NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-7(2) Types of Assessments

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement was incorporated into CA-2. It previously specified different types of assessments (testing, examining, interviewing) that should be used during continuous monitoring.

Example 1: Include a mix of automated scanning (testing), document review (examining), and staff interviews in your continuous monitoring plan to get a complete picture.

Example 2: Use SCAP-compliant tools for automated testing of technical controls and supplement with manual interviews of system administrators for operational controls.