SA-11 Developer Security Testing

Control: The organization requires that information system developers create a security test and evaluation plan, implement the plan, and document the results.

Supplemental Guidance: Developmental security test results are used to the greatest extent feasible after verification of the results and recognizing that these results are impacted whenever there have been security relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security certification and accreditation process for the delivered information system.

Related security controls: CA-2, CA-4.

Control Enhancements: None.

Baseline: LOW Not Selected MOD SA-11 HIGH SA-11

Family: System And Services Acquisition

Class: Management