Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ca-2(3)

security assessments  | external organizations

assessment objective:

Determine if the organization:

ca-2(3)[1]

defines an information system for which the results of a security assessment performed by an external organization are to be accepted;

ca-2(3)[2]

defines an external organization from which to accept a security assessment performed on an organization-defined information system;

ca-2(3)[3]

defines the requirements to be met by a security assessment performed by organization-defined external organization on organization-defined information system; and

ca-2(3)[4]

accepts the results of an assessment of an organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.

potential assessment methods and objects:

Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment requirements; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities; personnel performing security assessments for the specified external organization].