Control: The organisation:
A. Develops a security assessment plan that describes the scope of the assessment including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness; and
- Assessment environment, assessment team, and assessment roles and responsibilities;
D. Provides the results of the security control assessment to [Assignment: organisation-defined individuals or roles].
Supplemental Guidance: Organisations assess security controls in organisational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorisations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organisational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorisation processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organisations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organisations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organisational security authorisation processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorisation decisions are provided to authorising officials or authorising official designated representatives.
To satisfy annual assessment requirements, organisations can use assessment results from the following sources: (i) initial or ongoing information system authorisations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organisations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorisations and in accordance with OMB policy, organisations assess security controls during continuous monitoring. Organisations establish the frequency for ongoing security control assessments in accordance with organisational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.
Security Assessments Control Enhancements:
CA-2 (1) Security Assessments - Independent Assessors
The organisation employs assessors or assessment teams with [Assignment: organisation-defined level of independence] to conduct security control assessments.
Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organisational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organisational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organisations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organisations they are serving; or (iv) place themselves in positions of advocacy for the organisations acquiring their services. Independent assessments can be obtained from elements within organisations or can be contracted to public or private sector entities outside of organisations. Authorising officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organisational operations, organisational assets, or individuals. Authorising officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. 
In special situations, for example, when organisations that own the information systems are small or organisational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analysed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organisations recognise that assessments performed for purposes other than direct support to authorisation decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.
CA-2 (2) Security Assessments - Specialised Assessments
The organisation includes as part of security control assessments, [Assignment: organisation-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organisation-defined other forms of security assessment]].
Supplemental Guidance: Organisations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organisational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organisations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorising officials approve the assessment methods in coordination with the organisational risk executive function. Organisations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.
CA-2 (3) Security Assessments - External Organisations
The organisation accepts the results of an assessment of [Assignment: organisation-defined information system] performed by [Assignment: organisation-defined external organisation] when the assessment meets [Assignment: organisation-defined requirements].
Supplemental Guidance: Organisations may often rely on assessments of specific information systems by other (external) organisations. Utilising such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organisational assessments by limiting the amount of independent assessment activities that organisations need to perform. The factors that organisations may consider in determining whether to accept assessment results from external organisations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organisation has had with another organisation, the reputation that organisations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organisations by federal legislation, policies, or directives.