SA-11(3)—Independent Verification Of Assessment Plans And Evidence
>Control Description
a
Require an independent agent satisfying ⚙organization-defined independence criteria to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
b
Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
>Supplemental Guidance
Independent agents have the qualifications--including the expertise, skills, training, certifications, and experience--to verify the correct implementation of developer security and privacy assessment plans.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What acquisition policies and procedures address the requirements of SA-11(3)?
- •How are security and privacy requirements integrated into the acquisition process?
- •Who is responsible for ensuring that acquisitions comply with SA-11(3)?
Technical Implementation:
- •How are security requirements defined and documented in acquisition contracts?
- •What mechanisms ensure that acquired systems and services meet security requirements?
- •How do you validate that vendors and service providers comply with specified security controls?
- •What secure coding practices and standards are required for developers?
Evidence & Documentation:
- •Can you provide examples of acquisition documentation that includes security requirements?
- •What evidence demonstrates that acquired systems meet security specifications?
- •Where is acquisition security documentation maintained throughout the system lifecycle?
- •Can you provide code review or static analysis results?
Ask AI
Configure your API key to use AI features.