CA-2 Security Assessments

Description

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of:

  1. initial and ongoing security authorizations;
  2. FISMA annual assessments;
  3. continuous monitoring; and
  4. system development life cycle activities.

Security assessments:

  1. ensure that information security is built into organizational information systems;
  2. identify weaknesses and deficiencies early in the development process;
  3. provide essential information needed to make risk-based decisions as part of security authorization processes; and
  4. ensure compliance with vulnerability mitigation procedures.

Assessments are conducted on the implemented security controls from Appendix F (the main security control catalog) and Appendix G (Program Management controls) of NIST SP 800-53 Revision 4, as documented in System Security Plans and Information Security Program Plans.

Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle.

Security assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements.

The FISMA requirement for assessing security controls at least annually does not require assessment activities beyond those already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.

To satisfy annual assessment requirements, organizations can use assessment results from the following sources:

  1. initial or ongoing information system authorizations;
  2. continuous monitoring; or
  3. system development life cycle activities.

Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed.

Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies.

Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures.

External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this Control.

Applicability

This Control applies to the university Chief Information Security and Privacy Officer (CISPO), who has the authority to administer the information security functions for the entire institution and is responsible for assessing, and reporting to the President, the status and effectiveness of security controls under Texas Administrative Code 202.76, Security Control Standards Catalog [TAC 202.76(c)].

This Control is distinct from the unit security risk assessments described in RA-3 Risk Assessment.

Implementation

The TAMU-CC Chief Information Security and Privacy Officer (CISPO) shall:

  1. Develop a security assessment plan that describes the scope of the assessment, including:
    1. Security controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine security control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  2. Assess the security controls in the information system and its environment of operation annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  3. Produce a security assessment report that documents the results of the assessment; and
  4. Provide the results of the security control assessment to the University Chief Information Officer (CIO) and the University President/CEO.

In addition, a review of the TAMU-CC information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the TAMU-CC President or his or her designated representative(s).

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019