SA-12(7): Assessments Prior To Selection / Acceptance / Update
Baselines: (Not part of any baseline)
Control is withdrawn in the next version of this control set and incorporated into: SR-5(2): Assessments Prior to Selection, Acceptance, Modification, or Update.
Control Statement
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
Supplemental Guidance
Assessments include, for example, testing, evaluations, reviews, and analyses. Independent, third-party entities or organizational personnel conduct assessments of systems, components, products, tools, and services. Organizations conduct assessments to uncover unintentional vulnerabilities and intentional vulnerabilities including, for example, malicious code, malicious processes, defective software, and counterfeits. Assessments can include, for example, static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensuring that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Evidence generated during security assessments is documented for follow-on actions carried out by organizations.
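The guidance names cryptographic hash verification as one way to confirm that a delivered component is genuine before it is accepted. The script below is an added illustration of that single check, not text from the control set or any vendor's tooling: it compares each delivered file against a digest manifest the supplier published out-of-band, rejects missing, altered, or unlisted files, refuses weak digest algorithms, and returns a timestamped evidence record of the kind the guidance says should be kept for follow-on action. File names, payloads, and the manifest are constructed for the example.

```python
"""Acceptance check for a delivered software component (added example).

Constructed scenario: a supplier ships files plus a JSON-style manifest of
SHA-256 digests on a separate channel. Before acceptance we recompute each
digest, compare it to the manifest, and record the outcome as evidence.
Nothing here is a real product, file, or digest.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict

# Digest algorithms the acceptance process is willing to trust (assumption:
# the organization's policy; MD5/SHA-1 manifests are rejected outright).
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Constructed sample payloads: what the supplier intended to ship, and a
# variant that was modified somewhere between supplier and recipient.
ORIGINAL_PAYLOAD = b"example component payload v1.4.2\n"
TAMPERED_PAYLOAD = b"example component payload v1.4.2 + injected\n"
README = b"constructed readme\n"

# Constructed manifest, as published by the supplier out-of-band.
PUBLISHED_MANIFEST = {
    "algorithm": "sha256",
    "files": {
        "agent-1.4.2.tar.gz": hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest(),
        "README.txt": hashlib.sha256(README).hexdigest(),
    },
}


def assess_delivery(manifest: dict, delivered: Dict[str, bytes]) -> dict:
    """Verify delivered files against the manifest and return an evidence record.

    Rules applied:
      * the manifest's algorithm must be in ALLOWED_ALGORITHMS;
      * every manifest entry must be present and its digest must match;
      * any delivered file not listed in the manifest is flagged as unlisted.
    The component is accepted only if every file is "ok".
    """
    algo = manifest.get("algorithm", "")
    if algo not in ALLOWED_ALGORITHMS:
        return {
            "accepted": False,
            "reason": f"unsupported digest algorithm: {algo!r}",
            "algorithm": algo,
            "files": {},
            "assessed_at": datetime.now(timezone.utc).isoformat(),
        }

    results = {}
    for name, expected in manifest["files"].items():
        data = delivered.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Digests are public, so timing is not a concern here; compare_digest is
        # simply the idiomatic way to compare two hex digests in Python.
        results[name] = "ok" if hmac.compare_digest(actual, expected.lower()) else "digest-mismatch"

    for name in delivered:
        if name not in manifest["files"]:
            results[name] = "unlisted"

    accepted = all(verdict == "ok" for verdict in results.values())
    return {
        "accepted": accepted,
        "reason": "all files match the published manifest" if accepted
                  else "one or more files failed verification",
        "algorithm": algo,
        "files": results,
        "assessed_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # Scenario 1: the delivery is exactly what the supplier published.
    good = assess_delivery(PUBLISHED_MANIFEST,
                           {"agent-1.4.2.tar.gz": ORIGINAL_PAYLOAD, "README.txt": README})
    # Scenario 2: the archive was altered in transit and the README is absent.
    bad = assess_delivery(PUBLISHED_MANIFEST, {"agent-1.4.2.tar.gz": TAMPERED_PAYLOAD})
    for record in (good, bad):
        print(json.dumps(record, indent=2))
```

The evidence record is what gets filed with the acceptance decision; a real process would pair this digest check with verification of the supplier's digital signature over the manifest, since a digest alone only proves the files match what was published, not who published it.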