manage.get.gov/docs/compliance/dist/system-security-plans/ato/sa-11.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116)
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00


implementation-status control-origination
c-not-implemented
c-inherited-cloud-gov
c-inherited-cisa
c-common-control
c-system-specific-control

sa-11 - [catalog] Developer Testing and Evaluation

Control Statement

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

  • [a] Develop and implement a plan for ongoing security and privacy control assessments;

  • [b] Perform No value found testing/evaluation frequency to conduct at depth and coverage;

  • [c] Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

  • [d] Implement a verifiable flaw remediation process; and

  • [e] Correct flaws identified during testing and evaluation.

Control guidance

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.

Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

Control assessment-objective

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform No value found testing/evaluation frequency to conduct at depth and coverage;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;

  • the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.


What is the solution and how is it implemented?


Implementation a.

Add control implementation description here for item sa-11_smt.a


Implementation b.

Add control implementation description here for item sa-11_smt.b


Implementation c.

Add control implementation description here for item sa-11_smt.c


Implementation d.

Add control implementation description here for item sa-11_smt.d


Implementation e.

Add control implementation description here for item sa-11_smt.e