Control ID Title / Statement Priority Baseline Impact
CA-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}: 1. {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that: (a) Addresses purpo...
Param ID Label Constraint / Choices
ca-1_prm_1 organization-defined personnel or roles Organization-defined
ca-01_odp.01 personnel or roles personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;
ca-01_odp.02 personnel or roles personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are def...
ca-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ca-01_odp.04 official an official to manage the assessment, authorization, and monitoring policy and procedures is defined;
ca-01_odp.05 frequency the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;
ca-01_odp.06 events events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are...
ca-01_odp.07 frequency the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is d...
ca-01_odp.08 events events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;
CA-02
Control Assessments 2 params
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: ...
Param ID Label Constraint / Choices
ca-02_odp.01 assessment frequency the frequency at which to assess controls in the system and its environment of operation is defined;
ca-02_odp.02 individuals or roles individuals or roles to whom control assessment results are to be provided are defined;
CA-02(01)
Independent Assessors
Employ independent assessors or assessment teams to conduct control assessments.
CA-02(02)
Specialized Assessments 4 params
Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}.
Param ID Label Constraint / Choices
ca-02.02_odp.01 specialized assessment frequency frequency at which to include specialized assessments as part of the control assessment is defined;
ca-02.02_odp.02 Select one: announced; unannounced
ca-02.02_odp.03 Select one-or-more: in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; {{ insert: param, ca-02.02_odp.04 }}
ca-02.02_odp.04 other forms of assessment other forms of assessment are defined (if selected);
CA-02(03)
Leveraging Results from External Organizations 3 params
Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.
Param ID Label Constraint / Choices
ca-02.03_odp.01 external organization(s) external organization(s) from which the results of control assessments are leveraged are defined;
ca-02.03_odp.02 system system on which a control assessment was performed by an external organization is defined;
ca-02.03_odp.03 requirements requirements to be met by the control assessment performed by an external organization on the system are defined;
CA-03
Information Exchange 3 params
a. Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }}; b. Document, as part of each exchange agreement, the interface ch...
Param ID Label Constraint / Choices
ca-03_odp.01 Select one-or-more: interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; {{ insert: param, ca-03_odp.02 }}
ca-03_odp.02 type of agreement the type of agreement used to approve and manage the exchange of information is defined (if selected);
ca-03_odp.03 frequency the frequency at which to review and update agreements is defined;
CA-03(01)
Unclassified National Security System Connections
CA-03(02)
Classified National Security System Connections
CA-03(03)
Unclassified Non-national Security System Connections
CA-03(04)
Connections to Public Networks
CA-03(05)
Restrictions on External System Connections
CA-03(06)
Transfer Authorizations
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
CA-03(07)
Transitive Information Exchanges
(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a); and (b) Take measures to ensure that transitive (downstrea...
CA-04
Security Certification
CA-05
Plan of Action and Milestones 1 param
a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the ...
Param ID Label Constraint / Choices
ca-05_odp frequency the frequency at which to update an existing plan of action and milestones based on the findings from control assessm...
CA-05(01)
Automation Support for Accuracy and Currency 1 param
Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using {{ insert: param, ca-05.01_odp }}.
Param ID Label Constraint / Choices
ca-05.01_odp automated mechanisms automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for...
CA-06
Authorization 1 param
a. Assign a senior official as the authorizing official for the system; b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational s...
Param ID Label Constraint / Choices
ca-06_odp frequency frequency at which to update the authorizations is defined;
CA-06(01)
Joint Authorization — Intra-organization
Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.
CA-06(02)
Joint Authorization — Inter-organization
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting ...
CA-07
Continuous Monitoring 9 params
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing t...
Param ID Label Constraint / Choices
ca-7_prm_4 organization-defined personnel or roles Organization-defined
ca-7_prm_5 organization-defined frequency Organization-defined
ca-07_odp.01 system-level metrics system-level metrics to be monitored are defined;
ca-07_odp.02 frequencies frequencies at which to monitor control effectiveness are defined;
ca-07_odp.03 frequencies frequencies at which to assess control effectiveness are defined;
ca-07_odp.04 personnel or roles personnel or roles to whom the security status of the system is reported are defined;
ca-07_odp.05 frequency frequency at which the security status of the system is reported is defined;
ca-07_odp.06 personnel or roles personnel or roles to whom the privacy status of the system is reported are defined;
ca-07_odp.07 frequency frequency at which the privacy status of the system is reported is defined;
CA-07(01)
Independent Assessment
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
CA-07(02)
Types of Assessments
CA-07(03)
Trend Analyses
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be mo...
CA-07(04)
Risk Monitoring
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (a) Effectiveness monitoring; (b) Compliance monitoring; and (c) Change monitoring.
CA-07(05)
Consistency Analysis 3 params
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: {{ insert: param, ca-7.5_prm_1 }}.
Param ID Label Constraint / Choices
ca-7.5_prm_1 organization-defined actions Organization-defined
ca-07.05_odp.01 actions actions to validate that policies are established are defined;
ca-07.05_odp.02 actions actions to validate that implemented controls are operating in a consistent manner are defined;
CA-07(06)
Automation Support for Monitoring 1 param
Ensure the accuracy, currency, and availability of monitoring results for the system using {{ insert: param, ca-07.06_odp }}.
Param ID Label Constraint / Choices
ca-07.06_odp automated mechanisms automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are...
CA-08
Penetration Testing 2 params
Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.
Param ID Label Constraint / Choices
ca-08_odp.01 frequency frequency at which to conduct penetration testing on systems or system components is defined;
ca-08_odp.02 system(s) or system components systems or system components on which penetration testing is to be conducted are defined;
CA-08(01)
Independent Penetration Testing Agent or Team
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
CA-08(02)
Red Team Exercises 1 param
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}.
Param ID Label Constraint / Choices
ca-08.02_odp red team exercises red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;
CA-08(03)
Facility Penetration Testing 2 params
Employ a penetration testing process that includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical acces...
Param ID Label Constraint / Choices
ca-08.03_odp.01 frequency frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physi...
ca-08.03_odp.02 Select one-or-more: announced; unannounced
CA-09
Internal System Connections 3 params
a. Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements...
Param ID Label Constraint / Choices
ca-09_odp.01 system components system components or classes of components requiring internal connections to the system are defined;
ca-09_odp.02 conditions conditions requiring termination of internal connections are defined;
ca-09_odp.03 frequency frequency at which to review the continued need for each internal connection is defined;
CA-09(01)
Compliance Checks
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
ca-1a Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:
ca-1a.1 {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:
ca-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ca-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ca-1a.2 Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, a...
ca-1b Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and mo...
ca-1c Review and update the current assessment, authorization, and monitoring:
ca-1c.1 Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }}; and
ca-1c.2 Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}.
ca-2a Select the appropriate assessor or assessment team for the type of assessment to be conducted;
ca-2b Develop a control assessment plan that describes the scope of the assessment including:
ca-2b.1 Controls and control enhancements under assessment;
ca-2b.2 Assessment procedures to be used to determine control effectiveness; and
ca-2b.3 Assessment environment, assessment team, and assessment roles and responsibilities;
ca-2c Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assess...
ca-2d Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls ...
ca-2e Produce a control assessment report that documents the results of the assessment; and
ca-2f Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}.
ca-3.7.(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a); and
ca-3.7.(b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems ca...
ca-3a Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};
ca-3b Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for ...
ca-3c Review and update the agreements {{ insert: param, ca-03_odp.03 }}.
ca-5a Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or def...
ca-5b Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or ...
ca-6a Assign a senior official as the authorizing official for the system;
ca-6b Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
ca-6c Ensure that the authorizing official for the system, before commencing operations:
ca-6c.1 Accepts the use of common controls inherited by the system; and
ca-6c.2 Authorizes the system to operate;
ca-6d Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
ca-6e Update the authorizations {{ insert: param, ca-06_odp }}.
ca-7.4.(a) Effectiveness monitoring;
ca-7.4.(b) Compliance monitoring; and
ca-7.4.(c) Change monitoring.
ca-7a Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};
ca-7b Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;
ca-7c Ongoing control assessments in accordance with the continuous monitoring strategy;
ca-7d Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
ca-7e Correlation and analysis of information generated by control assessments and monitoring;
ca-7f Response actions to address results of the analysis of control assessment and monitoring information; and
ca-7g Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}.
ca-9a Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;
ca-9b Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communi...
ca-9c Terminate internal system connections after {{ insert: param, ca-09_odp.02 }}; and
ca-9d Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection.