CA - Assessment, Authorization, and Monitoring

Controls Count: 2
Controls IDs: CA-2 (1), CA-7 (1)

Controls

CA-2 (1): Independent Assessors

Employ independent assessors or assessment teams to conduct control assessments.

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

independent assessors or assessment teams are employed to conduct control assessments.

Assessment, authorization, and monitoring policy

procedures addressing control assessments

previous control assessment plan

previous control assessment report

plan of action and milestones

existing authorization statement

system security plan

privacy plan

CA-7 (1): Independent Assessment

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.

independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.

Assessment, authorization, and monitoring policy

organizational continuous monitoring strategy

system-level continuous monitoring strategy

procedures addressing continuous monitoring of system controls

control assessment report

plan of action and milestones

system monitoring records

impact analyses

status reports

system security plan

privacy plan