Trustmark Definition Name | Version |
---|---|
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform attack surface reviews. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization: (a) Requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and (b) Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at organization-defined depth of testing/evaluation. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents, manages, and ensures the integrity of changes to the process used in development. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the process employed can satisfy organization-defined security requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that explicitly addresses security requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the standards employed can satisfy organization-defined security requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents, manages, and ensures the integrity of changes to the tools used in development. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that identifies the standards and tools used in the development process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to: (a) Perform an automated vulnerability analysis using organization-defined tools; (b) Determine the exploitation potential for discovered vulnerabilities; (c) Determine potential risk mitigations for delivered vulnerabilities; and (d) Deliver the outputs of the tools and results of the analysis to organization-defined personnel or roles. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at organization-defined breadth/depth and at organization-defined decision points in the system development life cycle. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to provide an incident response plan. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): organization-defined frequency; organization-defined program review milestones; upon delivery]. | 1.0 |