Control statement
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
d. Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
e. Produce a control assessment report that documents the results of the assessment; and
f. Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}.
Guidance: Reference FedRAMP Annual Assessment Guidance. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Description | Category |
|---|---|---|---|
| KSI-AFR-03 | Authorization Data Sharing | Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-AFR-04 | Vulnerability Detection and Response | Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-PIY-06 | Security Investment Effectiveness | _Persistently_ review the effectiveness of the organization's investments in achieving security objectives. | Policy and Inventory |