FedRAMP - Specialized Assessments CA-2(2)


Overview:
The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].


Supplemental Guidance:
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels, as a means of focusing actions that improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Vulnerabilities uncovered during these assessments should be fed into the organization's vulnerability remediation process (see SI-2) rather than tracked only in the assessment report.


Related controls: PE-3, SI-2.


Action Items:
1) Define specialized assessments that target individual security domains or specific processes (for example, vulnerability scanning of the system's components, monitoring of a given security function, or malicious user testing of an application) and that measure the effectiveness of the controls in that domain; document in the System Security Plan which assessment types are used, whether they are announced or unannounced, and how often they are performed.


Related Documents:
1) Security Assessment and Authorization Policy

2) System Security Plan


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CA-2 (2) [organization-defined frequency]: at least annually

Moderate Additional FedRAMP Requirements and Guidance
CA-2 (2) Requirement: The selections must include 'announced' and 'vulnerability scanning'; that is, at the Moderate baseline the specialized assessment must at minimum be an announced vulnerability scan performed at least annually. Additional assessment types (e.g., unannounced testing, in-depth monitoring, malicious user testing) may be included beyond this minimum.

Article ID: 628
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/fedramp-specialized-assessments-ca-2-2-628.html