STIGhub — A free STIG search and compliance tool · STIGs updated 3 days ago
Powered by Pylon · © 2026 Beacon Cloud Solutions, Inc.

CA-2 (2)

Assessment, Authorization, and Monitoring · Rev 5 · organization

Control Assessments

Baselines:High

Control Statement

Include as part of control assessments, [Assignment: specialized assessment frequency], [Selection: organization-defined value], [Selection: organization-defined value].

Supplemental Guidance

Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).

Related Controls (2)

PE-3, SI-2

CCI Identifiers (7)

CCI-000256: Include as part of the control assessments, announced or unannounced, on an organization-defined frequency, in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or organization-defined other forms of assessment.

CCI-002065: Defines the frequency at which to conduct control assessments.

CCI-001579: The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.

CCI-001582: Defines other forms of control assessments, other than in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment, that should be included as part of the control assessments.

CCI-001583: The organization selects announced or unannounced assessments for each form of security control assessment.

CCI-001681: The organization defines the frequency at which each form of security control assessment should be conducted. (deprecated)

Linked STIG Checks (1)

Across 1 STIG.

CCI-002064: The organization selects one or more security assessment techniques to be conducted.