Skip to main content

πŸ’Ό CA-1 Policy and Procedures

Description​

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:

  1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring:
  3. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  4. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

Similar​

  • Internal
    • ID: dec-c-408ca7b6

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-1 Policy and Procedures (L)(M)(H)
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-1 Policy and Procedures (L)(M)(H)
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed2
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes7
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations10
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags