SA-11(3): Independent Verification of Assessment Plans and Evidence

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Previous Version:

Control Statement

  1. Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
  2. Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Supplemental Guidance

Independent agents have the qualifications-including the expertise, skills, training, certifications, and experience-to verify the correct implementation of developer security and privacy assessment plans.