SA-11(3): Independent Verification Of Assessment Plans / Evidence

CSF v1.1 References:


(Not part of any baseline)

Next Version:

Control Statement

The organization:

  1. Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
  2. Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Supplemental Guidance

Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans.