Risk Management Framework (RMF)

Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.

View the Project on GitHub chaffin/RMF

CCI-002061
Assessment Objective CA-1(a)
Rule The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated.
Discussion DoD has defined the personnel or roles as all personnel. DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel.
CCI-002062
Assessment Objective CA-1(a)
Rule The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated.
Discussion DoD has defined the personnel or roles as all personnel.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel.
CCI-000239
Assessment Objective CA-1(a)(1)
Rule The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Discussion DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
Check DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI-000240
Assessment Objective CA-1(a)(1)
Rule The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy.
Discussion DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website.
Check DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI-000242
Assessment Objective CA-1(a)(2)
Rule The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Discussion The organization being inspected/assessed develops and documents, IAW DoDI 8510.01, procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Check The organization conducting the inspection/assessment obtains and examines the procedures to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls IAW DoDI 8510.01.
CCI-000243
Assessment Objective CA-1(a)(2)
Rule The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Discussion The organization being inspected/assessed will require all personnel to register at the DTIC website to receive update notifications to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. DoD has defined the personnel or roles as all personnel.
Check The organization conducting the inspection/assessment obtains and examines the AUP (Acceptable Use Policy), appointment orders, or written policy requiring that all personnel register at the DTIC website to receive update notifications. DoD has defined the personnel or roles as all personnel.
CCI-000238
Assessment Objective CA-1(b)(1)
Rule The organization defines the frequency to review and update the current security assessment and authorization policy.
Discussion DoD has defined the frequency as every 5 years.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years.
CCI-000241
Assessment Objective CA-1(b)(1)
Rule The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency.
Discussion DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
Check DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI-000244
Assessment Objective CA-1(b)(2)
Rule The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency.
Discussion The organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually. The organization must maintain an audit trail of review and update activity. DoD has defined the frequency as annually.
Check The organization conducting the inspection/assessment obtains and examines the audit trail of review and update activity to ensure the organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually.
CCI-001578
Assessment Objective CA-1(b)(2)
Rule The organization defines the frequency to review and update the current security assessment and authorization procedures.
Discussion DoD has defined the frequency as annually.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
CCI-000245
Assessment Objective CA-2(a)
Rule The organization develops a security assessment plan for the information system and its environment of operation. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The organization being inspected/assessed will document these security assessment plan requirements as part of the DoD approved Security Plan. Security plan templates are provided through eMASS and the Knowledge Service. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization conducting the inspection/assessment obtains and examines the Security Plan to validate security assessment blocks are complete.
CCI-000246
Assessment Objective CA-2(a)(1)
Rule The organization's security assessment plan describes the security controls and control enhancements under assessment. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The organization being inspected/assessed will ensure the Security Plan identifies the security controls and control enhancements under assessment. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization conducting the inspection/assessment obtains the security assessment plan to verify the plan identifies the security controls and those control enhancements under assessment.
CCI-000247
Assessment Objective CA-2(a)(2)
Rule The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The implementation guidance and validation procedures posted on the Knowledge Service constitutes assessment procedures for DoD. If organizations being inspected/assessed use assessment procedures other than those posted on the Knowledge Service, those procedures must be documented. Comment The items required within this CCI are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check DoD components are automatically compliant with this CCI if using the implementation guidance and validation procedures on the Knowledge Service. If the organization being inspected/assessed is using alternative implementation guidance and validation procedures, the organization conducting the inspection/assessment will obtain and examine those procedures.
CCI-000248
Assessment Objective CA-2(a)(3)
Rule The organization's security assessment plan describes assessment environment. For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The organization being inspected/assessed will provide a description of the authorization boundary in their Security Plan. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. Authorization boundary as defined in CNSSI 4009. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization conducting the inspection/assessment obtains and examines the organization's authorization boundary. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components.
CCI-002070
Assessment Objective CA-2(a)(3)
Rule The organization's security assessment plan describes assessment team, assessment roles and responsibilities.
Discussion The organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan.
Check The organization conducting the inspection/assessment obtains and examines the security assessment plan to ensure the organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan.
CCI-000251
Assessment Objective CA-2(b)
Rule The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion In accordance with DoD's published guidance, the organization being inspected/assessed will utilize the implementation guidance and validation procedures published on the Knowledge Service to evaluate the implementation status of the applicable controls. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls, such that all are reviewed in a 3 year period, except for those requiring more frequent review as defined in other site or overarching policy. (NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1.) Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check See CA-2 c: "The organization conducting the inspection/assessment obtains and examines the security assessment report to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls."
CCI-000252
Assessment Objective CA-2(b)
Rule The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion DoD has defined the frequency as annually for technical controls, annually for a portion of management and operation controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operation controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1.
CCI-000253
Assessment Objective CA-2(c)
Rule The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The organization being inspected/assessed will develop a SAR that includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls using the template available on the Knowledge Service. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization conducting the inspection/assessment obtains and examines the SAR to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls.
CCI-000254
Assessment Objective CA-2(d)
Rule The organization provides the results of the security control assessment against information system and its environment of operation to organization-defined individuals or roles. IG&VP WG Note: For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.
Discussion The organization being inspected/assessed will provide the SAR to at a minimum, the ISSO and ISSM. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. Comment The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
Check The organization conducting the inspection/assessment interviews at a minimum, the ISSO and ISSM to ensure the SAR has been received. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM.
CCI-002071
Assessment Objective CA-2(d)
Rule The organization defines the individuals or roles to whom the results of the security control assessment is to be provided.
Discussion DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM.
CCI-000255
Assessment Objective CA-2(1)
Rule The organization employs assessors or assessment teams with organization-defined level of independence to conduct security control assessments of organizational information systems.
Discussion The organization being inspected/assessed will employ assessors and assessor teams with the level of independence defined in CA-2(1), CCI 2064 to conduct security control assessments of organizational information systems.
Check The organization conducting the inspection/assessment obtains and examines the level of independence defined in CA-2(1), CCI 2064 to ensure that they, as the assessor, meet the required level of independence.
CCI-002063
Assessment Objective CA-2(1)
Rule The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.
Discussion The organization being inspected/assessed defines and documents the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. DoD has determined the level of independence is not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented level of independence to ensure the organization being inspected/assessed defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. DoD has determined the level of independence is not appropriate to define at the Enterprise level.
CCI-000256
Assessment Objective CA-2(2)
Rule The organization includes as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency.
Discussion The organization being assessed/inspected must document how they will annually conduct tests and exercises of the implemented security controls in their security assessment plan. The tests and exercises may consist of activities such as in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; or other forms of security assessment defined in CA-2 (2), CCI 1582. Vulnerability scans are not the same as penetration testing. DoD has defined the frequency as annually.
Check The organization conducting the inspection/assessment obtains and examines the test and exercise plan documented in the security assessment plan as well as the results of one or more of the latest security assessments to ensure the organization being inspected/assessed is conducting the assessments required in their security assessment plan annually. DoD has defined the frequency as annually.
CCI-001582
Assessment Objective CA-2(2)
Rule The organization defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments.
Discussion The organization being inspected/assessed defines and documents other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented other forms of security assessments to ensure the organization being inspected/assessed defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.
CCI-001583
Assessment Objective CA-2(2)
Rule The organization selects announced or unannounced assessments for each form of security control assessments.
Discussion The organization being inspected/assessed selects and documents whether announced or unannounced assessments are required for each form of security control assessment that was selected as part of CA-2 (2), CCI 2064. DoD has determined the announced or unannounced nature of the assessments is not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented list of security control assessment techniques defined in CA-2 (2), CCI 2064 and verifies that the security assessment plan defines whether the assessment is announced or unannounced.
CCI-002064
Assessment Objective CA-2(2)
Rule The organization selects one or more security assessment techniques to be conducted.
Discussion The organization being inspected/assessed selects and documents one or more security assessment techniques to be conducted. Techniques include in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing, as well as any other techniques identified in CA-2 (2), CCI 1582. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the selected list of assessment techniques that are to be conducted to ensure the selections have been documented.
CCI-002065
Assessment Objective CA-2(2)
Rule The organization defines the frequency to conduct security control assessments.
Discussion DoD has defined the frequency as at least annually.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually.
CCI-000257
Assessment Objective CA-3(a)
Rule The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
Discussion The organization being inspected/assessed will develop and certify, by appropriate signatures (e.g., AO, network managers), Interconnection Security Agreements (e.g., MOU, MOA, SLA) authorizing the connection of its information systems to other information systems. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
Check The organization conducting the inspection/assessment obtains and examines documentation of the Interconnection Security Agreements to include appropriate signatures. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
CCI-000258
Assessment Objective CA-3(b)
Rule The organization documents, for each interconnection, the interface characteristics.
Discussion The organization being inspected/assessed will document the interface characteristics for each interconnection. Use of external reporting databases for these characteristics when tied to the specific interconnection is acceptable (e.g., ports, protocols, and services). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
Check The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
CCI-000259
Assessment Objective CA-3(b)
Rule The organization documents, for each interconnection, the security requirements.
Discussion The organization being inspected/assessed will, for each interconnection, identify and document any additional security controls to be implemented to protect the confidentiality, integrity, and availability of the connected systems and the data passing between them. Controls should be appropriate for the systems to be connected and the environment in which the interconnection will operate. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
Check The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation, specifically looking at any additional security controls identified for implementation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
CCI-000260
Assessment Objective CA-3(b)
Rule The organization documents, for each interconnection, the nature of the information communicated.
Discussion The organization being inspected/assessed will document in the interconnection security agreement the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g., PII, HIPAA, FOUO, financial data, etc.). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
Check The organization conducting the inspection/assessment obtains and examines the interconnection security agreement documentation, specifically to identify the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g., PII, HIPAA, FOUO, financial data, etc.). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves.
CCI-002083
Assessment Objective CA-3(c)
Rule The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency.
Discussion The organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually. The organization must maintain an audit trail of reviews and updates. DoD has defined the frequency as at least annually.
Check The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually. DoD has defined the frequency as at least annually.
CCI-002084
Assessment Objective CA-3(c)
Rule The organization defines the frequency that reviews and updates to the Interconnection Security Agreements must be conducted.
Discussion DoD has defined the frequency as at least annually.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually.
CCI-000262
Assessment Objective CA-3(1)
Rule The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.
Discussion The organization being inspected/assessed documents, in its policy and procedures addressing information system connections, that the organization prohibits all unclassified NSS from having a direct connection to an external network without the use of a boundary protection device defined in CA-3(1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS.
Check The organization conducting the inspection/assessment obtains and examines policy document prohibiting direct connection of all unclassified NSS to external networks without the use of a boundary protection device defined in CA-3(1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS.
CCI-002072
Assessment Objective CA-3(1)
Rule The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
Discussion DoD has defined the unclassified, national security systems as all unclassified NSS.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the unclassified, national security systems as all unclassified NSS.
CCI-002073
Assessment Objective CA-3(1)
Rule The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.
Discussion The organization being inspected/assessed defines and documents the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level.
CCI-000263
Assessment Objective CA-3(2)
Rule The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device.
Discussion The organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3(2), CCI 2074.
Check The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3(2), CCI 2074.
CCI-002074
Assessment Objective CA-3(2)
Rule The organization defines the boundary protection device to be used for the direct connection of a classified, national security system to an external network.
Discussion The organization being inspected/assessed defines and documents the boundary protection device to be used for the direct connection of a classified, national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used for the direct connection of a classified, national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level.
CCI-002080 ↩
Assessment Objective CA-3(5)
Rule The organization employs either an allow-all, deny-by-exception or deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
Discussion The organization being inspected/assessed configures the information system to employ a deny-all, permit-by-exception policy for allowing any systems requiring external connectivity to connect to external information systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2080. DoD has defined the information systems as any systems requiring external connectivity.
Check The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ a deny-all, permit-by-exception policy for allowing any systems requiring external connectivity to connect to external information systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2080. DoD has defined the information systems as any systems requiring external connectivity.
CCI-002081 ↩
Assessment Objective CA-3(5)
Rule The organization defines the information systems that employ either an allow-all, deny-by-exception or deny-all, permit-by-exception policy for allowing connection to external information systems.
Discussion DoD has defined the information systems as any systems requiring external connectivity.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information systems as any systems requiring external connectivity.
CCI-002082 ↩
Assessment Objective CA-3(5)
Rule The organization selects either an allow-all, deny-by-exception or deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
Discussion The organization being inspected/assessed selects a deny-all, permit-by-exception policy for allowing any systems requiring external connectivity to connect to external information systems. DoD has defined the information systems as any systems requiring external connectivity.
Check The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed selects a deny-all, permit-by-exception policy for allowing any systems requiring external connectivity to connect to external information systems. DoD has defined the information systems as any systems requiring external connectivity.
CCI-000264 ↩
Assessment Objective CA-5(a)
Rule The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Discussion The organization being inspected/assessed will develop a security POA&M in accordance with DoDI 8510.01 Enclosure 6. POA&M templates are available on the Knowledge Service.
Check The organization conducting the inspection/assessment obtains and examines the security POA&M for compliance with DoDI 8510.01.
CCI-000265 ↩
Assessment Objective CA-5(b)
Rule The organization defines the frequency to update existing plan of action and milestones for the information system.
Discussion DoD has defined the frequency as at least every 90 days.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least every 90 days.
CCI-000266 ↩
Assessment Objective CA-5(b)
Rule The organization updates, on an organization-defined frequency, existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Discussion The organization being inspected/assessed will update the POA&M at least every 90 days. The updates are to be based upon the assessment of the identified vulnerabilities and weaknesses, prioritization of the vulnerabilities and weaknesses, progress being made in addressing and resolving the security weaknesses and vulnerabilities found in programs and systems, and continuous monitoring activities. DoD has defined the frequency as at least every 90 days.
Check The organization conducting the inspection/assessment obtains and examines the current POA&M. The objective is to validate that the organization is providing updates to the POA&M at least every 90 days. A review of the POA&M that results in no change must still be documented (i.e., by adding the review date to the POA&M header information). DoD has defined the frequency as at least every 90 days.
CCI-000270 ↩
Assessment Objective CA-6(a)
Rule The organization assigns a senior-level executive or manager as the authorizing official for the information system.
Discussion The organization being inspected/assessed will assign a senior-level executive or manager to the official role, with the responsibility, for authorizing the information system(s). The assignment must be in writing and IAW DoDI 8510.01 (i.e., an appointment memorandum).
Check The organization conducting the inspection/assessment obtains and examines the written appointment memorandum.
CCI-000271 ↩
Assessment Objective CA-6(b)
Rule The organization ensures the authorizing official authorizes the information system for processing before commencing operations.
Discussion The organization being inspected/assessed will ensure that an authorization document (e.g., authorization to operate (ATO), interim authorization to operate (IATO)) has been issued by the authorizing official (AO) prior to placing the information system into an operational status.
Check The organization conducting the inspection/assessment obtains and examines the authorization document to ensure the information system is authorized prior to being placed into operational status.
CCI-000272 ↩
Assessment Objective CA-6(c)
Rule The organization updates the security authorization on an organization-defined frequency.
Discussion The organization being inspected/assessed updates the security authorization at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates.
Check The organization conducting the inspection/assessment obtains and examines the security authorization documentation to confirm the security authorization has been updated within the last three years, when there was a significant change to the system, or if there was a change to the environment in which the system operates. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates.
CCI-000273 ↩
Assessment Objective CA-6(c)
Rule The organization defines the frequency of updating the security authorization.
Discussion DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates.
Check The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates.
CCI-000274 ↩
Assessment Objective CA-7
Rule The organization develops a continuous monitoring strategy.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002087 ↩
Assessment Objective CA-7(a)
Rule The organization establishes and defines the metrics to be monitored for the continuous monitoring program.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002088 ↩
Assessment Objective CA-7(b)
Rule The organization establishes and defines the frequencies for continuous monitoring.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002089 ↩
Assessment Objective CA-7(b)
Rule The organization establishes and defines the frequencies for assessments supporting continuous monitoring.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-000279 ↩
Assessment Objective CA-7(c)
Rule The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002090 ↩
Assessment Objective CA-7(d)
Rule The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002091 ↩
Assessment Objective CA-7(e)
Rule The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002092 ↩
Assessment Objective CA-7(f)
Rule The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-000280 ↩
Assessment Objective CA-7(g)
Rule The organization implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles on an organization-defined frequency.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-000281 ↩
Assessment Objective CA-7(g)
Rule The organization defines the frequency to report the security status of organization and the information system to organization-defined personnel or roles.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-001581 ↩
Assessment Objective CA-7(g)
Rule The organization defines personnel or roles to whom the security status of organization and the information system should be reported.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-000282 ↩
Assessment Objective CA-7(1)
Rule The organization employs assessors or assessment teams with organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002085 ↩
Assessment Objective CA-7(1)
Rule The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis.
Discussion Future DoD-wide CM guidance to be published
Check Future DoD-wide CM guidance to be published
CCI-002093 ↩
Assessment Objective CA-8
Rule The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components.
Discussion The organization being inspected/assessed documents and implements a process to conduct penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095. The organization must maintain a record of penetration test results.
Check The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of the penetration test results to ensure the organization being inspected/assessed conducts penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095.
CCI-002094 ↩
Assessment Objective CA-8
Rule The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.
Discussion The organization being inspected/assessed defines and documents the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level.
CCI-002095 ↩
Assessment Objective CA-8
Rule The organization defines the information systems or system components on which penetration testing will be conducted.
Discussion The organization being inspected/assessed defines and documents the information systems or system components on which penetration testing will be conducted. DoD has determined the information systems or system components are not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components on which penetration testing will be conducted. DoD has determined the information systems or system components are not appropriate to define at the Enterprise level.
CCI-002101 ↩
Assessment Objective CA-9(a)
Rule The organization authorizes internal connections of organization-defined information system components or classes of components to the information system.
Discussion The organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system. The organization must maintain an audit trail of authorizations.
Check The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system.
CCI-002102 ↩
Assessment Objective CA-9(a)
Rule The organization defines the information system components or classes of components that are authorized internal connections to the information system.
Discussion The organization being inspected/assessed defines and documents the information system components or classes of components that are authorized internal connections to the information system. DoD has determined the information system components are not appropriate to define at the Enterprise level.
Check The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components or classes of components that are authorized internal connections to the information system. DoD has determined the information system components are not appropriate to define at the Enterprise level.
CCI-002103 ↩
Assessment Objective CA-9(b)
Rule The organization documents, for each internal connection, the interface characteristics.
Discussion The organization being inspected/assessed documents, for each internal connection, the interface characteristics.
Check The organization conducting the inspection/assessment obtains and examines the documented interface characteristics as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the interface characteristics.
CCI-002104 ↩
Assessment Objective CA-9(b)
Rule The organization documents, for each internal connection, the security requirements.
Discussion The organization being inspected/assessed documents, for each internal connection, the security requirements.
Check The organization conducting the inspection/assessment obtains and examines the documented security requirements as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the security requirements.
CCI-002105 ↩
Assessment Objective CA-9(b)
Rule The organization documents, for each internal connection, the nature of the information communicated.
Discussion The organization being inspected/assessed documents, for each internal connection, the nature of the information communicated.
Check The organization conducting the inspection/assessment obtains and examines the documented nature of the information communicated as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the nature of the information communicated.