Assessment, Authorization, and Monitoring (CA)

This page contains all 25 controls and control enhancements in the Assessment, Authorization, and Monitoring (CA) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.

Official NIST OSCAL source

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

CA-01 (Policy and Procedures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
  • c. Review and update the current assessment, authorization, and monitoring:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-02 (Control Assessments)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
  • b. Develop a control assessment plan that describes the scope of the assessment including:
    • 1. Controls and control enhancements under assessment;
    • 2. Assessment procedures to be used to determine control effectiveness; and
    • 3. Assessment environment, assessment team, and assessment roles and responsibilities;
  • c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
  • d. Assess the controls in the system and its environment of operation [Assignment: organization-defined assessment frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
  • e. Produce a control assessment report that documents the results of the assessment; and
  • f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].

FedRAMP Parameters

  • Parameter ID: ca-02_odp.02
  • NIST assignment: individuals or roles
  • FedRAMP value: individuals or roles to include FedRAMP and agency customers

External Link for Additional Information: myctrl.tools


CA-02 (01) (Independent Assessors)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Employ independent assessors or assessment teams to conduct control assessments.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-02 (02) (Specialized Assessments)

FedRAMP Rev5 Baselines: Class D

Include as part of control assessments, [Assignment: organization-defined specialized assessment frequency], [Selection: one of: announced; unannounced], [Selection: one or more of: in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-02 (03) (Leveraging Results from External Organizations)

FedRAMP Rev5 Baselines: Class C, Class D

Leverage the results of control assessments performed by [Assignment: organization-defined external organization(s)] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].


FedRAMP Parameters

  • Parameter ID: ca-02.03_odp.01
  • NIST assignment: external organization(s)
  • FedRAMP value: any FedRAMP Recognized independent assessment service

External Link for Additional Information: myctrl.tools


CA-03 (Information Exchange)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Approve and manage the exchange of information between the system and other systems using [Selection: one or more of: interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements];
  • b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
  • c. Review and update the agreements [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-03 (06) (Transfer Authorizations)

FedRAMP Rev5 Baselines: Class D

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-03 (07) (Transitive Information Exchanges)

  • (a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and
  • (b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-05 (Plan of Action and Milestones)

  • a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
  • b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-05 (01) (Automation Support for Accuracy and Currency)

Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-06 (Authorization)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Assign a senior official as the authorizing official for the system;
  • b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
  • c. Ensure that the authorizing official for the system, before commencing operations:
    • 1. Accepts the use of common controls inherited by the system; and
    • 2. Authorizes the system to operate;
  • d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
  • e. Update the authorizations [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-06 (01) (Joint Authorization — Intra-organization)

Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-06 (02) (Joint Authorization — Inter-organization)

Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-07 (Continuous Monitoring)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

  • a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
  • b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  • c. Ongoing control assessments in accordance with the continuous monitoring strategy;
  • d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
  • e. Correlation and analysis of information generated by control assessments and monitoring;
  • f. Response actions to address results of the analysis of control assessment and monitoring information; and
  • g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.


External Link for Additional Information: myctrl.tools


CA-07 (01) (Independent Assessment)

FedRAMP Rev5 Baselines: Class C, Class D

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-07 (03) (Trend Analyses)

Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-07 (04) (Risk Monitoring)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

  • (a) Effectiveness monitoring;
  • (b) Compliance monitoring; and
  • (c) Change monitoring.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-07 (05) (Consistency Analysis)

Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-07 (06) (Automation Support for Monitoring)

Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-08 (Penetration Testing)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined system(s) or system components].


FedRAMP Guidance

Penetration testing is part of vulnerability detection and is subject to the Vulnerability Detection and Response rules.


External Link for Additional Information: myctrl.tools


CA-08 (01) (Independent Penetration Testing Agent or Team)

FedRAMP Rev5 Baselines: Class C, Class D

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-08 (02) (Red Team Exercises)

FedRAMP Rev5 Baselines: Class C, Class D

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-08 (03) (Facility Penetration Testing)

Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: one or more of: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-09 (Internal System Connections)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Authorize internal connections of [Assignment: organization-defined system components] to the system;
  • b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
  • c. Terminate internal system connections after [Assignment: organization-defined conditions]; and
  • d. Review [Assignment: organization-defined frequency] the continued need for each internal connection.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


CA-09 (01) (Compliance Checks)

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools