NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-11(7) Verify Scope of Testing and Evaluation

Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Verifying that testing and evaluation provides complete coverage of required controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance that corresponds to the degree of formality of the analysis. Rigorously demonstrating control coverage at the highest levels of assurance can be achieved using formal modeling and analysis techniques, including correlation between control implementation and corresponding test cases.

Practitioner Notes

Verify that the scope of security testing and evaluation actually covers the security requirements. Testing that misses critical areas provides false confidence.

Example 1: Create a traceability matrix that maps each security requirement to the test cases that validate it. Before accepting test results, verify that every requirement has at least one corresponding test case and that the test was actually executed with a pass result.

Example 2: In your CI/CD pipeline, implement code coverage metrics for security tests. Track what percentage of security-critical code paths are covered by automated tests. Set a minimum coverage threshold (e.g., 80% for security modules) and fail the build if coverage drops below it.
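The traceability check from Example 1, as an added sketch that is not part of the control text or any NIST tooling. The requirement IDs, test names, status values and the rule that any failed test blocks acceptance are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: requirement IDs and test results are illustrative only.
REQUIREMENTS = ["REQ-AUTH-01", "REQ-AUTH-02", "REQ-LOG-01", "REQ-CRYPTO-01"]
TEST_RESULTS = [
    {"test": "test_lockout_after_5_failures", "covers": ["REQ-AUTH-01"], "status": "pass"},
    {"test": "test_mfa_required_for_admin", "covers": ["REQ-AUTH-02"], "status": "skipped"},
    {"test": "test_audit_record_fields", "covers": ["REQ-LOG-01"], "status": "pass"},
    {"test": "test_audit_log_tamper", "covers": ["REQ-LOG-01"], "status": "fail"},
    {"test": "test_legacy_export", "covers": ["REQ-OLD-99"], "status": "pass"},
]

def build_matrix(results):
    """Map each requirement ID to the (test, status) pairs that claim to cover it."""
    matrix = defaultdict(list)
    for r in results:
        for req in r["covers"]:
            matrix[req].append((r["test"], r["status"].lower()))
    return matrix

def verify_scope(requirements, results):
    """Return (gaps, orphans); gaps maps a requirement to why it is not verified."""
    matrix = build_matrix(results)
    gaps = {}
    for req in requirements:
        statuses = [s for _, s in matrix.get(req, [])]
        if not statuses:
            gaps[req] = "untested"        # no test case maps to the requirement
        elif "fail" in statuses:
            gaps[req] = "failed"          # assumption: any failure blocks acceptance
        elif "pass" not in statuses:
            gaps[req] = "not_executed"    # mapped tests exist but none actually ran
    # Tests that cite requirements absent from the baseline hint at a stale matrix.
    orphans = sorted(set(matrix) - set(requirements))
    return gaps, orphans

def accept(requirements, results):
    """Accept test results only when every requirement has an executed, passing test."""
    gaps, _ = verify_scope(requirements, results)
    return not gaps

if __name__ == "__main__":
    gaps, orphans = verify_scope(REQUIREMENTS, TEST_RESULTS)
    for req, reason in gaps.items():
        print(f"{req}: {reason}")
    print("orphaned requirement references:", orphans)
    raise SystemExit(0 if not gaps else 1)  # non-zero exit fails a pipeline step
```

Skipped tests are treated as not executed, so a requirement whose only test was skipped is reported as a gap and does not count as covered.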