SA-11: Developer Testing and Evaluation

NIST Baseline: Moderate

Privacy Baseline: Yes

DIR Required By: 07/20/2023

Review Date: 08/08/2024

  • The information resource owner, or designee, shall require the developer of the information resource to document and implement a plan for ongoing security and privacy testing and evaluation.
  • Security and privacy testing shall be performed periodically, based on risk management decisions.
  • The security and privacy testing and evaluation plan shall include the following elements:
    • Documented evidence of the execution of the assessment plan and of the results of the testing and evaluation.
    • A verifiable flaw remediation process.
    • A remediation plan for correcting flaws identified during testing and evaluation.

References/Additional Resources

ISO 15408-3

SP 800-30

SP 800-53A

SP 800-154

SP 800-160-1