CA: Security Assessment And Authorization

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and Reviews and…

The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Assesses the security controls in the information system and its environment of operation…

The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

The organization: Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and Updates existing plan of action and milestones [Assignment: organization-defined frequency] based…

The organization: Assigns a senior-level executive or manager as the authorizing official for the information system; Ensures that the authorizing official authorizes the information system for processing before commencing operations; and Updates the security authorization [Assignment: organization-defined frequency].

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; Ongoing security status monitoring…

The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.