CCI-000256

The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency.

Implementation Guidance

The organization being assessed/inspected must document how they will annually conduct tests and exercises of the implemented security controls in their security assessment plan. The tests and exercises may consist of activities such as in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; or other forms of security assessment defined in CA-2 (2), CCI 1582. Vulnerability scans are not the same as penetration testing. DoD has defined the frequency as annually.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the test and exercise plan documented in the security assessment plan as well as the results of one or more of the latest security assessments to ensure the organization being inspected/assessed is conducting the assessments required in their security assessment plan annually. DoD has defined the frequency as annually.

Compelling Evidence

1.) Signed and dated Security Assessment Plan/Policy that sets out the security control assessments 2.) Audit logs in reference to the performance of security control assessments annually

The controls below (if any) were marked by NIST as being related to CCI-000256.