CCI-000256

Include as part of the control assessments, announced or unannounced, on an organization-defined frequency, in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or organization-defined other forms of assessment.

Implementation Guidance

Determine if [CA-02(02)_ODP[01]; frequency at which to include specialized assessments as part of the control assessment is defined] [CA-02(02)_ODP[02]; one of the following PARAMETER VALUES is selected: {announced; unannounced}] [CA-02(02)_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [CA-02(02)_ODP[04]; other forms of assessment are defined (if selected)]}] are included as part of control assessments.

Validation Procedures

Examine: [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing control assessments; control assessment plan; control assessment report; control assessment evidence; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Mechanisms supporting control assessment].

The controls below (if any) were marked by NIST as being related to CCI-000256.