CA - Assessment, Authorization, and Monitoring
- Controls Count: 8
- Controls IDs: CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CA-7 (4), CA-9
Controls
CA-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
Designate an organization-defined official to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
Review and update the current assessment, authorization, and monitoring:
Policy at an organization-defined frequency and following organization-defined events; and
Procedures at an organization-defined frequency and following organization-defined events.
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
an assessment, authorization, and monitoring policy is developed and documented;
the assessment, authorization, and monitoring policy is disseminated to organization-defined personnel or roles;
assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
the assessment, authorization, and monitoring procedures are disseminated to organization-defined personnel or roles;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses scope;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses roles;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
an organization-defined official is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;
the current assessment, authorization, and monitoring policy is reviewed and updated at an organization-defined frequency;
the current assessment, authorization, and monitoring policy is reviewed and updated following organization-defined events;
the current assessment, authorization, and monitoring procedures are reviewed and updated at an organization-defined frequency;
the current assessment, authorization, and monitoring procedures are reviewed and updated following organization-defined events.
Assessment, authorization, and monitoring policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with assessment, authorization, and monitoring policy responsibilities
organizational personnel with information security and privacy responsibilities
CA-2: Control Assessments
Select the appropriate assessor or assessment team for the type of assessment to be conducted;
Develop a control assessment plan that describes the scope of the assessment including:
Controls and control enhancements under assessment;
Assessment procedures to be used to determine control effectiveness; and
Assessment environment, assessment team, and assessment roles and responsibilities;
Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
Assess the controls in the system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
Produce a control assessment report that documents the results of the assessment; and
Provide the results of the control assessment to organization-defined individuals or roles.
Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.
Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.
Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.
Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.
an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
controls are assessed in the system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
controls are assessed in the system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;
a control assessment report is produced that documents the results of the assessment;
the results of the control assessment are provided to organization-defined individuals or roles.
Assessment, authorization, and monitoring policy
procedures addressing assessment planning
procedures addressing control assessments
control assessment plan
control assessment report
system security plan
privacy plan
other relevant documents or records
Organizational personnel with control assessment responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting
CA-3: Information Exchange
Approve and manage the exchange of information between the system and other systems using interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, and/or an organization-defined type of agreement;
Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
Review and update the agreements at an organization-defined frequency.
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk.
Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.
the exchange of information between the system and other systems is approved and managed using interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, and/or an organization-defined type of agreement;
the interface characteristics are documented as part of each exchange agreement;
security requirements are documented as part of each exchange agreement;
privacy requirements are documented as part of each exchange agreement;
controls are documented as part of each exchange agreement;
responsibilities for each system are documented as part of each exchange agreement;
the impact level of the information communicated is documented as part of each exchange agreement;
agreements are reviewed and updated at an organization-defined frequency.
Access control policy
procedures addressing system connections
system and communications protection policy
system interconnection security agreements
information exchange security agreements
memoranda of understanding or agreements
service level agreements
non-disclosure agreements
system design documentation
enterprise architecture
system architecture
system configuration settings and associated documentation
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements
organizational personnel with information security and privacy responsibilities
personnel managing the system(s) to which the interconnection security agreement applies
CA-5: Plan of Action and Milestones
Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
Update the existing plan of action and milestones at an organization-defined frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.
a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
the existing plan of action and milestones is updated at an organization-defined frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
Assessment, authorization, and monitoring policy
procedures addressing plan of action and milestones
control assessment plan
control assessment report
control assessment evidence
plan of action and milestones
system security plan
privacy plan
other relevant documents or records
Organizational personnel with plan of action and milestones development and implementation responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms for developing, implementing, and maintaining plan of action and milestones
CA-6: Authorization
Assign a senior official as the authorizing official for the system;
Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
Ensure that the authorizing official for the system, before commencing operations:
Accepts the use of common controls inherited by the system; and
Authorizes the system to operate;
Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
Update the authorizations at an organization-defined frequency.
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.
Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.
a senior official is assigned as the authorizing official for the system;
a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
before commencing operations, the authorizing official for the system authorizes the system to operate;
the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
the authorizations are updated at an organization-defined frequency.
Assessment, authorization, and monitoring policy
procedures addressing authorization
system security plan, privacy plan, assessment report, plan of action and milestones
authorization statement
other relevant documents or records
Organizational personnel with authorization responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms that facilitate authorizations and updates
CA-7: Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
Establishing the following system-level metrics to be monitored: organization-defined system-level metrics;
Establishing organization-defined frequencies for monitoring and organization-defined frequencies for assessment of control effectiveness;
Ongoing control assessments in accordance with the continuous monitoring strategy;
Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
Correlation and analysis of information generated by control assessments and monitoring;
Response actions to address results of the analysis of control assessment and monitoring information; and
Reporting the security and privacy status of the system to organization-defined personnel or roles at an organization-defined frequency.
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, and SI-4.
a system-level continuous monitoring strategy is developed;
system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: organization-defined system-level metrics;
system-level continuous monitoring includes organization-defined frequencies for monitoring;
system-level continuous monitoring includes organization-defined frequencies for assessment of control effectiveness;
system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
system-level continuous monitoring includes reporting the security status of the system to organization-defined personnel or roles at an organization-defined frequency;
system-level continuous monitoring includes reporting the privacy status of the system to organization-defined personnel or roles at an organization-defined frequency.
Assessment, authorization, and monitoring policy
organizational continuous monitoring strategy
system-level continuous monitoring strategy
procedures addressing continuous monitoring of system controls
procedures addressing configuration management
control assessment report
plan of action and milestones
system monitoring records
configuration management records
impact analyses
status reports
system security plan
privacy plan
other relevant documents or records
Organizational personnel with continuous monitoring responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing continuous monitoring
mechanisms supporting response actions to address assessment and monitoring results
mechanisms supporting security and privacy status reporting
CA-7 (4): Risk Monitoring
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
Effectiveness monitoring;
Compliance monitoring; and
Change monitoring.
Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.
risk monitoring is an integral part of the continuous monitoring strategy;
effectiveness monitoring is included in risk monitoring;
compliance monitoring is included in risk monitoring;
change monitoring is included in risk monitoring.
Assessment, authorization, and monitoring policy
organizational continuous monitoring strategy
system-level continuous monitoring strategy
procedures addressing continuous monitoring of system controls
assessment report
plan of action and milestones
system monitoring records
impact analyses
status reports
system security plan
privacy plan
other relevant documents or records
Organizational personnel with continuous monitoring responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms supporting risk monitoring
CA-9: Internal System Connections
Authorize internal connections of organization-defined system components or classes of components to the system;
Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
Terminate internal system connections after organization-defined conditions; and
Review the continued need for each internal connection at an organization-defined frequency.
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
internal connections of organization-defined system components or classes of components to the system are authorized;
for each internal connection, the interface characteristics are documented;
for each internal connection, the security requirements are documented;
for each internal connection, the privacy requirements are documented;
for each internal connection, the nature of the information communicated is documented;
internal system connections are terminated after organization-defined conditions;
the continued need for each internal connection is reviewed at an organization-defined frequency.
Assessment, authorization, and monitoring policy
access control policy
procedures addressing system connections
system and communications protection policy
system design documentation
system configuration settings and associated documentation
list of components or classes of components authorized as internal system connections
assessment report
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections
organizational personnel with information security and privacy responsibilities
Mechanisms supporting internal system connections