CA - Assessment, Authorization, and Monitoring
- Controls Count: 4
- Controls IDs: CA-2 (2), CA-3 (6), CA-8, CA-8 (1)
Controls
CA-2 (2): Specialized Assessments
Include as part of control assessments, [frequency at which to include specialized assessments as part of the control assessment is defined], [announced or unannounced], [in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or other forms of assessment are defined (if selected)].
Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).
[frequency at which to include specialized assessments as part of the control assessment is defined]; [announced or unannounced] [in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or other forms of assessment are defined (if selected)] are included as part of control assessments.
Assessment, authorization, and monitoring policy
procedures addressing control assessments
control assessment plan
control assessment report
control assessment evidence
system security plan
privacy plan
other relevant documents or records
Organizational personnel with control assessment responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms supporting control assessment
CA-3 (6): Transfer Authorizations
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means—whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays).
individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
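As an added illustration of the verification CA-3 (6) describes (not text or code from the control catalog), the receiving system below checks a transfer in two independent steps before accepting any data: it recomputes an authorization token with a key only the authorization service and the receiver hold, so the sender's self-asserted identity is not trusted, and it then looks up write permission for the destination in an authorization registry. The registry, the key, the principals and the token format are all constructed for this example; a real deployment would query its own identity and authorization services instead.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed for the example: key shared between the organization's
# authorization service and the protected (receiving) system. Hypothetical.
AUTHZ_SERVICE_KEY = b"example-authorization-service-key"

# Constructed authorization registry (hypothetical): which principals hold
# write permission on which interconnected systems.
TRANSFER_AUTHORIZATIONS = {
    "etl-batch-01": {"hr-warehouse", "finance-warehouse"},
    "analyst-jdoe": {"hr-warehouse"},
}

# Audit trail of every accept/reject decision, so rejected transfer
# attempts are visible to monitoring.
AUDIT_LOG = []


@dataclass
class TransferRequest:
    principal: str    # identity the sender claims
    destination: str  # protected system that would receive the data
    token: str        # authorization token presented with the transfer
    payload: bytes


def issue_token(principal: str, destination: str, key: bytes = AUTHZ_SERVICE_KEY) -> str:
    """Stand-in for the authorization service minting a token that binds a
    principal to a destination (constructed; HMAC-SHA256 over a canonical JSON)."""
    msg = json.dumps({"principal": principal, "destination": destination},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_transfer_authorization(req: TransferRequest,
                                  key: bytes = AUTHZ_SERVICE_KEY) -> tuple:
    """Independent verification performed by the protected system before any
    data is accepted. Returns (authorized, reason)."""
    # Step 1: do not rely on the sender's claim. Recompute the token with the
    # authorization service key and compare in constant time.
    expected = issue_token(req.principal, req.destination, key)
    if not hmac.compare_digest(expected, req.token):
        return False, "token does not verify for claimed principal/destination"
    # Step 2: even a genuine principal needs write permission on this destination.
    permitted = TRANSFER_AUTHORIZATIONS.get(req.principal, set())
    if req.destination not in permitted:
        return False, "principal lacks write permission on destination"
    return True, "authorized"


def accept_transfer(req: TransferRequest, store: dict) -> bool:
    """Gate on the receiving side: verify first, store only on success,
    record the decision either way."""
    authorized, reason = verify_transfer_authorization(req)
    AUDIT_LOG.append({"principal": req.principal, "destination": req.destination,
                      "accepted": authorized, "reason": reason})
    if authorized:
        store.setdefault(req.destination, []).append(req.payload)
    return authorized


if __name__ == "__main__":
    received = {}
    good = TransferRequest("etl-batch-01", "hr-warehouse",
                           issue_token("etl-batch-01", "hr-warehouse"), b"rows")
    # Valid identity, but no write permission on finance-warehouse.
    no_perm = TransferRequest("analyst-jdoe", "finance-warehouse",
                              issue_token("analyst-jdoe", "finance-warehouse"), b"rows")
    # Claims to be etl-batch-01 but presents someone else's token.
    spoofed = TransferRequest("etl-batch-01", "hr-warehouse",
                              issue_token("analyst-jdoe", "hr-warehouse"), b"rows")
    for r in (good, no_perm, spoofed):
        print(r.principal, "->", r.destination, accept_transfer(r, received))
```

The two checks fail for different reasons, and the audit record keeps the distinction: a token mismatch points at a spoofed or stale identity, while a registry miss points at a legitimate principal exceeding its granted write scope.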
Access control policy
procedures addressing system connections
system and communications protection policy
system interconnection agreements
information exchange security agreements
memoranda of understanding or agreements
service level agreements
non-disclosure agreements
system design documentation
system configuration settings and associated documentation
control assessment report
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for managing connections to external systems
network administrators
organizational personnel with information security and privacy responsibilities
Mechanisms implementing restrictions on external system connections
CA-8: Penetration Testing
Conduct penetration testing [frequency at which to conduct penetration testing on systems or system components is defined] on [systems or system components on which penetration testing is to be conducted are defined].
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure, to the individuals conducting the testing, of information that is protected by laws or regulations. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.
penetration testing is conducted [frequency at which to conduct penetration testing on systems or system components is defined] on [systems or system components on which penetration testing is to be conducted are defined].
Assessment, authorization, and monitoring policy
procedures addressing penetration testing
assessment plan
penetration test report
assessment report
assessment evidence
system security plan
privacy plan
other relevant documents or records
Organizational personnel with control assessment responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms supporting penetration testing
CA-8 (1): Independent Penetration Testing Agent or Team
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.
an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.
Assessment, authorization, and monitoring policy
procedures addressing penetration testing
assessment plan
penetration test report
assessment report
security assessment evidence
system security plan
privacy plan
other relevant documents or records
Organizational personnel with assessment responsibilities
organizational personnel with information security and privacy responsibilities