CA-2(2) Security Assessments

PBMM (P3)
Secret (P3)
Management

Control Description

SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].

Supplemental Guidance

Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk management strategy.

Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2.