10.8.1 CA-1 – Security Assessment and Authorization Policies & Procedures
Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Control: The organization:
Develops, documents, and disseminates to all personnel:
A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
Reviews and updates the current:
Security assessment and authorization policy every 5 years; and
Security assessment and authorization procedures at least annually.

10.8.2 CA-2 – Security Assessments
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Develops a security assessment plan that describes the scope of the assessment, including (1) security controls and control enhancements under assessment; (2) assessment procedures to be used to determine security control effectiveness; and (3) assessment environment, assessment team, and assessment roles and responsibilities.
Security Assessment Plan is provided by DSS.
Assesses the security controls in the information system and its environment of operation at least annually, or as stipulated in the organization's continuous monitoring program, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
Click here to enter text.
Produces a security assessment report that documents the results of the assessment.
Click here to enter text.
Provides the results of the security control assessment to the SCA, the DAO/DAO Rep, and the ISSM/ISSO.

10.8.2.1 CA-2(1) – Security Assessments: Independent Assessors
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs assessors or assessment teams with an AO-determined level of impartiality, based on the risk assessment for the system, to conduct security control assessments. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of command associated with the information system, or with respect to the determination of security control effectiveness. Security assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization.
DSS is considered the Independent Assessor within the NISP implementation of the RMF process.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.8.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall identify in the SSP any connections of an information system to an external information system, and shall ensure that connections from the information system to external information systems are authorized through the use of an Interconnection Security Agreement (ISA). An external information system is an information system or component that is outside the authorization boundary as defined in the SSP (reference AC-20).
Organizations typically have no direct control over the security controls, or the effectiveness of those controls, for these external systems or components. Organizations shall therefore monitor all information system connections on an ongoing basis to verify enforcement of the security requirements. If the interconnecting systems have the same AO, an ISA is not required, although one may still be beneficial.
When a need arises to connect two IS operating at different security classification levels, the connection is referred to as a cross-domain connection. Any cross-domain connection must first be identified to the Service or Agency Cross Domain Support Element (CDSE).
The direct connection of any information system to an external network is prohibited. No direct connection means that an information system cannot connect to an external network without the use of an approved boundary protection device (e.g., firewall or cross domain device) that mediates the communication between the system and the network.
The organization:
Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
Click here to enter text.
Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
Click here to enter text.
Reviews and updates Interconnection Security Agreements annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.8.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of an unclassified national security system to an external network without DAO approval and the use of approved boundary protection devices.
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.8.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of a classified national security system processing SAR to an external network without DAO approval and the use of approved boundary protection devices.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.8.3.3 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
10.8.4 CA-5 – Plan of Action and Milestones
POA&Ms are the authoritative management tool used by the organization (including the AO and SCA) to detail specific program- and system-level security weaknesses, remediation needs, the resources required to implement the plan, and scheduled completion dates.
The POA&M is initiated based on the findings and recommendations in the SAR, which at a minimum provides that information to the ISO. The ISO shall describe the planned tasks for correcting weaknesses and addressing any residual findings. The POA&M shall identify:
Tasks to be accomplished with a recommendation for completion either before or after information system implementation.
Resources required to accomplish the tasks.
Any milestones in meeting the tasks, to include percentage completed.
Scheduled completion dates for the milestones.
Status of tasks (completed, ongoing, delayed, planned).
The POA&M is used by the AO and SCA to monitor progress in mitigating any findings. POA&M entries are required even when weaknesses or deficiencies found during the assessment are remediated prior to submission of the authorization package to the AO. Once an authorization is issued with a POA&M, the approved milestones and scheduled completion dates shall not be adjusted without coordination with the AO. (NOTE: For Army, weaknesses found during the assessment but remediated on site will be included in the SAR, but not the POA&M.)
The organization:
Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Click here to enter text.
Updates the existing plan of action and milestones at least quarterly based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

10.8.5 CA-6 – Security Authorization
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The ISSM is responsible for ensuring the submission of the Security Authorization Package to the SCA, who, in turn, submits the security authorization package to the AO. When security controls are provided to an organization by an external provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements), the organization shall ensure that the information needed by the AO to make a risk-based decision is made available by the control provider. The security authorization package will contain, at a minimum, the SSP (which includes the ConMon Strategy), the RAR, and the POA&M. In addition, the Security Assessment Plan may be required by the AO. The complexity of the RAR and ConMon Strategy varies by system and environment; guidance on the level of detail required is provided by the AO/SCA.
For additional information on the requirements for reciprocity, see the DAA PM control description.
The organization:
Assigns a senior-level executive or manager as the authorizing official for the information system.
This control falls under DSS cognizance.
Ensures that the authorizing official authorizes the information system for processing before commencing operations.
This control falls under DSS cognizance.
Updates the security authorization. If the organization and/or system is adequately covered by a continuous monitoring program, the security authorization may be continuously updated; if not, it is updated at least every three (3) years, when significant security breaches occur, or whenever there is a significant change to the system or to the environment in which the system operates.

10.8.6 CA-7 – Continuous Monitoring
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
Establishment of the monitoring frequency for each security control and the frequency of assessments supporting such monitoring
Click here to enter text.
Ongoing security control assessments in accordance with the organizationally-defined security control monitoring frequency
Click here to enter text.
Ongoing security status monitoring of organization-defined metrics in accordance with the organizationally-defined security control monitoring frequency
Click here to enter text.
Correlation and analysis of security-related information generated by assessments and monitoring
Click here to enter text.
Response actions to address results of the analysis of security-related information
Reporting the security state of the organization and the information system to appropriate organizational officials at least annually, or whenever there is a significant change to the system or the environment in which the system operates.

10.8.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs assessors or assessment teams to perform an objective assessment to monitor the security controls in the information system on an ongoing basis.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.8.7 CA-9 – Internal System Connections – NEW BASELINE