Ansible Tower - Security Assessment and Authorization

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

| Control | Name | Status |
| --- | --- | --- |
| CA-1 | Security Assessment And Authorization Policy And Procedures | not applicable |
| CA-2 | Security Assessments | not applicable |
| CA-2 (1) | Independent Assessors | not applicable |
| CA-2 (2) | Specialized Assessments | |
| CA-2 (3) | External Organizations | |
| CA-3 | System Interconnections | not applicable |
| CA-3 (1) | Unclassified National Security System Connections | |
| CA-3 (2) | Classified National Security System Connections | |
| CA-3 (3) | Unclassified Non-National Security System Connections | |
| CA-3 (4) | Connections To Public Networks | |
| CA-3 (5) | Restrictions On External System Connections | |
| CA-4 | Security Certification | |
| CA-5 | Plan Of Action And Milestones | not applicable |
| CA-5 (1) | Automation Support For Accuracy / Currency | |
| CA-6 | Security Authorization | not applicable |
| CA-7 | Continuous Monitoring | not applicable |
| CA-7 (1) | Independent Assessment | |
| CA-7 (2) | Types Of Assessments | |
| CA-7 (3) | Trend Analyses | |
| CA-8 | Penetration Testing | |
| CA-8 (1) | Independent Penetration Agent Or Team | |
| CA-8 (2) | Red Team Exercises | |
| CA-9 | Internal System Connections | not applicable |
| CA-9 (1) | Security Compliance Checks | |



CA-1: Security Assessment And Authorization Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
   1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
   2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CA-1 Control Response Information
Implementation Status:

not applicable

CA-1: What is the solution and how is it implemented?



CA-2: Security Assessments

The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
   1. Security controls and control enhancements under assessment;
   2. Assessment procedures to be used to determine security control effectiveness; and
   3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

CA-2 Control Response Information
Implementation Status:

not applicable

CA-2: What is the solution and how is it implemented?



CA-2 (1): Independent Assessors

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.”

CA-2 (1) Control Response Information
Implementation Status:

not applicable

CA-2 (1): What is the solution and how is it implemented?



CA-2 (2): Specialized Assessments

“The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].”

CA-2 (2) Control Response Information
Implementation Status:
CA-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Ansible Tower.



CA-2 (3): External Organizations

“The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].”

CA-2 (3) Control Response Information
Implementation Status:
CA-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Ansible Tower.



CA-3: System Interconnections

The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

CA-3 Control Response Information
Implementation Status:

not applicable

CA-3: What is the solution and how is it implemented?



CA-3 (1): Unclassified National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (1) Control Response Information
Implementation Status:
CA-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Ansible Tower.



CA-3 (2): Classified National Security System Connections

“The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (2) Control Response Information
Implementation Status:
CA-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Ansible Tower.



CA-3 (3): Unclassified Non-National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (3) Control Response Information
Implementation Status:
CA-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Ansible Tower.



CA-3 (4): Connections To Public Networks

“The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.”

CA-3 (4) Control Response Information
Implementation Status: