Control ID Title / Statement Priority Baseline Impact
CA-1
Security Assessment and Authorization Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsi...
Param ID Label Constraint / Choices
ca-1_prm_1 organization-defined personnel or roles Organization-defined
ca-1_prm_2 organization-defined frequency Organization-defined
ca-1_prm_3 organization-defined frequency Organization-defined
CA-2
Security Assessments 2 params
The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessmen...
Param ID Label Constraint / Choices
ca-2_prm_1 organization-defined frequency Organization-defined
ca-2_prm_2 organization-defined individuals or roles Organization-defined
CA-2(1)
Independent Assessors 1 param
The organization employs assessors or assessment teams with {{ insert: param, ca-2.1_prm_1 }} to conduct security control assessments.
Param ID Label Constraint / Choices
ca-2.1_prm_1 organization-defined level of independence Organization-defined
CA-2(2)
Specialized Assessments 4 params
The organization includes as part of security control assessments, {{ insert: param, ca-2.2_prm_1 }}, {{ insert: param, ca-2.2_prm_2 }}, {{ insert: param, ca-2.2_prm_3 }}.
Param ID Label Constraint / Choices
ca-2.2_prm_1 organization-defined frequency Organization-defined
ca-2.2_prm_2 Select one: announced; unannounced
ca-2.2_prm_3 Select one-or-more: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; {{ insert: param, ca-2.2_prm_4 }}
ca-2.2_prm_4 organization-defined other forms of security assessment Organization-defined
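The parameter tables above use the same placeholder syntax throughout: an insert marker such as {{ insert: param, ca-2.2_prm_1 }} stands for either an organization-defined assignment or a constrained selection ("Select one" / "Select one-or-more"), and a selection choice can itself carry a placeholder, as ca-2.2_prm_3 does for ca-2.2_prm_4. The following Python is an added example, not code from the page or from NIST, that resolves these placeholders for CA-2(2) and CA-3(5) against a parameter table copied from this page. The assigned values (frequencies, system names, the "adversary emulation" other form) are constructed for the example; the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Placeholder syntax as rendered on this page, e.g. {{ insert: param, ca-2.2_prm_1 }}
INSERT_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([A-Za-z0-9_.\-]+)\s*\}\}")


@dataclass
class Param:
    pid: str
    label: str = ""                 # assignment label, e.g. "organization-defined frequency"
    select: Optional[str] = None    # None (assignment), "one", or "one-or-more"
    choices: list = field(default_factory=list)


def parse_constraint(pid: str, cell: str) -> Param:
    """Build a Param from one 'Constraint / Choices' cell of the parameter table."""
    m = re.match(r"Select (one-or-more|one):\s*(.*)", cell)
    if m:
        # choices are ';'-separated; a choice may itself contain a placeholder
        choices = [c.strip() for c in m.group(2).split(";") if c.strip()]
        return Param(pid, select=m.group(1), choices=choices)
    return Param(pid, label=cell)


def resolve(text: str, params: dict, values: dict, _depth: int = 0):
    """Substitute placeholders in `text`; return (rendered_text, missing_ids).

    Unassigned parameters are left in place and reported, so a statement with
    a blank assignment cannot pass as complete. Selections are validated against
    the constraint and an out-of-range value raises ValueError. Nested
    placeholders (ca-2.2_prm_4 inside a choice of ca-2.2_prm_3) are resolved
    recursively behind a depth guard.
    """
    if _depth > 8:
        raise ValueError("placeholder nesting too deep; probable cycle")
    missing = []

    def sub(m):
        pid = m.group(1)
        if pid not in params:
            raise KeyError(f"statement references unknown parameter {pid}")
        p = params[pid]
        if pid not in values:
            missing.append(pid)
            return m.group(0)           # keep the placeholder visible
        v = values[pid]
        if p.select is None:
            out, miss = resolve(str(v), params, values, _depth + 1)
            missing.extend(miss)
            return out
        # resolve each choice first so the "other forms" choice matches its assigned text
        resolved_choices = [resolve(c, params, values, _depth + 1)[0] for c in p.choices]
        chosen = [v] if isinstance(v, str) else list(v)
        if p.select == "one" and len(chosen) != 1:
            raise ValueError(f"{pid}: exactly one selection required")
        if not chosen:
            raise ValueError(f"{pid}: at least one selection required")
        for c in chosen:
            if c not in resolved_choices:
                raise ValueError(f"{pid}: {c!r} is not one of {resolved_choices}")
        return ", ".join(chosen)

    return INSERT_RE.sub(sub, text), missing


# Parameter rows for CA-2(2) and CA-3(5), copied from the catalog table on this page
PARAM_TABLE = {
    "ca-2.2_prm_1": "organization-defined frequency",
    "ca-2.2_prm_2": "Select one: announced; unannounced",
    "ca-2.2_prm_3": ("Select one-or-more: in-depth monitoring; vulnerability scanning; "
                     "malicious user testing; insider threat assessment; "
                     "performance/load testing; {{ insert: param, ca-2.2_prm_4 }}"),
    "ca-2.2_prm_4": "organization-defined other forms of security assessment",
    "ca-3.5_prm_1": "Select one: allow-all, deny-by-exception; deny-all, permit-by-exception",
    "ca-3.5_prm_2": "organization-defined information systems",
}
PARAMS = {pid: parse_constraint(pid, cell) for pid, cell in PARAM_TABLE.items()}

CA_2_2 = ("The organization includes as part of security control assessments, "
          "{{ insert: param, ca-2.2_prm_1 }}, {{ insert: param, ca-2.2_prm_2 }}, "
          "{{ insert: param, ca-2.2_prm_3 }}.")
CA_3_5 = ("The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing "
          "{{ insert: param, ca-3.5_prm_2 }} to connect to external information systems.")

# Constructed organizational values for the example (not from the page)
VALUES = {
    "ca-2.2_prm_1": "at least annually",
    "ca-2.2_prm_2": "unannounced",
    "ca-2.2_prm_3": ["vulnerability scanning", "adversary emulation"],
    "ca-2.2_prm_4": "adversary emulation",
    "ca-3.5_prm_1": "deny-all, permit-by-exception",
    "ca-3.5_prm_2": "all general-purpose workstations and servers",
}


def render_ca_2_2(values=VALUES):
    return resolve(CA_2_2, PARAMS, values)


def render_ca_3_5(values=VALUES):
    return resolve(CA_3_5, PARAMS, values)


if __name__ == "__main__":
    for fn in (render_ca_2_2, render_ca_3_5):
        text, missing = fn()
        print(text, "| missing:", missing)
```

Leaving an unassigned placeholder in the rendered text rather than dropping it is deliberate: a tailored statement that silently lost its frequency or system scope reads as complete to an assessor but assigns nothing.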
CA-2(3)
External Organizations 3 params
The organization accepts the results of an assessment of {{ insert: param, ca-2.3_prm_1 }} performed by {{ insert: param, ca-2.3_prm_2 }} when the assessment meets {{ insert: param, ca-2.3_prm_3 }}.
Param ID Label Constraint / Choices
ca-2.3_prm_1 organization-defined information system Organization-defined
ca-2.3_prm_2 organization-defined external organization Organization-defined
ca-2.3_prm_3 organization-defined requirements Organization-defined
CA-3
System Interconnections 1 param
The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnecti...
Param ID Label Constraint / Choices
ca-3_prm_1 organization-defined frequency Organization-defined
CA-3(1)
Unclassified National Security System Connections 2 params
The organization prohibits the direct connection of an {{ insert: param, ca-3.1_prm_1 }} to an external network without the use of {{ insert: param, ca-3.1_prm_2 }}.
Param ID Label Constraint / Choices
ca-3.1_prm_1 organization-defined unclassified, national security system Organization-defined
ca-3.1_prm_2 organization-defined boundary protection device Organization-defined
CA-3(2)
Classified National Security System Connections 1 param
The organization prohibits the direct connection of a classified, national security system to an external network without the use of {{ insert: param, ca-3.2_prm_1 }}.
Param ID Label Constraint / Choices
ca-3.2_prm_1 organization-defined boundary protection device Organization-defined
CA-3(3)
Unclassified Non-national Security System Connections 2 params
The organization prohibits the direct connection of an {{ insert: param, ca-3.3_prm_1 }} to an external network without the use of {{ insert: param, ca-3.3_prm_2 }}.
Param ID Label Constraint / Choices
ca-3.3_prm_1 organization-defined unclassified, non-national security system Organization-defined
ca-3.3_prm_2 organization-defined boundary protection device Organization-defined
CA-3(4)
Connections to Public Networks 1 param
The organization prohibits the direct connection of an {{ insert: param, ca-3.4_prm_1 }} to a public network.
Param ID Label Constraint / Choices
ca-3.4_prm_1 organization-defined information system Organization-defined
CA-3(5)
Restrictions On External System Connections 2 params
The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing {{ insert: param, ca-3.5_prm_2 }} to connect to external information systems.
Param ID Label Constraint / Choices
ca-3.5_prm_1 Select one: allow-all, deny-by-exception; deny-all, permit-by-exception
ca-3.5_prm_2 organization-defined information systems Organization-defined
CA-4
Security Certification [Withdrawn: Incorporated into CA-2]
CA-5
Plan of Action and Milestones 1 param
The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during...
Param ID Label Constraint / Choices
ca-5_prm_1 organization-defined frequency Organization-defined
CA-5(1)
Automation Support for Accuracy / Currency
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CA-6
Security Authorization 1 param
The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information syst...
Param ID Label Constraint / Choices
ca-6_prm_1 organization-defined frequency Organization-defined
CA-7
Continuous Monitoring 5 params
Param ID Label Constraint / Choices
ca-7_prm_1 organization-defined metrics Organization-defined
ca-7_prm_2 organization-defined frequencies Organization-defined
ca-7_prm_3 organization-defined frequencies Organization-defined
ca-7_prm_4 organization-defined personnel or roles Organization-defined
ca-7_prm_5 organization-defined frequency Organization-defined
CA-7(1)
Independent Assessment 1 param
The organization employs assessors or assessment teams with {{ insert: param, ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis.
Param ID Label Constraint / Choices
ca-7.1_prm_1 organization-defined level of independence Organization-defined
CA-7(2)
Types of Assessments [Withdrawn: Incorporated into CA-2]
CA-7(3)
Trend Analyses
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous mo...
CA-8
Penetration Testing 2 params
The organization conducts penetration testing {{ insert: param, ca-8_prm_1 }} on {{ insert: param, ca-8_prm_2 }}.
Param ID Label Constraint / Choices
ca-8_prm_1 organization-defined frequency Organization-defined
ca-8_prm_2 organization-defined information systems or system components Organization-defined
CA-8(1)
Independent Penetration Agent or Team
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
CA-8(2)
Red Team Exercises 2 params
The organization employs {{ insert: param, ca-8.2_prm_1 }} to simulate attempts by adversaries to compromise organizational information systems in accordance with {{ insert: param, ca-8.2_prm_2 }}.
Param ID Label Constraint / Choices
ca-8.2_prm_1 organization-defined red team exercises Organization-defined
ca-8.2_prm_2 organization-defined rules of engagement Organization-defined
CA-9
Internal System Connections 1 param
The organization: a. Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and b. Documents, for each internal connection, the interface characteristics,...
Param ID Label Constraint / Choices
ca-9_prm_1 organization-defined information system components or classes of components Organization-defined
CA-9(1)
Security Compliance Checks
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
Part ID Statement part
ca-1a Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:
ca-1a.1 A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among or...
ca-1a.2 Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorizatio...
ca-1b Reviews and updates the current:
ca-1b.1 Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and
ca-1b.2 Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}.
ca-2a Develops a security assessment plan that describes the scope of the assessment including:
ca-2a.1 Security controls and control enhancements under assessment;
ca-2a.2 Assessment procedures to be used to determine security control effectiveness; and
ca-2a.3 Assessment environment, assessment team, and assessment roles and responsibilities;
ca-2b Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent t...
ca-2c Produces a security assessment report that documents the results of the assessment; and
ca-2d Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}.
ca-3a Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
ca-3b Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
ca-3c Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}.
ca-5a Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses o...
ca-5b Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security i...
ca-6a Assigns a senior-level executive or manager as the authorizing official for the information system;
ca-6b Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
ca-6c Updates the security authorization {{ insert: param, ca-6_prm_1 }}.
ca-7a Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;
ca-7b Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;
ca-7c Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
ca-7d Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
ca-7e Correlation and analysis of security-related information generated by assessments and monitoring;
ca-7f Response actions to address results of the analysis of security-related information; and
ca-7g Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}.
ca-9a Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and
ca-9b Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.