NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-7(1) — Independent Assessment
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.
Practitioner Notes
This enhancement requires that independent assessors take part in your continuous monitoring program, rather than relying solely on your internal IT team performing self-assessments.
Example 1: Contract with an independent assessor to review a sample of your security controls each quarter, rotating through the full control set over the year.
Example 2: Have your internal audit team (separate from IT) independently validate the accuracy of your continuous monitoring reports before they go to the authorizing official.