Security assessment and authorization

CA-1 Security Assessment And Authorization Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
  2. Reviews and updates the current:
    1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
    2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CA-2 Security Assessments

Description

The organization:

  1. Develops a security assessment plan that describes the scope of the assessment including:
    1. Security controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine security control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  2. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  3. Produces a security assessment report that documents the results of the assessment; and
  4. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Control Information

Responsible role(s) - Organization

CA-2 (1) Independent Assessors

Description

The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.

Control Information

Responsible role(s) - Organization

CA-2 (2) Specialized Assessments

Description

The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].

Control Information

Responsible role(s) - Organization

CA-2 (3) External Organizations

Description

The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].

Control Information

Responsible role(s) - Organization

CA-3 System Interconnections

Description

The organization:

  1. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  2. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
  3. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CA-3 (1) Unclassified National Security System Connections

Description

The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].

Control Information

Responsible role(s) - Organization

CA-3 (2) Classified National Security System Connections

Description

The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].

Control Information

Responsible role(s) - Organization

CA-3 (3) Unclassified Non-National Security System Connections

Description

The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].

Control Information

Responsible role(s) - Organization

CA-3 (4) Connections To Public Networks

Description

The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.

Control Information

Responsible role(s) - Organization

CA-3 (5) Restrictions On External System Connections

Description

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

Control Information

Responsible role(s) - Organization

CA-5 Plan Of Action And Milestones

Description

The organization:

  1. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  2. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

Control Information

Responsible role(s) - Organization

CA-5 (1) Automation Support For Accuracy / Currency

Description

The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.

Control Information

Responsible role(s) - Organization

CA-6 Security Authorization

Description

The organization:

  1. Assigns a senior-level executive or manager as the authorizing official for the information system;
  2. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
  3. Updates the security authorization [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CA-7 Continuous Monitoring

Description

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. Establishment of [Assignment: organization-defined metrics] to be monitored;
  2. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
  3. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  4. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  5. Correlation and analysis of security-related information generated by assessments and monitoring;
  6. Response actions to address results of the analysis of security-related information; and
  7. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CA-7 (1) Independent Assessment

Description

The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.

Control Information

Responsible role(s) - Organization

CA-7 (3) Trend Analyses

Description

The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

Control Information

Responsible role(s) - Organization

CA-8 Penetration Testing

Description

The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

Control Information

Responsible role(s) - Organization

CA-8 (1) Independent Penetration Agent Or Team

Description

The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

Control Information

Responsible role(s) - Organization

CA-8 (2) Red Team Exercises

Description

The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].

Control Information

Responsible role(s) - Organization

CA-9 Internal System Connections

Description

The organization:

  1. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
  2. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Control Information

Responsible role(s) - Organization

CA-9 (1) Security Compliance Checks

Description

The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.

Control Information

Responsible role(s) - Organization