Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.