Information Technology Reference
In-Depth Information
| Category/Subcategory/Element | Control Reference | Control Summary | Interpretation |
|---|---|---|---|
| CA-5 | Plan of action and milestones | The organization develops and updates [assignment: organization-defined frequency] a plan of action and milestones for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. | |
| CA-6 | Security accreditation | The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization [assignment: organization-defined frequency, at least every three years] or when there is a significant change to the system. A senior organizational official signs and approves the security accreditation. | |
| CA-7 | Continuous monitoring | The organization monitors the security controls in the information system on an ongoing basis. | |
| CM | Configuration Management | | |
| CM-1 | Configuration management policy and procedures | The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. | |