Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CA/High

Template:Doc:NIST SP 800-53r3 Appendix F/CA-1

Determine if: (i) the organization develops and formally documents security assessment and authorization policy; (ii) the organization security assessment and authorization policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented security assessment and authorization policy to elements within the organization having associated security assessment and authorization roles and responsibilities; (iv) the organization develops and formally documents security assessment and authorization procedures; (v) the organization security assessment and authorization procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and (vi) the organization disseminates formal documented security assessment and authorization procedures to elements within the organization having associated security assessment and authorization roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].

Determine if: (i) the organization defines the frequency of security assessment and authorization policy reviews/updates; (ii) the organization reviews/updates security assessment and authorization policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of security assessment and authorization procedure reviews/updates; and (iv) the organization reviews/updates security assessment and authorization procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-2

Determine if: (i) the organization defines the frequency of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; (ii) the organization assesses the security controls in the information system at the organization-defined frequency; (iii) the organization produces a security assessment report that documents the results of the security control assessment; and (iv) the results of the security control assessment are provided, in writing, to the authorizing official or authorizing official designated representative.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security assessment plan; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-2/1

Determine if the organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-2/2

Determine if: (i) the organization defines: the forms of security testing to be included in security control assessments, selecting from in-depth monitoring, malicious user testing, penetration testing, red team exercises, or an organization-defined form of security testing; the frequency for conducting each form of security testing; whether the security testing will be announced or unannounced; and (ii) the organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques established for each form of testing.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; assessment evidence; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-3

Determine if: (i) the organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary); (ii) the organization authorizes connections from the information system to external information systems through the use of Interconnection Security Agreements; (iii) the organization documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and (iv) the organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; security assessment report; plan of action and milestones; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-5

Determine if: (i) the organization develops a plan of action and milestones for the information system; (ii) the plan of action and milestones documents the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; (iii) the organization defines the frequency of plan of action and milestone updates; and (iv) the organization updates the plan of action and milestones at an organization-defined frequency with findings from: security controls assessments; security impact analyses; and continuous monitoring activities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-6

Determine if: (i) the organization assigns a senior-level executive or manager to the role of authorizing official for the information system; (ii) the authorizing official authorizes the information system for processing before commencing operations; (iii) the organization defines the frequency of security authorization updates; and (iv) the organization updates the security authorization in accordance with an organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security authorization; security authorization package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security authorization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CA-7

Determine if: (i) the organization establishes a continuous monitoring strategy and program; (ii) the organization defines the frequency for reporting the security state of the information system to appropriate organizational officials; (iii) the organization defines organizational officials to whom the security state of the information system should be reported; and (iv) the organization implements a continuous monitoring program that includes: a configuration management process for the information system and its constituent components; a determination of the security impact of changes to the information system and environment of operation; ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and reporting the security state of the information system to appropriate organizational officials in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records, security impact analyses; status reports; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with configuration management responsibilities].