CA-2 (3)

CA-2 (3) H M
Description

The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].

FedRAMP
  • H: CA-2 (3)-1 [any FedRAMP Accredited 3PAO]; CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO]; CA-2 (3)-1-3 [the conditions of the JAB/AO in the FedRAMP Repository]
  • M: CA-2 (3)-1 [any FedRAMP Accredited 3PAO]; CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO]; CA-2 (3)-1-3 [the conditions of the JAB/AO in the FedRAMP Repository]
DISA Cloud Computing SRG

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG

Supplemental Guidance

Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives.