Risk Management Framework (RMF)

Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.

CA-2 Security Assessments

The [Facility] developed:

a. Security assessments, to include self-assessments, which are documented within each security control family for the information system. The scope of the assessment covers the Control Correlation Identifiers (CCIs), which include: CCI-000245

  1. Security controls and control enhancements under assessment, comprising common controls from the Defense Counterintelligence and Security Agency Process Manual (DAAPM) overlays for Single User Standalone (SUSA), Multi User Standalone (MUSA), and Isolated Local Area Network (ISOL)/Peer-to-Peer (P2P), together with controls from the DoD Joint SAP Implementation Guide (JSIG); the set also contains, though not all-inclusively, controls from the CLASSIFIED, INTEL, and Personally Identifiable Information (PII) overlays; CCI-000246

  2. Assessment procedures used to determine security control effectiveness, comprised of policies and procedures, scanning tools where applicable, and the continuous monitoring methods addressed in CA-7 Continuous Monitoring, to ensure the security controls are implemented as intended to meet the security requirements for the system; and CCI-000247

  3. Assessment environment, which is the authorization boundary for the system and is described in PL-2(a.2) via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. The assessment team, and the assessment roles and responsibilities for the information system, are denoted within each assessed control; CCI-000248

b. Security controls in the information system and its environment of operation are assessed at least annually, or as stipulated in the continuous monitoring program to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CCI-000251, CCI-000252

c. A security assessment report that documents the results of the assessment is incorporated within the Table of Contents of the security control family set of procedures; and CCI-000253

d. The results of the security control assessment are provided to the SCA and the AO Representative. CCI-000254, CCI-002071