IAO-01: Information Assurance (IA) Operations
Mechanisms exist to facilitate the implementation of cybersecurity and data protection assessment and authorization controls.
Control Question: Does the organization facilitate the implementation of cybersecurity and data protection assessment and authorization controls?
General (44)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC4.1 CC4.1-POF8 CC6.1-POF2 CC6.1-POF9 |
| COBIT 2019 | BAI03.08 |
| COSO 2017 | Principle 16 |
| CSA IoT SCF 2 | IOT-01 |
| ENISA 2.0 | SO23 SO24 |
| GovRAMP Low | CA-01 |
| GovRAMP Low+ | CA-01 |
| GovRAMP Moderate | CA-01 |
| GovRAMP High | CA-01 |
| ISO/SAE 21434 2021 | RQ-05-17 RQ-06-23 |
| ISO 27002 2022 | 5.21 |
| ISO 42001 2023 | A.6.2.5 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 4.3 MANAGE 1.1 |
| NIST 800-37 R2 | A-2 C-2 C-3 I-1 M-1 M-4 M-6 R-1 R-4 R-5 S-1 S-2 S-5 |
| NIST 800-39 | 3.2 |
| NIST 800-53 R4 | CA-1 PM-10 |
| NIST 800-53 R4 (low) | CA-1 |
| NIST 800-53 R4 (moderate) | CA-1 |
| NIST 800-53 R4 (high) | CA-1 |
| NIST 800-53 R5 (source) | CA-1 PM-10 |
| NIST 800-53B R5 (privacy) (source) | CA-1 |
| NIST 800-53B R5 (low) (source) | CA-1 |
| NIST 800-53B R5 (moderate) (source) | CA-1 |
| NIST 800-53B R5 (high) (source) | CA-1 |
| NIST 800-53 R5 (NOC) (source) | PM-10 |
| NIST 800-82 R3 LOW OT Overlay | CA-1 |
| NIST 800-82 R3 MODERATE OT Overlay | CA-1 |
| NIST 800-82 R3 HIGH OT Overlay | CA-1 |
| NIST 800-161 R1 | CA-1 PM-10 |
| NIST 800-161 R1 C-SCRM Baseline | CA-1 |
| NIST 800-161 R1 Level 1 | CA-1 PM-10 |
| NIST 800-161 R1 Level 2 | CA-1 PM-10 |
| NIST 800-161 R1 Level 3 | CA-1 |
| NIST 800-171 R2 (source) | NFO-CA-1 |
| NIST 800-171 R3 (source) | 03.12.01 |
| NIST CSF 2.0 (source) | ID.RA-01 |
| SPARTA | CM0089 |
| UN R155 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 9.1 |
| UN ECE WP.29 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 9.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAO-01 |
| SCF CORE ESP Level 1 Foundational | IAO-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAO-01 |
| SCF CORE ESP Level 3 Advanced Threats | IAO-01 |
| SCF CORE AI Model Deployment | IAO-01 |
US (22)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | COMP:SG1.SP1 TM:SG3.SP1 TM:SG3.SP2 TM:SG4.SP4 |
| US CISA CPG 2022 | 1.F 2.Q |
| US CMS MARS-E 2.0 | CA-1 PM-10 |
| US FDA 21 CFR Part 11 | 11.10 11.10(a) 11.10(b) 11.10(c) 11.10(d) 11.10(e) 11.10(f) 11.10(g) 11.10(h) 11.10(i) 11.10(j) 11.10(k) 11.10(k)(1) 11.10(k)(2) 11.300(e) |
| US FedRAMP R4 | CA-1 |
| US FedRAMP R4 (low) | CA-1 |
| US FedRAMP R4 (moderate) | CA-1 |
| US FedRAMP R4 (high) | CA-1 |
| US FedRAMP R4 (LI-SaaS) | CA-1 |
| US FedRAMP R5 (source) | CA-1 |
| US FedRAMP R5 (low) (source) | CA-1 |
| US FedRAMP R5 (moderate) (source) | CA-1 |
| US FedRAMP R5 (high) (source) | CA-1 |
| US FedRAMP R5 (LI-SaaS) (source) | CA-1 |
| US HIPAA HICP Large Practice | 9.L.C |
| US IRS 1075 | CA-1 PM-10 |
| US NISPOM 2020 | 8-200 8-201 8-202 8-303 8-610 |
| US TSA / DHS 1580/82-2022-01 | III.F III.F.1 III.F.2.a III.F.2.b |
| US - CA CCPA 2025 | 7123(c)(4)(C) |
| US - TX DIR Control Standards 2.0 | CA-1 PM-10 |
| US - TX TX-RAMP Level 1 | CA-1 |
| US - TX TX-RAMP Level 2 | CA-1 |
EMEA (13)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 9.8 |
| EMEA EU EBA GL/2019/04 | 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48) 3.6.2(70) |
| EMEA EU NIS2 Annex | 6.5.1 6.5.2(a) 6.5.3 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 7.11 |
| EMEA Israel CDMO 1.0 | 10.6 16.5 17.1 17.16 17.18 |
| EMEA Qatar PDPPL | 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-5-2 2-15-2 4-1-5 4-2-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-4-1-2 |
| EMEA Saudi Arabia SACS-002 | TPC-51 |
| EMEA South Africa | 19 60 |
| EMEA UK DEFSTAN 05-138 | 1205 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0027 ISM-0280 ISM-1525 |
| APAC India SEBI CSCRF | ID.AM.S4 PR.AA.S16 |
| APAC New Zealand HISF 2022 | HHSP68 HML67 HSUP59 |
| APAC New Zealand HISF Suppliers 2023 | HSUP59 |
| APAC New Zealand NZISM 3.6 | 2.2.5.C.01 4.4.4.C.01 4.4.5.C.01 4.4.5.C.02 4.4.5.C.03 4.4.5.C.04 4.4.6.C.01 4.4.7.C.01 4.4.7.C.02 4.4.8.C.01 4.4.8.C.02 4.4.8.C.03 4.4.8.C.04 4.4.9.C.01 4.4.10.C.01 4.4.11.C.01 4.4.12.C.01 4.4.12.C.02 4.4.12.C.03 4.4.12.C.04 4.4.12.C.05 |
| APAC Singapore MAS TRM 2021 | 5.1.2 5.4.1 5.4.2 5.4.3 5.4.4 5.6.1 5.6.2 5.6.3 5.7.1 5.7.2 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.14 |
| Americas Canada OSFI B-13 | 2.4.4 |
| Americas Canada ITSP-10-171 | 03.12.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate the implementation of cybersecurity and data protection assessment and authorization controls.
Level 1 — Performed Informally
Information Assurance (IA) is ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Pre-production security testing is decentralized.
- IT personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.
Level 2 — Planned & Tracked
Information Assurance (IA) is requirements-driven and governed at a local/regional level, but not consistently across the enterprise. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for pre-production cybersecurity and data protection control testing.
- IT personnel implement and maintain a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data protection control testing.
- IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- Business process owners (BPOs) are made aware of cybersecurity and data protection risk(s).
- IAP controls are primarily administrative in nature (e.g., policies & standards) to manage technical controls for cybersecurity and data protection requirements.
- IAP testing results in a formal risk assessment where BPOs are required to make a decision to (1) reduce, (2) avoid, (3) transfer and/or (4) accept risk(s) on behalf of the organization.
Level 3 — Well Defined
Information Assurance (IA) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for Information Assurance (IA) practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for IA.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to IA.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including IA.
- Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data protection control testing focused on the concept of “security and data protection by design and by default.”
- The IAP validates that systems/applications/services/processes are both secure and compliant.
- A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
- A Plan of Action and Milestones (POA&M), or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
- Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
- The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/or transmitted and (2) the criticality of the system/application/service/process.
- Business Process Owners (BPOs) are made aware of cybersecurity and data protection risk(s).
- IAP controls are primarily administrative in nature (e.g., policies & standards) to manage technical controls for cybersecurity and data protection requirements.
- IAP testing results in a formal risk assessment where BPOs are required to make a decision to (1) reduce, (2) avoid, (3) transfer and/or (4) accept risk(s) on behalf of the organization.
Level 4 — Quantitatively Controlled
Information Assurance (IA) is metrics-driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in the review process for proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of cybersecurity and data protection assessment and authorization controls.
Assessment Objectives
- IAO-01_A01 an Information Assurance (IA) process is implemented for conducting cybersecurity / data privacy testing, training and monitoring activities associated with systems, applications and services.
- IAO-01_A02 the Information Assurance (IA) program is organization-wide.
- IAO-01_A03 the authorization processes are integrated into an organization-wide Risk Management Program (RMP).
- IAO-01_A04 the cybersecurity / data privacy security state of organizational systems and the environments in which those systems operate are managed through authorization processes.
- IAO-01_A05 individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process.
- IAO-01_A06 information assurance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
- IAO-01_A07 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support information assurance management operations.
- IAO-01_A08 responsibility and authority for the performance of information assurance management-related activities are assigned to designated personnel.
- IAO-01_A09 personnel performing information assurance management-related activities have the skills and knowledge needed to perform their assigned duties.
Evidence Requirements
- E-IAO-01 Information Assurance Program (IAP): Documented evidence of an Information Assurance Program (IAP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards.
Information Assurance
Technology Recommendations
Micro/Small
- Controls Validation Testing (CVT)
Small
- Controls Validation Testing (CVT)
Medium
- Controls Validation Testing (CVT)
- Information Assurance (IA) program
- VisibleOps security management
Large
- Controls Validation Testing (CVT)
- Information Assurance (IA) program
- VisibleOps security management
Enterprise
- Controls Validation Testing (CVT)
- Information Assurance (IA) program
- VisibleOps security management