Assessment, Authorization, and Monitoring
Control Assessments
CA-02
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: CA-02
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
- a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
- b. Develop a control assessment plan that describes the scope of the assessment including:
  - 1. Controls and control enhancements under assessment;
  - 2. Assessment procedures to be used to determine control effectiveness; and
  - 3. Assessment environment, assessment team, and assessment roles and responsibilities;
- c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
- d. Assess the controls in the system and its environment of operation [Assignment: organization-defined assessment frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
- e. Produce a control assessment report that documents the results of the assessment; and
- f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
FedRAMP Parameters
| Parameter ID | NIST assignment | FedRAMP value |
|---|---|---|
| ca-02_odp.02 | individuals or roles | individuals or roles to include FedRAMP and agency customers |
Leveraging Results from External Organizations
CA-02(03)
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: CA-02(03)
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Leverage the results of control assessments performed by [Assignment: organization-defined external organization(s)] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].
FedRAMP Parameters
| Parameter ID | NIST assignment | FedRAMP value |
|---|---|---|
| ca-02.03_odp.01 | external organization(s) | any FedRAMP Recognized independent assessment service |
Continuous Monitoring
CA-07
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: CA-07
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
- a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
- b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
- c. Ongoing control assessments in accordance with the continuous monitoring strategy;
- d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
- e. Correlation and analysis of information generated by control assessments and monitoring;
- f. Response actions to address results of the analysis of control assessment and monitoring information; and
- g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
FedRAMP Guidance
Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.
Penetration Testing
CA-08
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: CA-08
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined system(s) or system components].
FedRAMP Guidance
Penetration testing is part of vulnerability detection and is subject to the Vulnerability Detection and Response rules.