CA-02 Security Assessments

Security Assessment and Authorization

Low Moderate High Privacy

Description

The organization conducts an assessment of the security controls in the information system [Assignment: organization-defined frequency, at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Supplemental Guidance

This control is intended to support the FISMA requirement that the management, operational, and technical controls in each information system contained in the inventory of major information systems be assessed with a frequency depending on risk, but no less than annually. The FISMA requirement for (at least) annual security control assessments should not be interpreted by organizations as adding assessment requirements beyond those already in place in the security certification and accreditation process. To satisfy the annual FISMA assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to: (i) security certifications conducted as part of an information system accreditation or reaccreditation process (see CA-04); (ii) continuous monitoring activities (see CA-07); or (iii) testing and evaluation of the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness). Existing security assessment results are reused to the extent that they are still valid and are supplemented with additional assessments as needed. Reuse of assessment information is critical in achieving a broad-based, cost-effective, and fully integrated security program capable of producing the needed evidence to determine the actual security status of the information system. OMB does not require an annual assessment of all security controls employed in an organizational information system.
In accordance with OMB policy, organizations must annually assess a subset of the security controls based on: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or confidence) that the organization must have in determining the effectiveness of the security controls in the information system. It is expected that the organization will assess all of the security controls in the information system during the three-year accreditation cycle. The organization can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement (see CA-04). NIST Special Publication 800-53A provides guidance on security control assessments, including reuse of existing assessment results. Related security controls: CA-04, CA-06, CA-07, SA-11.

Changes from Rev 4

Title changed from 'Security Assessments'
Control text is more generic and drops security emphasis
Discussion includes need to ensure control assessors possess required skills and technical expertise and results reviewed and approved by the authorizing official or designee
Addresses withdrawn App J control AR-04

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

8.1, 9.2, A.5.35, A.5.36, A.8.29, A.8.34

ISO 27002:2022

5.35, 5.36, 8.29, 8.34

COBIT 2019

APO11, APO13, BAI07, MEA02, MEA03, MEA04

CIS Controls v8

CIS 15.5, CIS 18.4

NIST CSF 2.0

GV.OV-02, GV.OV-03, ID.IM-01

SOC 2 TSC

CC1.1-POF3, CC3.1, CC4.1, CC5.2, CC6.1-POF2

PCI DSS v4.0.1

12.4, 12.5

CSA CCM v4

AA-01, AA-02, AA-03, AA-04, AA-05, AA-06, CEK-09, GRC-07, STA-05, STA-06, STA-11, STA-12, STA-13

CSA AICM v1

A&A-01, A&A-02, A&A-03, A&A-04, A&A-05, A&A-06, CEK-09, GRC-07, GRC-12, STA-05, STA-06, STA-11, STA-12, STA-13

ISO 42001:2023

A.5.2, A.5.3, A.6.2.4

NIS2 Directive

Art. 21(2)(f), Art. 24, Art. 32

PRA Operational Resilience

SS1/21-7.1, SS2/21-6.2

MAS TRM

13

APRA CPS 234

Para 22-23, Para 24, Para 27-28

BSI IT-Grundschutz

ORP.5

ANSSI

Hygiene.3, Hygiene.31, Hygiene.41, RGS.4.1, SecNumCloud.19.2

FINMA Circular 2023/1

IV.D(75), IV.D(76), IV.D(77)

OSFI B-13

B-13.1.3, B-13.3.5

EU GDPR

Art.32(1)(d), Art.35(1), Art.35(7)

EU DORA

Art.24(1), Art.24(2), Art.25(1), Art.6(4)

BIO2

5.35, 5.36, 8.29, 8.34

RBI CSF

Annex1.18, ITGRCA.26, ITGRCA.30

FISC Security Guidelines

FISC.O7

LGPD + BCB 4893

BCB.Art.10, BCB.Art.18, BCB.Art.19, LGPD.Art.37-38, LGPD.Art.50

HKMA TM-E-1

TME1.2.6, TME1.3.3, TME1.7.4

MLPS 2.0

8.1.7.2, 8.1.9.5, 8.1.9.6

DNB Good Practice

DNB.10.4, DNB.16.1, DNB.16.2, DNB.16.3, DNB.16.4, DNB.16.5, DNB.22.1

EU CRA

CRA.I.2a, CRA.II.3

SAMA CSF

1.3, 1.9, 2.2, 4.2

NCA ECC

1-7, 1-8

CBB TM

TM-16

Qatar NIA

GVOSRMSD

CBUAE

CR-10, CR-14

CBE CSF

GOV-3, OVM-3

SA JS2

JS2-6.2, JS2-7.7, JS2-9

CBN CSF

Part2.3, Part5.1, Part6.2, Part7.2

BoG CISD

CISD-COMP, CISD-ISMS, CISD-IV

POPIA

s19

BoM CTRM

1.5, 3.1, 4.3, 5.4

IOSCO Cyber Resilience

LE-2, SA-3, TEST-1, TEST-3, TEST-4

BCBS 239

Principle 12, Principle 7, Principle 8

CPMI-IOSCO PFMI

CG.LE, CG.TE, PFMI.P17, PFMI.P3

FFIEC IS

Appendix A, II.A, II.A.2, II.B, II.C.3, II.C.4, II.D, IV.A, IV.A.1, IV.A.2, IV.A.3, IV.A.4

NYDFS 500

500.2, 500.9

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(1)(ii)(A), §164.308(a)(7)(ii)(D), §164.308(a)(8)

ECB CROE

CROE.2.2.1, CROE.2.6.1, CROE.2.8.1

EBA ICT Guidelines

3.3.6, 3.4.6

SEBI CSCRF

AUDIT, CCI, CERTIF, DE.VA, GV.OV, RC.IM, RS.IM, VAPT

BOT Cyber Resilience

Ch1.3, Ch3.2, Ch6.1

CMMC 2.0

CA, RA

10 CFR 73.54

RG5.71-C-PL, RG5.71-C-CA

TSA Pipeline SD

SD-1 Sec 3, SD-2 Sec G

API 1164

Sec 15

IAEA NSS 17-T

Sec 11

CBEST

CBEST.10, CBEST.7

TIBER-EU

TIBER.CLOSE, TIBER.REM

PCI HSM

10

Common Criteria

CC Part 3 — SAR, CEM

ISAE 3402

Clause 10, Clause 2, Clause 3, Clause 5, Clause 6

Solvency II

Art.45, Art.46, Art.47, DR.266, EIOPA-Cloud-GL7, EIOPA-ICT-4.2

Lloyd's Minimum Standards

MS10.2

NAIC Insurance Data Security

4, 4-monitoring, 4A, 4E, 7

PRA SS1/23

P2.2, P4.1, P4.2

FCA SYSC 13

SYSC 13.5.3, SYSC 13.G.3

HITRUST CSF v11

00.b, 04.b, 06.c, 12.c

FDA 21 CFR Part 11

§11.10(a), §11.300(e)

FDA Cybersecurity Guidance

524B-4, SPDF-2

ISO 27799

18.3, 18.4

NHS DSPT

NDG-5.1, NDG-7.3

CCSS v9.0

1.01.6, 2.01.1, 2.01.2, 2.01.3, 2.02.3, 2.03.1, 2.03.2

MiCA

Art.34(5), Art.43(1), Art.94(1), Art.111(1)

Basel SCO60

SCO60.5, SCO60.14, SCO60.21, SCO60.41, SCO60.51, SCO60.52, SCO60.64, SCO60.65, SCO60.74, SCO60.85

BSSC Standards

TIS-02, TIS-06, GSP-10, GSP-15

SEC Custody (Digital Assets)

SEC-CD-01, SEC-CD-10, SEC-CD-13, SEC-CD-14, SEC-CD-17

ISO 17799 (legacy)

6.1.8, 15.2.1, 15.2.2

COBIT 4.1 (legacy)

DS5.5