CA-2: Control Assessments
From NIST's SP800-53:
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
   1. Controls and control enhancements under assessment;
   2. Assessment procedures to be used to determine control effectiveness; and
   3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
e. Produce a control assessment report that documents the results of the assessment; and
f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
SP800-53 Control Mapped to NIST Cybersecurity Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
CSF Subcategory ID | Description |
---|---|
RS.CO-3 | Information is shared consistent with response plans |
DE.DP-2 | Detection activities comply with all applicable requirements |
DE.DP-4 | Event detection information is communicated |
ID.RA-1 | Asset vulnerabilities are identified and documented |
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
PR.IP-7 | Protection processes are improved |
DE.DP-3 | Detection processes are tested |
DE.DP-5 | Detection processes are continuously improved |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1195 | Supply Chain Compromise | Initial Access |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1195.002 | Compromise Software Supply Chain | Initial Access |