CA-6(2)—Joint Authorization -- Inter-Organization
>Control Description
>Supplemental Guidance
Assigning multiple authorizing officials, at least one of whom comes from an external organization, to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization that owns or hosts the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision.
The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of CA-6(2) (Joint Authorization -- Inter-Organization)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring CA-6(2)?
- How frequently is the CA-6(2) policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to CA-6(2)?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce CA-6(2) requirements.
- What automated tools, systems, or technologies are deployed to implement CA-6(2)?
- How is CA-6(2) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce CA-6(2) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of CA-6(2)?
- What audit logs, records, reports, or monitoring data validate CA-6(2) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of CA-6(2) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate CA-6(2) compliance?