CivicActions performs risk assessments on supplied products and services. These assessments may cover one or more controls within these families:
- Certification, Accreditation, and Security Assessments (CA)
- Planning (PL)
- Program Management (PM)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
Provide governance over a formal, documented risk assessment structure that addresses purpose, scope, controls, roles, responsibilities, management commitment, coordination and compliance.
See the CivicActions Common Control Policy.
For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the CivicActions Common Control Policy.
Initial security categorization is a collaborative and interdisciplinary activity, with all final decisions made by the Authorizing Official. Risk assessment is similarly cross-functional, with the Operations team primarily responsible, as directed by the Project Manager. The CivicActions Information Security team is consulted throughout, and the Authorizing Official seeks to minimize any need to issue waivers or risk acceptances that do not have concurrence from the Product Owner or Chief Information Security Officer.
See RA-2, RA-3.
CivicActions Operations and Information Security work together to scan all relevant portions of the product or service stack.
Access to scanning tools, scan results, and logs is broadly shared amongst the CivicActions team to ensure a rapid response to any findings. Similarly, on-demand access is granted to the Authorizing Official to aid in any systemic understanding of the system's risk posture.
See RA-5.