
CA-2 Security Assessments

PBMM (P3)
Secret (P3)
Management

>Control Description

(A) The organization develops a security assessment plan that describes the scope of the assessment, including:
(a) security controls and control enhancements under assessment;
(b) assessment procedures to be used to determine security control effectiveness; and
(c) assessment environment, assessment team, and assessment roles and responsibilities.

(B) The organization assesses the security controls in the information system and its environment of operation at an organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.

(C) The organization produces a security assessment report that documents the results of the assessment.

(D) The organization provides the results of the security control assessment to organization-defined individuals or roles.

>Supplemental Guidance

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) the TBS requirement for periodic assessments as required in the Operational Security Standard – Management of Information Technology Security [Reference 7]; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance with vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalogue) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security posture of information systems during the entire life cycle.

Security assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security control requirements. The TBS requirement for assessing security periodically does not require assessment activities in addition to those already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy the TBS periodic assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid, and can also be supplemented with additional assessments as needed.

Subsequent to initial authorizations and in accordance with TBS policies, organizations assess security controls periodically during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

Related controls: CA-5, CA-6, CA-7, RA-5, SA-11, SA-12, SI-4.

>Profile-Specific Parameters

(B) frequency [Authorizer-determined frequency]
