Risk Management Framework (RMF)


Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.

View the Project on GitHub chaffin/RMF


CA-1 Security Assessment and Authorization Policies & Procedures

a. The ISSM is the individual responsible for the development, implementation, assessment, and monitoring of common controls inherited by National Security Systems (NSS). The ISSM maintains these security controls under a larger umbrella by establishing minus -1 policy controls for the Common Control Provider (CCP) plan and by documenting Common and Hybrid procedures, which are disseminated to all personnel managing the development, operations, and maintenance of NSS (CCI-002061, CCI-002062):

  1. The minus -1 policy control policy [1] addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (CCI-000239, CCI-000240); and

  2. The procedures to facilitate the implementation of this Security Assessment and Authorization policy and the associated Security Assessment and Authorization controls are detailed in the Common Control Provider plan CCP-CA-PRO (CCI-000242, CCI-000243); and

b. The ISSM as the Common Control Provider reviews and updates the current:

  1. Minus -1 policy controls annually in accordance with continuous monitoring CA0100; CCI-000238, CCI-000241; and

  2. Security assessment and authorization procedures annually in accordance with continuous monitoring CA0100; CCI-000244, CCI-001578.

[1] Common Control Provider (CCP) minus -1 policy controls are written to provide policy and procedures for each control family. This single policy may be cited for compliance with the -1 policy controls for each family.