CA — Assessment, Authorization, and Monitoring
CA is the family that decides whether any of the rest of the catalog mattered. AC, AU, SC, and the others describe controls a system is supposed to have. CA is the machinery that checks whether those controls are real, writes down what failed, and gets a human with signature authority to accept the residual risk. If the other families are the engine, CA is the inspection sticker. It is also the family most directly bolted to the RMF process itself, which is why getting its vocabulary right matters more here than almost anywhere else in 800-53.

First, the rename, because the page slug lies to you. In Rev 4 this family was “Security Assessment and Authorization.” Rev 5 renamed it to Assessment, Authorization, and Monitoring — the word “Security” dropped, “Monitoring” added to the title to reflect that CA-7 had grown into the spine of ongoing authorization. The URL you reached this page through still carries the Rev 4 name (ca-security-assessment-and-authorization), and that’s a permanence artifact, not a statement about the current catalog. The AC family’s cross-links still point here under the old title too. If you see an SSP or an eMASS export labeling the family the Rev 4 way, it isn’t exactly wrong; it’s just quoting a version of the catalog that has been superseded since 2020.
Where CA sits in the RMF
The other catalog families get pulled into a system at Select, get built and narrated at Implement, and get graded at Assess. CA is different. CA controls describe the Assess, Authorize, and Monitor steps of SP 800-37 themselves. CA-2 is the Assess step written as a control. CA-6 is the Authorize step. CA-7 is the Monitor step. So when you implement CA, you are documenting how your organization runs the back half of its own RMF, which is a slightly recursive thing to wrap your head around the first time.
That recursion is the reason CA narratives go generic so fast. It’s tempting to write CA-2 as “we conduct security assessments” and move on, because the control is describing the assessment you’re currently sitting inside. Resist. An assessor reading your CA-2 implementation wants to know who assesses, against what procedure, producing which artifact, on what trigger.
What’s in the family, CA-1 through CA-9
The live controls, with corrections for the things the Rev 4-era stubs floating around the internet keep getting wrong:
- CA-1, Policy and Procedures. Rev 5 collapsed every family’s -1 to the plain name “Policy and Procedures.” It is no longer “Security Assessment and Authorization Policy and Procedures.” Same boring, mandatory role as every other -1.
- CA-2, Control Assessments. The control that produces the SAR (Security Assessment Report). CA-2(1) requires assessor independence, CA-2(2) covers specialized assessments like in-depth monitoring or red-team work, and CA-2(3) is the reciprocity hook for accepting external assessment results so you aren’t re-testing a control someone else already authorized.
- CA-3, Information Exchange. Renamed in Rev 5 from “System Interconnections.” The broadening is real, not cosmetic: it now covers information exchange agreements generally, not just the ISA-style box-to-box interconnect. ISAs and MOUs still live here. It ties straight to SC-7 boundary protection and AC-4 flow enforcement.
- CA-4, withdrawn. Rev 5 retired CA-4 and folded it into CA-2. There is no live CA-4. If an SSP cites CA-4 as the POA&M control, that’s a Rev 4 artifact and the numbering downstream is probably shifted too. This is the single most common factual error I see in CA write-ups.
- CA-5, Plan of Action and Milestones. The POA&M control. CA-5(1) pushes toward automated tracking. This is where assessment findings go to either get fixed or get a defensible deferral date.
- CA-6, Authorization. The ATO decision and the Authorizing Official who signs it. CA-6(1) covers joint authorization within an organization. CA-6 is also where the authorization boundary gets pinned down, which matters more than people give it credit for.
- CA-7, Continuous Monitoring. ConMon, and the bridge to ongoing authorization. CA-7(1) brings in independent assessment, CA-7(4) adds explicit risk monitoring. In FedRAMP land this is the control with teeth: monthly scans, monthly POA&M deltas, deviation requests.
- CA-8, Penetration Testing. High-baseline. CA-8(1) is an independent penetration agent, CA-8(2) is red-team exercises. Distinct from RA-5 scanning in a way worth being precise about (below).
- CA-9, Internal System Connections. The control the bad stubs omit entirely. It governs connections between components inside your authorization boundary, the ones that don’t need a full CA-3 agreement because they’re internal. Ties to your CM inventory and, again, to SC-7.
On baselines: CA-2, CA-3, CA-5, CA-6, CA-7, and CA-9 are allocated across Low/Moderate/High in SP 800-53B (the catalog stopped carrying baselines in Rev 5; they moved out into 800-53B). CA-8 is the outlier — penetration testing lands at the High baseline, not below it. CA-9 is broadly allocated, which surprises people who think of internal-connection documentation as a High-water concern.
Deeper: the SAR, the POA&M, and the ATO are three artifacts, not one workflow blur.
The SAR (CA-2) is the assessor’s verdict — each control rated Satisfied or Other Than Satisfied, with the evidence and the gaps. The assessor writes it; the system owner does not get to edit the findings. The POA&M (CA-5) is the owner’s response to the Other-Than-Satisfied rows: what’s getting fixed, by when, and what compensating control covers the gap until then. The ATO (CA-6) is the Authorizing Official reading the SAR and the POA&M together and deciding the residual risk is acceptable enough to operate. Three documents, three different authors, three different moments. SSPs that smear them into one “we assess and authorize our systems” sentence are telling an assessor that the org doesn’t actually separate the roles, and separation of those roles is half the point of the framework. The cleanest tell of a mature shop is a SAR whose findings the system owner clearly didn’t get to soften.
What an assessor actually checks
| Control | Typical first live at | What an assessor actually checks |
|---|---|---|
| CA-2 | Low | The SAR exists, is current, and was produced by an assessor with documented independence (CA-2(1)). Findings trace to evidence, not assertions. |
| CA-3 | Low | Every external information exchange has a signed agreement, and the agreements match what SC-7 and AC-4 actually enforce at the boundary. |
| CA-5 | Low | POA&M items map one-to-one to open SAR findings and to RA-5 scan results. Milestone dates that have slipped three times get questioned. |
| CA-6 | Low | A signed ATO from the right AO, an authorization boundary that matches the SSP diagram, and an expiration or ongoing-authorization basis. |
| CA-7 | Low | A real ConMon plan with a cadence, not a paragraph. Evidence that the cadence is being met — scan dates, monthly POA&M updates. |
| CA-8 | High | Pen test was performed by a qualified, independent agent (CA-8(1)), scoped beyond an automated scan, with findings fed back into CA-5. |
| CA-9 | Low | Internal component connections are enumerated and reconciled against the CM hardware/software inventory. |
Treat “first live at” as directional. Your overlay moves it, and FedRAMP in particular pulls several CA enhancements down below their bare 800-53B allocation.
Where it goes brittle
CA-2 versus everything that isn’t an assessment. CA-2 is the grading. It is not the SA family, which is the building of the system. It is not RA-5, which is the scanning that feeds findings into the grade. The line that blurs most is CA-2 versus RA-5: a vulnerability scan is an input to an assessment, not the assessment itself. An SSP that points CA-2 at “we run Tenable monthly” has confused the evidence source with the verdict.
CA-5 as a date-slip ledger. Here’s the flag I’ll plant. Most POA&Ms are not risk decisions, they are date-management exercises. A finding lands, it gets a remediation date ninety days out, the date arrives, the work didn’t happen, the date slides another ninety. Repeat for two years. The POA&M is current — every row has a future date, the artifact looks healthy — and not a single one of those dates encodes a real engineering commitment. An assessor who sorts the POA&M by original-finding-date and counts the re-baselines will find the rot in about four minutes. The honest version of CA-5 has fewer, uglier rows: a real fix date or an explicit accepted-risk decision with the AO’s name on it, not an infinitely renewable IOU.
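The sort-and-count pass described above, as an added example that is not part of the original page and not code from FedRAMP, eMASS, or any POA&M tool. It assumes a POA&M export where every re-baseline is kept as a separate revision of the row (the `Milestone` fields, the `max_slips` threshold, the ids and the dates are all constructed placeholders); given that history, it counts how often each item's completion date moved, lists open items oldest-finding-first, and separately flags risk acceptances that carry no AO name.

```python
"""
Added example (not from the page, FedRAMP, or any POA&M tool): the assessor's
sort-and-count pass over a POA&M that separates real remediation commitments
from a date-slip ledger. Field names, the slip threshold and every row below
are constructed assumptions, not an eMASS or FedRAMP template schema.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple, Optional


class Milestone(NamedTuple):
    """One revision of one POA&M row; a re-baselined item appears once per revision."""
    poam_id: str
    source: str                        # where the finding came from: SAR (CA-2) or RA-5 scan
    detected: date                     # original finding date; never moves across revisions
    scheduled: date                    # scheduled completion date as of this revision
    status: str                        # Open / Completed / Risk Accepted
    revised: date                      # when this revision was recorded
    accepted_by: Optional[str] = None  # AO named on a risk-acceptance decision, if any


# Constructed POA&M history (placeholder ids, hosts and dates).
POAM_HISTORY = [
    Milestone("POAM-001", "RA-5 scan", date(2022, 1, 15), date(2022, 4, 15), "Open", date(2022, 1, 20)),
    Milestone("POAM-001", "RA-5 scan", date(2022, 1, 15), date(2022, 7, 15), "Open", date(2022, 4, 14)),
    Milestone("POAM-001", "RA-5 scan", date(2022, 1, 15), date(2022, 10, 15), "Open", date(2022, 7, 13)),
    Milestone("POAM-001", "RA-5 scan", date(2022, 1, 15), date(2023, 1, 15), "Open", date(2022, 10, 12)),
    Milestone("POAM-002", "SAR", date(2023, 3, 1), date(2023, 6, 1), "Completed", date(2023, 6, 2)),
    Milestone("POAM-003", "SAR", date(2023, 3, 1), date(2023, 9, 1), "Risk Accepted", date(2023, 3, 5),
              accepted_by="AO-PLACEHOLDER"),
    Milestone("POAM-004", "RA-5 scan", date(2023, 8, 1), date(2023, 11, 1), "Open", date(2023, 8, 3)),
    Milestone("POAM-004", "RA-5 scan", date(2023, 8, 1), date(2024, 2, 1), "Open", date(2023, 10, 30)),
    Milestone("POAM-005", "SAR", date(2023, 3, 1), date(2023, 9, 1), "Risk Accepted", date(2023, 9, 2)),
]

ASSESSMENT_DATE = date(2024, 1, 10)  # constructed "as of" date for the review


def latest_revisions(history):
    """Most recent revision of each POA&M item, keyed by id."""
    latest = {}
    for row in sorted(history, key=lambda r: r.revised):
        latest[row.poam_id] = row
    return latest


def rebaseline_counts(history):
    """How many times each item's scheduled completion date has moved."""
    dates = defaultdict(list)
    for row in sorted(history, key=lambda r: r.revised):
        dates[row.poam_id].append(row.scheduled)
    return {pid: sum(1 for a, b in zip(d, d[1:]) if b != a) for pid, d in dates.items()}


def chronic_slips(history, as_of, max_slips=2):
    """Open items, oldest finding first, that have been re-baselined more than
    max_slips times or are already past their current scheduled date."""
    counts = rebaseline_counts(history)
    flagged = []
    for pid, row in latest_revisions(history).items():
        if row.status != "Open":
            continue
        slips = counts[pid]
        overdue = as_of > row.scheduled
        if slips > max_slips or overdue:
            flagged.append({
                "id": pid, "source": row.source, "detected": row.detected,
                "days_open": (as_of - row.detected).days,
                "slips": slips, "overdue": overdue,
            })
    flagged.sort(key=lambda r: r["detected"])  # sort by original finding date
    return flagged


def unsigned_risk_acceptances(history):
    """Risk-accepted items with no AO named: a deferral dressed up as a decision."""
    return sorted(pid for pid, row in latest_revisions(history).items()
                  if row.status == "Risk Accepted" and not row.accepted_by)


if __name__ == "__main__":
    for item in chronic_slips(POAM_HISTORY, ASSESSMENT_DATE):
        print(f"{item['id']}: detected {item['detected']}, open {item['days_open']} days, "
              f"re-baselined {item['slips']}x, overdue={item['overdue']}")
    print("risk accepted without an AO named:", unsigned_risk_acceptances(POAM_HISTORY))
```

The point of keeping revisions rather than only the current row is that a POA&M where every row shows a future date looks healthy until you can see how many times each date moved; `chronic_slips` sorts by the original finding date, which the re-baselines never touch, so the oldest rot surfaces first.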
CA-6 authorization-by-calendar. The traditional three-year ATO is theater dressed as rigor. A signature on a Tuesday means the residual risk was acceptable that Tuesday, against a SAR that was already a few months stale by signing. Nothing about the system stops changing the next morning. CA-7 plus ongoing authorization is supposed to fix this — the authorization decision becomes continuous, fed by live monitoring data instead of a triennial fire drill. Whether your org actually does ongoing authorization or just calls its annual ConMon review by that name is the question I’d ask first. The FedRAMP monthly cadence (scans, POA&M deltas, deviation requests) is the closest thing to real ongoing authorization that most shops run, and even that leans heavily on scan data standing in for a full reassessment.
CA-3 / CA-9 inventory drift. The authorization boundary on paper and the connections that actually exist diverge the moment someone stands up a new internal service and wires it to the database without updating anything. CA-3 catches the external version of this, CA-9 the internal version, and both are only as good as the CM inventory underneath them. A boundary diagram that hasn’t been touched since the last ATO is usually fiction by month six.
Cross-family ties worth keeping straight
CA doesn’t stand alone, and the assessor knows the seams. CA-5 POA&M items should reconcile against RA-5 scan findings and SI flaw-remediation records; a finding that’s open in the scanner but absent from the POA&M is a process gap. CA-7 ConMon feeds on AU audit evidence and CM-3 change records, both of which should be flowing into reauthorization decisions rather than sitting in a log nobody reads. CA-3 information exchange lives or dies on SC-7 boundary protection and AC-4 flow enforcement actually implementing what the agreements promise. CA-9 internal connections only make sense against a maintained CM inventory. And the CA-6 authorization boundary is the same line AC-20 draws for external systems — where your responsibility ends and an external provider’s begins. Get that boundary wrong in CA-6 and every inheritance claim downstream inherits the error.
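The two reconciliations called for above and in the CA-3 / CA-9 inventory-drift paragraph, as an added example that is not part of the original page and not code from any scanner, POA&M or CM tool. It assumes three constructed exports (an open-findings list from the scanner keyed by host and plugin id, the POA&M rows citing those findings, and a CM inventory plus a CA-9 connection register); all hostnames, plugin ids and POA&M ids are placeholders. It reports the scanner-versus-POA&M disagreements in both directions and the components a connection names that the inventory never recorded.

```python
"""
Added example (not the page's or any vendor's code): two reconciliations an
assessor runs across the CA seams, over constructed sample data.
  1. CA-5 POA&M against RA-5 scan output: open scanner findings with no open
     POA&M row, POA&M rows marked Completed while the scanner still reports
     the finding, and open POA&M rows the scanner no longer sees.
  2. CA-9 internal connections against the CM component inventory: components
     a connection names that the inventory does not know, and inventoried
     components with no documented connection at all.
Hostnames, plugin ids and POA&M ids are constructed placeholders.
"""

# Constructed: findings the scanner currently reports as open
SCAN_OPEN = [
    {"host": "app-01", "plugin": "PLUGIN-0001", "severity": "High"},
    {"host": "app-02", "plugin": "PLUGIN-0001", "severity": "High"},
    {"host": "db-01", "plugin": "PLUGIN-0002", "severity": "Critical"},
]

# Constructed: what the POA&M tracks, each row citing the scanner finding it covers
POAM = [
    {"id": "POAM-010", "host": "app-01", "plugin": "PLUGIN-0001", "status": "Open"},
    {"id": "POAM-011", "host": "db-01", "plugin": "PLUGIN-0002", "status": "Completed"},
    {"id": "POAM-012", "host": "web-09", "plugin": "PLUGIN-0003", "status": "Open"},
]

# Constructed: CM inventory of components inside the authorization boundary
CM_INVENTORY = {"app-01", "app-02", "db-01", "cache-01", "web-09"}

# Constructed: CA-9 internal-connection register as (source, destination, service)
CA9_CONNECTIONS = [
    ("app-01", "db-01", "5432/tcp"),
    ("app-02", "db-01", "5432/tcp"),
    ("app-01", "queue-01", "5672/tcp"),  # queue-01 was never added to the inventory
    ("web-09", "app-01", "8443/tcp"),
]


def reconcile_poam_with_scan(scan_open, poam):
    """Disagreements between what the scanner says is open and what the POA&M tracks."""
    open_findings = {(f["host"], f["plugin"]) for f in scan_open}
    tracked_open = {(r["host"], r["plugin"]) for r in poam if r["status"] == "Open"}
    closed_rows = {(r["host"], r["plugin"]): r["id"] for r in poam if r["status"] == "Completed"}
    closed_keys = set(closed_rows)
    return {
        # open in the scanner, no POA&M row at all: the process gap the text names
        "open_in_scanner_not_in_poam": sorted(open_findings - tracked_open - closed_keys),
        # closed on paper while the scanner still sees it: a closure nobody verified
        "closed_in_poam_still_open_in_scanner": sorted(
            closed_rows[k] for k in open_findings & closed_keys),
        # open on paper but not in the scanner: fixed and never closed, or a host
        # that is not being scanned; either way it needs a look
        "open_in_poam_not_in_scanner": sorted(
            r["id"] for r in poam
            if r["status"] == "Open" and (r["host"], r["plugin"]) not in open_findings),
    }


def reconcile_internal_connections(connections, inventory):
    """CA-9 register versus CM inventory: unknown components and unconnected ones."""
    referenced = set()
    unknown = []
    for src, dst, service in connections:
        referenced.update((src, dst))
        for node in (src, dst):
            if node not in inventory:
                unknown.append((node, f"{src}->{dst} {service}"))
    return {
        "not_in_inventory": sorted(unknown),
        "inventoried_without_connections": sorted(inventory - referenced),
    }


if __name__ == "__main__":
    for label, items in reconcile_poam_with_scan(SCAN_OPEN, POAM).items():
        print(f"{label}: {items}")
    for label, items in reconcile_internal_connections(CA9_CONNECTIONS, CM_INVENTORY).items():
        print(f"{label}: {items}")
```

Both checks are deliberately keyed on the identifiers the artifacts already share (host plus scanner finding id; component name), because the useful output is the list of mismatches, not a score; a component that a live connection names but the inventory lacks is exactly the boundary-diagram drift the text describes.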
The fastest way to fail a CA assessment is to write the family as if it described intentions rather than artifacts. CA is the one place in the catalog where the deliverables are concrete documents with named authors and dates. Produce the SAR, the POA&M, and the ATO; make them disagree with each other in the places real systems disagree; and the family reads as true.
Sources
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST)
- SP 800-53B, Control Baselines for Information Systems and Organizations (NIST)
- SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations (NIST)
- SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (NIST)
- FedRAMP Continuous Monitoring Strategy Guide (FedRAMP)
- DoDI 8510.01, Risk Management Framework for DoD Systems (DoD)
Adjacent material on this site
- RA, Risk Assessment (where RA-5 scan findings feed the POA&M)
- CM, Configuration Management (the inventory CA-9 and the change records CA-7 depend on)
- AU, Audit and Accountability (the evidence stream continuous monitoring runs on)
- AC, Access Control (AC-20 draws the same authorization boundary as CA-6)
- RMF control families overview
- RMF roadmap