catalog: SP800-53rev3 / class: Management / family: (CA) Security Assessment and Authorization

CA-02: Security Assessments

base control objective:
The organization:
a. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; and
b. Produces a security assessment report that documents the results of the assessment.

supplemental objective information:
The organization assesses the security controls in an information system as part of:
(i) security authorization or reauthorization;
(ii) meeting the FISMA requirement for annual assessments;
(iii) continuous monitoring; and
(iv) testing/evaluation of the information system as part of the system development life cycle process.
The assessment report documents the assessment results in sufficient detail as deemed necessary by the organization, to determine the accuracy and completeness of the report. The FISMA requirement for (at least) annual security control assessments should not be interpreted by organizations as adding additional assessment requirements to those requirements already in place in the security authorization process. To satisfy the FISMA annual assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to:
(i) security assessments conducted as part of an information system authorization or reauthorization process;
(ii) continuous monitoring (see CA-7); or
(iii) testing and evaluation of the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness).
Existing security assessment results are reused to the extent that they are still valid and are supplemented with additional assessments as needed. Subsequent to the initial authorization of the information system and in accordance with OMB policy, the organization assesses a subset of the controls annually during continuous monitoring. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. Those security controls that are the most volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system’s three-year authorization cycle. The organization can use the current year’s assessment results from any of the above sources to meet the FISMA annual assessment requirement provided that the results are current, valid, and relevant to determining security control effectiveness. External audits (e.g., audits conducted by external entities such as regulatory agencies) are outside the scope of this control.

enhancements to the base objective:

(1) The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
Enhancement Supplemental Guidance: An independent assessor or assessment team is any individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of command associated with the information system or to the determination of security control effectiveness. Independent security assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization. Contracted assessment services are considered independent if the information system owner is not directly involved in the contracting process or cannot unduly influence the impartiality of the assessor or assessment team conducting the assessment of the security controls in the information system. The authorizing official determines the required level of assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets, and to individuals. The authorizing official determines if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision. In special situations, for example when the organization that owns the information system is small or the organizational structure requires that the assessment be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner or authorizing official, independence in the assessment process can be achieved by ensuring the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, accuracy, integrity, and reliability of the results.

(2) The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].
Enhancement Supplemental Guidance: Penetration testing exercises both physical and technical security controls. A standard method for penetration testing consists of:
(i) pre-test analysis based on full knowledge of the target system;
(ii) pre-test identification of potential vulnerabilities based on pre-test analysis; and
(iii) testing designed to determine exploitability of identified vulnerabilities.
Detailed rules of engagement are agreed upon by all parties before the commencement of any penetration testing scenario. These rules of engagement are correlated with the tools, techniques, and procedures that are anticipated to be employed by threat-sources in carrying out attacks. An organizational assessment of risk guides the decision on the level of independence required for penetration agents or penetration teams conducting penetration testing. Red team exercises are conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization. While penetration testing may be laboratory-based testing, red team exercises are intended to be more comprehensive in nature and reflect real-world conditions. Information system monitoring, malicious user testing, penetration testing, red-team exercises, and other forms of security testing (e.g., independent verification and validation) are conducted to improve the readiness of the organization by exercising organizational capabilities and indicating current performance levels as a means of focusing organizational actions to improve the security state of the system and organization.
Testing is conducted in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Testing methods are approved by authorizing officials in coordination with the organization’s Risk Executive Function. Vulnerabilities uncovered during red team exercises are incorporated into the vulnerability remediation process.

(3) The organization develops and employs:
(a) A security assessment plan that describes the applicable security controls and control enhancements for the information system under assessment, the assessment environment, the scope of the assessment, the assessment team, and the assessment roles and responsibilities; and
(b) An assessment procedures document containing a detailed description of the security controls and control enhancements implemented, and how the implementation is to be verified during the assessment.

(4) The organization provides the results of the security assessment, in writing, to the authorizing official or the authorizing official designated representative.

mapping to FIPS199 baseline:

LOW: base    MOD: base (1)    HIGH: base (1) (2)

related (regimented) controls:

CA-06   Security Authorization
CA-07   Continuous Monitoring
PM-09   Risk Management Strategy
SA-11   Developer Security Testing

documents referenced in SP800-53rev3 for CA-02:

Document            Date             Status   Title
FIPS 199            February, 2004   current  Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-17       February, 1998   current  Modes of Operation Validation System (MOVS): Requirements and Procedures
NIST SP800-20       April, 2000      current  Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
NIST SP800-22rev1a  April, 2010      current  A Statistical Test Suite for Random and Pseudo-random Number Generators for Cryptographic Applications
NIST SP800-23       August, 2000     current  Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
NIST SP800-35       October, 2003    current  Guide to Information Technology Security Services
NIST SP800-36       October, 2003    current  Guide to Selecting Information Technology Security Products
NIST SP800-37       February, 2010   current  Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-53       August, 2009     current  Recommended Security Controls for Federal Information Systems
NIST SP800-53a      July, 2010       current  Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP800-55       July, 2008       current  Security Metrics Guide for Information Technology Systems
NIST SP800-76       September, 2006  DRAFT    Biometric Data Specification for Personal Identity Verification
NIST SP800-79       June, 2008       current  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
