SA-11 (3)     Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence

The organization:
     SA-11 (3)(a):  Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
     SA-11 (3)(b):  Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Applicable CNSSI 1253 Baselines

Confidentiality
  • L
  • M
  • H
Integrity
  • L
  • M
  • H
Availability
  • L
  • M
  • H

Supplemental Guidance

Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans.


Related Controls