The [organization] shall employ independent third-party analysis and penetration testing of all software (COTS, FOSS, Custom) associated with the system, system components, or system services.{CA-2,CA-2(1),CA-8(1),CM-10(1),SA-9,SA-11(3),SA-12(11),SI-3,SI-3(10),SR-4(4),SR-6(1)}
The [organization] shall conduct control assessments of the information system using independent assessors.{CA-2(1)}
Independent assessors shall be individuals or entities external to the operational chain of command and not involved in the development, implementation, or operations of the system under assessment.
The [organization] shall establish and maintain processes to manage and oversee independent assessors, including their qualifications, roles, and responsibilities.{CA-2(1),CA-7(1)}
Independent assessors shall be individuals or entities external to the operational chain of command and not involved in the development, implementation, or operations of the system under assessment.