catalog: SP800-53rev3 / class: Management / family: (CA) Security Assessment and Authorization
CA-01: Security Assessment and Authorization Policies and Procedures

base control objective:
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

supplemental objective information:
This control is intended to produce the policy and procedures that are required for the effective implementation of the security controls and control enhancements in the security assessment and authorization family. The policies and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security assessment/authorization policies can be included as part of the general information security policy for the organization. Security assessment/authorization procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the security assessment and authorization policy.

enhancements to the base objective:

None.

mapping to FIPS 199 baseline:

LOW: base    MOD: base    HIGH: base

related controls:

PM-09   Risk Management Strategy

documents referenced in SP800-53rev3 for CA-01:

Document        Date            Status   Title
FIPS 200        March 2006      current  Minimum Security Requirements for Federal Information and Information Systems
NIST SP800-100  October 2006    current  Information Security Handbook: A Guide for Managers
NIST SP800-12   October 1995    current  An Introduction to Computer Security: The NIST Handbook
NIST SP800-14   September 1996  current  Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP800-23   August 2000     current  Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
NIST SP800-37   February 2010   current  Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-53A  July 2010       current  Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP800-55   July 2008       current  Security Metrics Guide for Information Technology Systems
NIST SP800-66   October 2008    current  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-79   June 2008       current  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations