NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-11(3) — Independent Verification of Assessment Plans and Evidence
(a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
(b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
Supplemental Guidance
Independent agents have the qualifications—including the expertise, skills, training, certifications, and experience—to verify the correct implementation of developer security and privacy assessment plans.
Practitioner Notes
Have someone who meets the organization's independence criteria, i.e. not the developer and not the team whose work is under test, verify both that the security test plans are adequate and that the test results are accurate. This prevents the 'grading your own homework' problem. Part (b) matters as much as part (a): independence is meaningless if the agent only sees the developer's summary, so give them access to (or the authority to demand) the underlying artifacts such as test logs, scan output, and defect records.
Example 1: Before accepting a vendor's claim that their product passed security testing, have your security team or an independent third party review the test plan and the results. Verify that the tests covered the right attack scenarios for how you will deploy the product, that the evidence supports each pass/fail claim, and that the results demonstrate adequate security rather than merely that tests ran. If the vendor will not release enough detail to make that judgement, the verification is incomplete and the claim should not be accepted as is.
Example 2: For internal development, require the security team (organizationally separate from the development team) to review security test plans before testing begins and to validate a sample of test results after testing completes, for example by re-running selected tests and comparing against the recorded evidence. This independent verification gives confidence that testing was thorough and that the reported results are trustworthy.