Navigate

CCI-000251

CCI-000251 Definition

The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

In accordance with DoD's published guidance, the organization being inspected/assessed will utilize the implementation guidance and validation procedures published on the Knowledge Service to evaluate the implementation status of the applicable controls. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls, such that all are reviewed in a 3 year period, except for those requiring more frequent review as defined in other site or overarching policy. (NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1). *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.

Validation Procedures

See CA-2 c "The organization conducting the inspection/assessment obtains and examines the security assessment report to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls.

Compelling Evidence

1.) Signed and dated Security Assessment Plan 2.) Authorization Policy 3.) Audit logs of assessments

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000251.

Control	Description
CA-2	The organization: CA-2a.: Develops a security assessment plan that describes the scope of the assessment including: CA-2a.1.: Security controls and control enhancements under assessment; CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2c.: Produces a security assessment report that documents the results of the assessment; and CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Control

Description

CA-2

The organization:

CA-2a.: Develops a security assessment plan that describes the scope of the assessment including:
- CA-2a.1.: Security controls and control enhancements under assessment;
- CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and
- CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities;

CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

CA-2c.: Produces a security assessment report that documents the results of the assessment; and

CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].