Level 5 CMMC - CMMC Practices

CA.2.158  

Reference: CMMC 1.02

Family: CA

Level Introduced: 2

Practice:
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

CMMC Clarification:
As organizations implement security controls, they should avoid a “set it and forget it” mentality. The security landscape is constantly changing, so reassess existing controls at periodic intervals to validate that they are still effective in organizational systems and still meet the needs of the organization. Set the assessment schedule according to organizational needs, taking regulatory obligations and internal policies into account when assessing the controls.

Typical outputs of the practice include:
• documented assessment results;
• proposed new controls, or updates to existing controls;
• remediation plans; and
• new identified risks.

Example
You are in charge of IT operations in your company. You ensure that security controls are achieving their objectives. After you implement the controls, you monitor their performance. You should perform this review as often as necessary to meet:
• your organization’s risk planning needs; and
• any regulations or policies you must follow.
When you assess the controls, document what you find. When you find that your controls are not meeting your requirements, you should act and make changes. You can:
• propose updated or new controls;
• develop a plan to improve the control; and
• document new risks that you find.
You should also document these actions.

3.12.1

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Discussion:
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.

Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle.

[SP 800-53] provides guidance on security and privacy controls for systems and organizations. [SP 800-53A] provides guidance on developing security assessment plans and conducting assessments.

Source: NIST Special Publication 800-171 Rev. 2

CA-2

SECURITY ASSESSMENTS

Description:
The organization:
    a. Develops a security assessment plan that describes the scope of the assessment including:
        1. Security controls and control enhancements under assessment;
        2. Assessment procedures to be used to determine security control effectiveness; and
        3. Assessment environment, assessment team, and assessment roles and responsibilities;
    b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
    c. Produces a security assessment report that documents the results of the assessment; and
    d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Supplemental Guidance:
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures.

Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle.

Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02