compliance controls are associated with this Policy definition 'Accept assessment results' (3054c74b-9b45-2581-56cf-053a1a716c39)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-2(3) | FedRAMP_High_R4_CA-2(3) | FedRAMP High CA-2 (3) | Security Assessment And Authorization | External Organizations | Shared | n/a | The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. Supplemental Guidance: Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. | link | 1 |
| FedRAMP_Moderate_R4 | CA-2(3) | FedRAMP_Moderate_R4_CA-2(3) | FedRAMP Moderate CA-2 (3) | Security Assessment And Authorization | External Organizations | Shared | n/a | The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. Supplemental Guidance: Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. | link | 1 |
| hipaa | 0125.05a3Organizational.2-05.a | hipaa-0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a | 01 Information Protection Program | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Shared | n/a | Annual risk assessments are performed by an independent organization. | | 8 |
| hipaa | 0177.05h1Organizational.12-05.h | hipaa-0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h | 01 Information Protection Program | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Shared | n/a | An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. | | 5 |
| hipaa | 1796.10a2Organizational.15-10.a | hipaa-1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a | 17 Risk Management | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Commercial products other than operating system software used to store and/or process covered information undergo a security assessment and/or security certification by a qualified assessor prior to implementation. | | 6 |
| NIST_SP_800-53_R4 | CA-2(3) | NIST_SP_800-53_R4_CA-2(3) | NIST SP 800-53 Rev. 4 CA-2 (3) | Security Assessment And Authorization | External Organizations | Shared | n/a | The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. Supplemental Guidance: Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. | link | 1 |
| NIST_SP_800-53_R5 | CA-2(3) | NIST_SP_800-53_R5_CA-2(3) | NIST SP 800-53 Rev. 5 CA-2 (3) | Assessment, Authorization, and Monitoring | Leveraging Results from External Organizations | Shared | n/a | Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. | link | 1 |