CA - Assessment, Authorization, and Monitoring

  • Controls Count: 10
  • Controls IDs: CA-1, CA-2, CA-2 (1), CA-3, CA-5, CA-6, CA-7, CA-7 (1), CA-7 (4), CA-9

Controls

CA-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

Designate an an official to manage the assessment, authorization, and monitoring policy and procedures is defined; to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

Review and update the current assessment, authorization, and monitoring:

Policy the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined; and following events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined; ; and

Procedures the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined; and following events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;.

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

an assessment, authorization, and monitoring policy is developed and documented;

the assessment, authorization, and monitoring policy is disseminated to personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;;

assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;

the assessment, authorization, and monitoring procedures are disseminated to personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses scope;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses roles;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

the an official to manage the assessment, authorization, and monitoring policy and procedures is defined; is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

the current assessment, authorization, and monitoring policy is reviewed and updated the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;;

the current assessment, authorization, and monitoring policy is reviewed and updated following events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;;

the current assessment, authorization, and monitoring procedures are reviewed and updated the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;;

the current assessment, authorization, and monitoring procedures are reviewed and updated following events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;.

Assessment, authorization, and monitoring policy and procedures

system security plan

privacy plan

other relevant documents or records

Organizational personnel with assessment, authorization, and monitoring policy responsibilities

organizational personnel with information security and privacy responsibilities

CA-2: Control Assessments

Select the appropriate assessor or assessment team for the type of assessment to be conducted;

Develop a control assessment plan that describes the scope of the assessment including:

Controls and control enhancements under assessment;

Assessment procedures to be used to determine control effectiveness; and

Assessment environment, assessment team, and assessment roles and responsibilities;

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

Assess the controls in the system and its environment of operation the frequency at which to assess controls in the system and its environment of operation is defined; to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

Produce a control assessment report that document the results of the assessment; and

Provide the results of the control assessment to individuals or roles to whom control assessment results are to be provided are defined;.

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

an appropriate assessor or assessment team is selected for the type of assessment to be conducted;

a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;

a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;

a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;

a control assessment plan is developed that describes the scope of the assessment, including the assessment team;

a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;

the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

controls are assessed in the system and its environment of operation the frequency at which to assess controls in the system and its environment of operation is defined; to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

controls are assessed in the system and its environment of operation the frequency at which to assess controls in the system and its environment of operation is defined; to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

a control assessment report is produced that documents the results of the assessment;

the results of the control assessment are provided to individuals or roles to whom control assessment results are to be provided are defined;.

Assessment, authorization, and monitoring policy

procedures addressing assessment planning

procedures addressing control assessments

control assessment plan

control assessment report

system security plan

privacy plan

other relevant documents or records

Organizational personnel with control assessment responsibilities

organizational personnel with information security and privacy responsibilities

Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting

CA-2 (1): Independent Assessors

Employ independent assessors or assessment teams to conduct control assessments.

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

independent assessors or assessment teams are employed to conduct control assessments.

Assessment, authorization, and monitoring policy

procedures addressing control assessments

previous control assessment plan

previous control assessment report

plan of action and milestones

existing authorization statement

system security plan

privacy plan

other relevant documents or records

Organizational personnel with security assessment responsibilities

organizational personnel with information security and privacy responsibilities

CA-3: Information Exchange

Approve and manage the exchange of information between the system and other systems using interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, and/or the type of agreement used to approve and manage the exchange of information is defined (if selected);;

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

Review and update the agreements the frequency at which to review and update agreements is defined;.

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

the exchange of information between the system and other systems is approved and managed using interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, and/or the type of agreement used to approve and manage the exchange of information is defined (if selected);;

the interface characteristics are documented as part of each exchange agreement;

security requirements are documented as part of each exchange agreement;

privacy requirements are documented as part of each exchange agreement;

controls are documented as part of each exchange agreement;

responsibilities for each system are documented as part of each exchange agreement;

the impact level of the information communicated is documented as part of each exchange agreement;

agreements are reviewed and updated the frequency at which to review and update agreements is defined;.

Access control policy

procedures addressing system connections

system and communications protection policy

system interconnection security agreements

information exchange security agreements

memoranda of understanding or agreements

service level agreements

non-disclosure agreements

system design documentation

enterprise architecture

system architecture

system configuration settings and associated documentation

system security plan

privacy plan

other relevant documents or records

Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements

organizational personnel with information security and privacy responsibilities

personnel managing the system(s) to which the interconnection security agreement applies

CA-5: Plan of Action and Milestones

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

Update existing plan of action and milestones the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined; based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;

existing plan of action and milestones are updated the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined; based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Assessment, authorization, and monitoring policy

procedures addressing plan of action and milestones

control assessment plan

control assessment report

control assessment evidence

plan of action and milestones

system security plan

privacy plan

other relevant documents or records

Organizational personnel with plan of action and milestones development and implementation responsibilities

organizational personnel with information security and privacy responsibilities

Mechanisms for developing, implementing, and maintaining plan of action and milestones

CA-6: Authorization

Assign a senior official as the authorizing official for the system;

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

Ensure that the authorizing official for the system, before commencing operations:

Accepts the use of common controls inherited by the system; and

Authorizes the system to operate;

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

Update the authorizations frequency at which to update the authorizations is defined;.

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

a senior official is assigned as the authorizing official for the system;

a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;

before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;

before commencing operations, the authorizing official for the system authorizes the system to operate;

the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

the authorizations are updated frequency at which to update the authorizations is defined;.

Assessment, authorization, and monitoring policy

procedures addressing authorization

system security plan, privacy plan, assessment report, plan of action and milestones

authorization statement

other relevant documents or records

Organizational personnel with authorization responsibilities

organizational personnel with information security and privacy responsibilities

Mechanisms that facilitate authorizations and updates

CA-7: Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

Establishing the following system-level metrics to be monitored: system-level metrics to be monitored are defined;;

Establishing frequencies at which to monitor control effectiveness are defined; for monitoring and frequencies at which to assess control effectiveness are defined; for assessment of control effectiveness;

Ongoing control assessments in accordance with the continuous monitoring strategy;

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

Correlation and analysis of information generated by control assessments and monitoring;

Response actions to address results of the analysis of control assessment and monitoring information; and

Reporting the security and privacy status of the system to organization-defined personnel or roles organization-defined frequency.

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

a system-level continuous monitoring strategy is developed;

system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: system-level metrics to be monitored are defined;;

system-level continuous monitoring includes established frequencies at which to monitor control effectiveness are defined; for monitoring;

system-level continuous monitoring includes established frequencies at which to assess control effectiveness are defined; for assessment of control effectiveness;

system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;

system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;

system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;

system-level continuous monitoring includes reporting the security status of the system to personnel or roles to whom the security status of the system is reported are defined; frequency at which the security status of the system is reported is defined;;

system-level continuous monitoring includes reporting the privacy status of the system to personnel or roles to whom the privacy status of the system is reported are defined; frequency at which the privacy status of the system is reported is defined;.

Assessment, authorization, and monitoring policy

organizational continuous monitoring strategy

system-level continuous monitoring strategy

procedures addressing continuous monitoring of system controls

procedures addressing configuration management

control assessment report

plan of action and milestones

system monitoring records

configuration management records

impact analyses

status reports

system security plan

privacy plan

other relevant documents or records

Organizational personnel with continuous monitoring responsibilities

organizational personnel with information security and privacy responsibilities

system/network administrators

Mechanisms implementing continuous monitoring

mechanisms supporting response actions to address assessment and monitoring results

mechanisms supporting security and privacy status reporting

CA-7 (1): Independent Assessment

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.

independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.

Assessment, authorization, and monitoring policy

organizational continuous monitoring strategy

system-level continuous monitoring strategy

procedures addressing continuous monitoring of system controls

control assessment report

plan of action and milestones

system monitoring records

impact analyses

status reports

system security plan

privacy plan

other relevant documents or records

Organizational personnel with continuous monitoring responsibilities

organizational personnel with information security and privacy responsibilities

CA-7 (4): Risk Monitoring

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

Effectiveness monitoring;

Compliance monitoring; and

Change monitoring.

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

risk monitoring is an integral part of the continuous monitoring strategy;

effectiveness monitoring is included in risk monitoring;

compliance monitoring is included in risk monitoring;

change monitoring is included in risk monitoring.

Assessment, authorization, and monitoring policy

organizational continuous monitoring strategy

system-level continuous monitoring strategy

procedures addressing continuous monitoring of system controls

assessment report

plan of action and milestones

system monitoring records

impact analyses

status reports

system security plan

privacy plan

other relevant documents or records

Organizational personnel with continuous monitoring responsibilities

organizational personnel with information security and privacy responsibilities

Mechanisms supporting risk monitoring

CA-9: Internal System Connections

Authorize internal connections of system components or classes of components requiring internal connections to the system are defined; to the system;

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

Terminate internal system connections after conditions requiring termination of internal connections are defined; ; and

Review frequency at which to review the continued need for each internal connection is defined; the continued need for each internal connection.

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

internal connections of system components or classes of components requiring internal connections to the system are defined; to the system are authorized;

for each internal connection, the interface characteristics are documented;

for each internal connection, the security requirements are documented;

for each internal connection, the privacy requirements are documented;

for each internal connection, the nature of the information communicated is documented;

internal system connections are terminated after conditions requiring termination of internal connections are defined;;

the continued need for each internal connection is reviewed frequency at which to review the continued need for each internal connection is defined;.

Assessment, authorization, and monitoring policy

access control policy

procedures addressing system connections

system and communications protection policy

system design documentation

system configuration settings and associated documentation

list of components or classes of components authorized as internal system connections

assessment report

system audit records

system security plan

privacy plan

other relevant documents or records

Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections

organizational personnel with information security and privacy responsibilities

Mechanisms supporting internal system connections