Assessment, Authorization, and Monitoring (CA)
Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
Assessment, Authorization, and Monitoring (CA)
Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].
Assessment, Authorization, and Monitoring (CA)
Level N/A
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency].
Assessment, Authorization, and Monitoring (CA)
[Withdrawn: Moved to SC-7(25).]
Assessment, Authorization, and Monitoring (CA)
[Withdrawn: Moved to SC-7(26).]
Assessment, Authorization, and Monitoring (CA)
[Withdrawn: Moved to SC-7(27).]
Assessment, Authorization, and Monitoring (CA)
[Withdrawn: Moved to SC-7(28).]
Assessment, Authorization, and Monitoring (CA)
[Withdrawn: Moved to SC-7(5).]
Assessment, Authorization, and Monitoring (CA)
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
Assessment, Authorization, and Monitoring (CA)
(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and (b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
