Create and implement a security assessment plan; (SA-11a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conduct functional and connectivity testing to ensure continuing operability. (T0029, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should require smart grid Information System developers and integrators to provide an integrity check of all the firmware and software that is delivered to the organization. (SG.SA-9 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system developer must create a Security Test and Evaluation plan. (SG.SA-10 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system developer must submit the Security Test and Evaluation plan for approval and implement the plan after approval is received. (SG.SA-10 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system developer must document the testing and evaluation results and submit them for approval. (SG.SA-10 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require software vendors and manufacturers to demonstrate that the software development process uses state-of-the-practice software and security engineering methods, Quality Control processes, and validation techniques to minimize any malformed or flawed software. (App F § SA-4(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require system developers and integrators, in consultation with security personnel and security engineers, to create and implement a Security Test and Evaluation plan. (App F § SA-11.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require system developers and integrators, in consultation with security personnel and security engineers, to document the security testing results, evaluation results, and flaw remediation results. (App F § SA-11.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should require system developers and integrators to create a Security Test and Evaluation plan and implement the plan with an Independent Verification and Validation agent. (App F § SA-11(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require system developers and integrators to conduct a covert channel analysis to identify any potential avenues for covert storage and timing channels. (App F § SC-31, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Conduct functional and connectivity testing to ensure continuing operability. (T0029, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes {organizationally documented state-of-the-practice system/security engineering methods, software development meth… (SA-4(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to create and implement a security assessment plan. (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {unit} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {integration} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {system} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {regression} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation. (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to create and implement a security assessment plan. (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {unit} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {integration} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {system} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {regression} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation. (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to create and implement a security assessment plan. (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {unit} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {integration} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {system} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform {regression} testing/evaluation at {organizationally documented depth and coverage}. (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation. (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Create and implement a security assessment plan; (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Create and implement a security assessment plan; (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Create and implement a security assessment plan; (SA-11a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]. (SA-11(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development… (SA-4(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (SA-11(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (SA-11(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (SA-11(2) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (SA-11(2) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. (SA-11(2) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. (SA-4(3) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. (SA-11(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. (SA-11(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (SA-11(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (SA-11(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (SA-11(2) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (SA-11(2) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. (SA-11(2) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. (SA-4(3) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; (SA-11c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; (SA-11b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. (SA-11(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop and implement a plan for ongoing security and privacy assessments; (SA-11a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. (SA-11(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Create and implement a security assessment plan; (SA-11a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; (SA-11c., TX-RAMP Security Controls Baseline Level 2)
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; (SA-11b., TX-RAMP Security Controls Baseline Level 2)
  • Create and implement a security assessment plan; (SA-11a., TX-RAMP Security Controls Baseline Level 2)
  • The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. (SA-11(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)