Information Technology Reference
In-Depth Information
Category/Subcategory/Element | Control Reference | Control Summary | Interpretation
compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.
CA-2 Security assessments
The organization conducts an assessment of the security controls in the information system [assignment: organization-defined frequency, at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
CA-3 Information system connections
The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.
CA-4 Security certification
The organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
 