NIST 800-53 r5 · Controls catalogue · Family CA
CA-2 Control Assessments
- Select the appropriate assessor or assessment team for the type of assessment to be conducted;
- Develop a control assessment plan that describes the scope of the assessment, including:
  - Controls and control enhancements under assessment;
  - Assessment procedures to be used to determine control effectiveness; and
  - Assessment environment, assessment team, and assessment roles and responsibilities;
- Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
- Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
- Produce a control assessment report that documents the results of the assessment; and
- Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (5)
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Control assessments determine if authorization is enforced for functions and resources, detecting missing authorization weaknesses. |
| CWE-284 | Improper Access Control | 4,832 | Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation. |
| CWE-287 | Improper Authentication | 4,730 | Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts. |
| CWE-863 | Incorrect Authorization | 3,234 | The assessment evaluates authorization logic and enforcement, identifying incorrect authorization that could be exploited. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Assessments review permission assignments on critical resources to confirm correctness, mitigating exploitation via incorrect permissions. |
| CWE-693 | Protection Mechanism Failure | 476 | Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation. |
| CWE-358 | Improperly Implemented Security Check for Standard | 117 | Assessments identify and document improperly implemented security checks, allowing fixes that reduce exploitation of flawed checks. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |