CoreOS 4.x - Security Assessment and Authorization

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

Control   Status          Name
CA-1      not applicable  Security Assessment And Authorization Policy And Procedures
CA-2      not applicable  Security Assessments
CA-2 (1)  not applicable  Independent Assessors
CA-2 (2)  not applicable  Specialized Assessments
CA-2 (3)  not applicable  External Organizations
CA-3      not applicable  System Interconnections
CA-3 (1)  not applicable  Unclassified National Security System Connections
CA-3 (2)  not applicable  Classified National Security System Connections
CA-3 (3)  not applicable  Unclassified Non-National Security System Connections
CA-3 (4)  not applicable  Connections To Public Networks
CA-3 (5)  planned         Restrictions On External System Connections
CA-4      not applicable  Security Certification
CA-5      planned         Plan Of Action And Milestones
CA-5 (1)  not applicable  Automation Support For Accuracy / Currency
CA-6      not applicable  Security Authorization
CA-7      planned         Continuous Monitoring
CA-7 (1)  not applicable  Independent Assessment
CA-7 (2)  not applicable  Types Of Assessments
CA-7 (3)  not applicable  Trend Analyses
CA-8      not applicable  Penetration Testing
CA-8 (1)  not applicable  Independent Penetration Agent Or Team
CA-8 (2)  not applicable  Red Team Exercises
CA-9      planned         Internal System Connections
CA-9 (1)  planned         Security Compliance Checks




CA-1: Security Assessment And Authorization Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CA-1 Control Response Information
Implementation Status:

not applicable

CA-1: What is the solution and how is it implemented?

Establishing organizational security assessment and authorization policy and procedures is outside the scope of CoreOS configuration guidance.




CA-2: Security Assessments

The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

CA-2 Control Response Information
Implementation Status:

not applicable

CA-2: What is the solution and how is it implemented?

Development of an organizational security assessment plan is outside the scope of CoreOS configuration guidance.

As a supplemental note, the NIST National Checklist for CoreOS is the recommended source of configuration guidance for US Government deployments. NIST National Checklists applicable to Red Hat technologies are published in the NIST National Checklist Program repository:

https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

The NIST National Checklist for CoreOS provides SCAP-formatted automation content that can be used to perform the control assessment required by CA-2(b), and is interoperable with any NIST SCAP Validated Product or Module.

Additionally, SCAP scanners produce a results file and a compliance report that can serve as evidence for the security assessment report required by CA-2(c). Note that such a scan evidences only the technical configuration checks in the benchmark: rules reported as notchecked (rules with no automated check) and the organizational elements of CA-2(a) still require an assessment procedure defined by the organization.
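As an added illustration of how SCAP scan results feed an assessment report (this is example code written for this page, not ComplianceAsCode content or oscap output; the XCCDF document embedded below is constructed, and its benchmark, profile and rule identifiers are hypothetical placeholders), the following Python parses an XCCDF 1.2 results document of the kind `oscap xccdf eval --results` writes and reduces it to per-result counts, the pass rate over evaluated rules, and a severity-ordered list of failed rules that can seed a plan of action and milestones (CA-5):

```python
"""Summarize an XCCDF 1.2 results document into the figures an assessment report needs.

Added example, not ComplianceAsCode content. The sample document below is
constructed for illustration; every identifier in it is a hypothetical placeholder.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by SCAP 1.2/1.3 data streams and oscap results files.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: the TestResult part of what `oscap xccdf eval --results` writes,
# trimmed to what the report needs. The ids are placeholders, not real benchmark rules.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample" start-time="2023-01-01T00:00:00" end-time="2023-01-01T00:01:00">
    <profile idref="xccdf_example_profile_sample"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_foo_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_selinux_state" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_manual_review" severity="low">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_not_applicable_here" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return a list of (rule_id, severity, result) for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result_el = rr.find("x:result", ns)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Count rule results per XCCDF result value (pass, fail, notchecked, notapplicable, ...)."""
    return Counter(result for _, _, result in rows)


def findings(rows):
    """Failed or errored rules, highest severity first: the raw material for a POA&M (CA-5)."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
    failed = [r for r in rows if r[2] in ("fail", "error")]
    return sorted(failed, key=lambda r: (order.get(r[1], 4), r[0]))


def pass_rate(rows):
    """Share of evaluated rules that passed; notapplicable, notselected and notchecked
    rules are excluded so that manual rules are never silently counted as passing."""
    evaluated = [r for r in rows if r[2] in ("pass", "fail", "error")]
    if not evaluated:
        return 0.0
    passed = sum(1 for r in evaluated if r[2] == "pass")
    return passed / len(evaluated)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print("result counts:", dict(summarize(rows)))
    print("pass rate of evaluated rules: %.0f%%" % (100 * pass_rate(rows)))
    for rule_id, sev, res in findings(rows):
        print("FINDING [%s] %s: %s" % (sev, rule_id, res))
```

The notchecked and notapplicable rows are carried through to the summary rather than folded into the pass rate, so a report built from this output shows how much of the benchmark was actually evaluated by the scanner and how much still needs manual assessment.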




CA-2 (1): Independent Assessors

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.”

CA-2 (1) Control Response Information
Implementation Status:

not applicable

CA-2 (1): What is the solution and how is it implemented?

Employment of independent assessors or assessment teams is outside the scope of CoreOS configuration guidance.




CA-2 (2): Specialized Assessments

“The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].”

CA-2 (2) Control Response Information
Implementation Status:

not applicable

CA-2 (2): What is the solution and how is it implemented?

Specialized security assessments are outside the scope of CoreOS configuration guidance.




CA-2 (3): External Organizations

“The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].”

CA-2 (3) Control Response Information
Implementation Status:

not applicable

CA-2 (3): What is the solution and how is it implemented?

Organizational acceptance of the results of an assessment performed by an external organization is outside the scope of CoreOS configuration guidance.




CA-3: System Interconnections

The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

CA-3 Control Response Information
Implementation Status: