IAO
Information Assurance
15 controls
Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity & data privacy controls, prior to a system, application or service being used in a production environment.

| SCF # | Control Name | Weight |
|---|---|---|
| IAO-01 | Information Assurance (IA) Operations | 10 — Critical |
| IAO-01.1 | Assessment Boundaries | 9 — Critical |
| IAO-02 | Assessments | 10 — Critical |
| IAO-02.1 | Assessor Independence | 9 — Critical |
| IAO-02.2 | Specialized Assessments | 9 — Critical |
| IAO-02.3 | Third-Party Assessments | 9 — Critical |
| IAO-02.4 | Security Assessment Report (SAR) | 7 — High |
| IAO-03 | System Security & Privacy Plan (SSPP) | 7 — High |
| IAO-03.1 | Plan / Coordinate with Other Organizational Entities | 5 — Medium |
| IAO-03.2 | Adequate Security for Sensitive / Regulated Data In Support of Contracts | 7 — High |
| IAO-04 | Threat Analysis & Flaw Remediation During Development | 10 — Critical |
| IAO-05 | Plan of Action & Milestones (POA&M) | 9 — Critical |
| IAO-05.1 | Plan of Action & Milestones (POA&M) Automation | 2 — Low |
| IAO-06 | Technical Verification | 8 — High |
| IAO-07 | Security Authorization | 10 — Critical |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.