Comments on "How is that Assurance Evidence?: The CAG"

Comment by Anonymous, 2009-02-25 10:49 (-05:00):

I haven’t yet read the CAG so I can’t comment on that directly – YET.

I would like to comment on the high system that you mentioned. You understandably didn’t give much information, but the scoping guidelines do allow the system owner to step back some controls based upon the security objective determination. Therefore, if you had a moderate, moderate, high (C, I, A) system, you are permitted to step back the controls that deal with confidentiality and integrity to the moderate baseline, but you would still have to implement the high baseline controls for availability. Now this is also provided that you adequately document this and reference the specific tailoring guidance from 800-53 and 53A. When I’ve done this in the past I literally repeat the same verbiage for every control that is stepped back. It gets a little repetitive, but it does help out in the long run. (The system is still a High system though.)

More comments to come as I have time to read the CAG.