SA-11(3): Independent Verification Of Assessment Plans / Evidence

Control Family:

System And Services Acquisition

Parent Control:

SA-11: Developer Security Testing And Evaluation

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-11(3): Independent Verification of Assessment Plans and Evidence

Control Statement

The organization:

Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Supplemental Guidance

Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans.