NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-7(5) — Consistency Analysis
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: {{ insert: param, ca-7.5_prm_1 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). In other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate—through testing, monitoring, and analysis—that the implemented controls are operating in a consistent, coordinated, non-interfering manner.
Practitioner Notes
This enhancement requires you to check whether the security information you are collecting from various sources is consistent and reliable.
Example 1: Compare the asset counts in your SCCM/Intune inventory against your network scan results to ensure you are monitoring all devices and not missing rogue assets.
Example 2: Cross-reference Active Directory user counts with your HR system to verify that your identity data is consistent and no orphaned accounts exist.