ARTIFACTS

CA: SECURITY ASSESSMENT & AUTHORIZATION

HOW TO USE THIS PAGE

What's On This Page

Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.

Supplement the artifacts here with other relevent documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.

The Source of the Artifacts

The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizationsand Special Publication and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.

THE ESSENTIALS

Essential Artifacts for Risk-Based Cybersecurity Programs

This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Security Asssessment & Authorization (CA); and documents that are widely used in the assessment of controls and control enhancements in the Security Asssessment & Authorization (CA) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.

CORE ARTIFACTS
WIDELY USED ARTIFACTS FOR SECURITY ASSESSMENT & AUTHORIZATION (CA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (AU)
Security Asssessment & Authorization policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Security Authorization Package Documents: Security Plan Security Assessment Plan of Action and Milestones (POA&M)
ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan Plans related to a comprehensive Contingency Plan: Business Continuity Plans Disaster Recovery Plans Continuity of Operations Plans Crisis Communications Plans Critical Infrastructure Plans Cyber Incident Response Plans Insider Threat Implementation Plan Occupant Emergency Plans
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

POLICY & PROCEDURES

Policy & Procedures

Here you'll find a catalog of Security Asssessment & Authorization (CA) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

POLICES & PROCEDURES	APPLICABLE CONTROL(S)
Access control policy	CA-3 CA-3 (1) CA-3 (2) CA-3 (3) CA-3 (4) CA-3 (5) CA-9 CA-9 (1)
Procedures addressing configuration management	CA-7
Procedures addressing continuous monitoring of information system security controls	CA-7 CA-7 (1) CA-7 (3)
Procedures addressing information system connections	"CA-3 CA-3 (1) CA-3 (2) CA-3 (3) CA-3 (4) CA-3 (5) CA-9 CA-9 (1)"
Procedures addressing penetration testing	CA-8 CA-8 (1) CA-8 (2)
Procedures addressing plan of action and milestones	CA-5 CA-5 (1)
Procedures addressing red team exercises	CA-8 (2)
Procedures addressing security assessment planning	CA-2 CA-2 (1) CA-2 (2) CA-2 (3)
Procedures addressing security assessments	CA-2 CA-2 (1) CA-2 (2) CA-2 (3)
Procedures addressing security authorization	CA-6
SECURITY ASSESSMENT & AUTHORIZATION policy	CA-2 CA-2 (1) CA-2 (2) CA-2 (3) CA-5 CA-5 (1) CA-6 CA-7 CA-7 (1) CA-7 (3) CA-8 CA-8 (1) CA-8 (2)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES	CA-1
System and communications protection policy	CA-3 CA-3 (1) CA-3 (2) CA-3 (3) CA-3 (4) CA-3 (5) CA-9 CA-9 (1)

ARTIFACTS — Security Asssessment & Authorization (CA) Evidence

Evidence, Records & Artifacts

ARTIFACT	APPLICABLE CONTROL(S)
Configuration management records	CA-7
Continuous monitoring strategy	CA-7 (3)
Information system interconnection agreements	CA-3 (5)
Information system Interconnection Security Agreements	CA-3 CA-3 (1) CA-3 (2) CA-3 (3) CA-3 (4)
Information system monitoring records	CA-7 CA-7 (1) CA-7 (3)
Penetration test report	CA-8 CA-8 (1) CA-8 (2)
Results of red team exercise	CA-8 (2)
Rules of engagement	CA-8 (2)
Security assessment evidence	CA-2 (2) CA-2 (3) CA-5 CA-8 CA-8 (1) CA-8 (2)
Security assessment plan	CA-2 CA-2 (2) CA-2 (3) CA-5 CA-8 CA-8 (1) CA-8 (2)
Security assessment requirements	CA-2 (3)
Security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)	CA-2 (1) CA-6
Security impact analyses	CA-7 CA-7 (1) CA-7 (3)
Status reports	CA-7 CA-7 (1) CA-7 (3)

LISTS

Security Asssessment & Authorization Related Lists

These are the Security Asssessment & Authorization (CA) related lists you may need to support your security program. For the lists applicable to your systems and informations supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained, and how to get the when you have an incident, an incident investigation or an audit.

LIST	APPLICABLE CONTROL(S)
List of components or classes of components authorized as internal system connections	CA-9 CA-9 (1)

Go to The List of Lists

LINKS TO SECURITY ASSESSMENT & AUTHORIZATION (CA) FAMILY CONTROLS

Control	Control Enhancements
CA-1 SECURITY ASSESSMENT & AUTHORIZATION \| SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES
CA-2 SECURITY ASSESSMENT & AUTHORIZATION \| SECURITY ASSESSMENTS
	CA-2 (1) SECURITY ASSESSMENTS \| INDEPENDENT ASSESSORS
	CA-2 (2) SECURITY ASSESSMENTS \| SPECIALIZED ASSESSMENTS
	CA-2 (3) SECURITY ASSESSMENTS \| EXTERNAL ORGANIZATIONS
CA-3 SECURITY ASSESSMENT & AUTHORIZATION \| SYSTEM INTERCONNECTIONS
	CA-3 (1) SYSTEM INTERCONNECTIONS \| UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (2) SYSTEM INTERCONNECTIONS \| CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (3) SYSTEM INTERCONNECTIONS \| UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (4) SYSTEM INTERCONNECTIONS \| CONNECTIONS TO PUBLIC NETWORKS
	CA-3 (5) SYSTEM INTERCONNECTIONS \| RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
CA-4 SECURITY ASSESSMENT & AUTHORIZATION \|
CA-5 SECURITY ASSESSMENT & AUTHORIZATION \| PLAN OF ACTION AND MILESTONES
	CA-5 (1) PLAN OF ACTION AND MILESTONES \| AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
CA-6 SECURITY ASSESSMENT & AUTHORIZATION \|
CA-7 SECURITY ASSESSMENT & AUTHORIZATION \| CONTINUOUS MONITORING
	CA-7 (1) CONTINUOUS MONITORING \| INDEPENDENT ASSESSMENT
	CA-7 (2) CONTINUOUS MONITORING \| TYPES OF ASSESSMENTS
	CA-7 (3) CONTINUOUS MONITORING \| TREND ANALYSES
CA-8 SECURITY ASSESSMENT & AUTHORIZATION \| PENETRATION TESTING
	CA-8 (1) PENETRATION TESTING \| INDEPENDENT PENETRATION AGENT OR TEAM
	CA-8 (2) PENETRATION TESTING \| RED TEAM EXERCISES
CA-9 SECURITY ASSESSMENT & AUTHORIZATION \| INTERNAL SYSTEM CONNECTIONS
	CA-9 (1) INTERNAL SYSTEM CONNECTIONS \| SECURITY COMPLIANCE CHECKS

Control	Control Enhancements
CA-1 SECURITY ASSESSMENT & AUTHORIZATION \| SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES
CA-2 SECURITY ASSESSMENT & AUTHORIZATION \| SECURITY ASSESSMENTS
	CA-2 (1) SECURITY ASSESSMENTS \| INDEPENDENT ASSESSORS
	CA-2 (2) SECURITY ASSESSMENTS \| SPECIALIZED ASSESSMENTS
	CA-2 (3) SECURITY ASSESSMENTS \| EXTERNAL ORGANIZATIONS
CA-3 SECURITY ASSESSMENT & AUTHORIZATION \| SYSTEM INTERCONNECTIONS
	CA-3 (1) SYSTEM INTERCONNECTIONS \| UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (2) SYSTEM INTERCONNECTIONS \| CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (3) SYSTEM INTERCONNECTIONS \| UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
	CA-3 (4) SYSTEM INTERCONNECTIONS \| CONNECTIONS TO PUBLIC NETWORKS
	CA-3 (5) SYSTEM INTERCONNECTIONS \| RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
CA-4 SECURITY ASSESSMENT & AUTHORIZATION \|
CA-5 SECURITY ASSESSMENT & AUTHORIZATION \| PLAN OF ACTION AND MILESTONES
	CA-5 (1) PLAN OF ACTION AND MILESTONES \| AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
CA-6 SECURITY ASSESSMENT & AUTHORIZATION \|
CA-7 SECURITY ASSESSMENT & AUTHORIZATION \| CONTINUOUS MONITORING
	CA-7 (1) CONTINUOUS MONITORING \| INDEPENDENT ASSESSMENT
	CA-7 (2) CONTINUOUS MONITORING \| TYPES OF ASSESSMENTS
	CA-7 (3) CONTINUOUS MONITORING \| TREND ANALYSES
CA-8 SECURITY ASSESSMENT & AUTHORIZATION \| PENETRATION TESTING
	CA-8 (1) PENETRATION TESTING \| INDEPENDENT PENETRATION AGENT OR TEAM
	CA-8 (2) PENETRATION TESTING \| RED TEAM EXERCISES
CA-9 SECURITY ASSESSMENT & AUTHORIZATION \| INTERNAL SYSTEM CONNECTIONS
	CA-9 (1) INTERNAL SYSTEM CONNECTIONS \| SECURITY COMPLIANCE CHECKS