SA-11(3)—Independent Verification Of Assessment Plans And Evidence
>Control Description
a. Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and b. Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
>Supplemental Guidance
Independent agents have the qualifications—including the expertise, skills, training, certifications, and experience—to verify the correct implementation of developer security and privacy assessment plans.