fedramp-tailored
Security Assessment Summary
Is CA-2 asking for something like a dedicated Security Council that creates and carries out a dedicated plan for annual reviews of the overall global security of the product/service?
If the question is in reference to CA-2.a: Determine if the organization: Develops a security assessment plan that describes the scope of the assessment including:
• security controls and control enhancements under assessment
• assessment procedures to be used to determine security control effectiveness
• assessment environment
• assessment team
• assessment roles and responsibilities
If you are questioning what the "assessment team" and the "assessment roles and responsibilities" are, then the assessment team is a group of folks that the Authorizing Official (AO) has appointed and agreed are responsible for assessing residual risk to the system and reporting the risk status to him/her. These people/assessment team should have an understanding about security and 800-53 current version. They do not have to be a Security Council but this group should have a plan for completing annual assessments and continuous monitoring of the system. The rigor applied to the annual assessments and continuous monitoring should be in relation to the risk accepted by the AO.
Does that help answer your question? We are happy to jump on a call as well to help answer your question over the phone if my response did not sufficiently answer your question above.