| Field | Detail |
|---|---|
| Control ID | CA-01 |
| Control Name | Policy and Procedures |
| Framework | NIST SP 800-53 Revision 5 |
| Control Family | Assessment, Authorization, and Monitoring |
| Baselines | LOW, MODERATE, HIGH, PRIVACY |
| Implementation Level | Organization |
| Relevance | First Party and Third Party |
| Risk Severity | Low |
What this control requires
CA-01 requires your organization to create, maintain, and distribute a formal policy and procedures for assessing, authorizing, and monitoring information systems. That first sentence sounds straightforward, but most teams stumble not on writing the policy itself but on keeping it connected to the risk management strategy that should drive every decision the policy encodes. Understanding the full scope of NIST SP 800-53 helps clarify why this foundational control exists.
Specifically, those obligations break into three distinct requirements. First, you need a documented policy that covers purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with applicable laws and regulations. Second, you need procedures that translate that policy into repeatable, auditable steps. Third, you need a designated official responsible for developing, disseminating, and periodically updating both the policy and procedures.
In practice, this control also requires you to define what triggers an update. Audit findings, security incidents, and changes in legal or regulatory requirements should all prompt a review cycle. NIST is explicit that restating controls verbatim won’t satisfy this requirement, and auditors will flag that gap quickly. The NIST SP 800-53 control index provides the full catalog your policy must operationalize.
Why it matters
Most organizations treat policy documents as a checkbox exercise, writing them once during initial certification and forgetting them until an auditor asks. That approach creates a quiet but persistent compliance risk, and it doesn’t get better on its own.
Without a current, enforced CA-01 policy, every other control in the assessment, authorization, and monitoring family lacks a governance anchor. Procedures drift from actual practice, roles go unassigned after personnel changes, and the organization loses the ability to demonstrate management commitment during an audit.
Failure to maintain this control introduces audit risk and may result in certification withdrawal or regulatory findings. Because CA-01 sits at the organization level and spans all baselines, a deficiency here can cascade into findings across multiple control families. For federal agencies, a missing or outdated policy can delay authorization to operate, stalling system deployments until the governance gap is resolved.
Where this breaks down most often is coordination. The official guidance emphasizes that security and privacy programs should collaborate on developing assessment and monitoring policies. When those teams don’t coordinate, you end up with parallel governance structures that contradict each other, creating confusion during audits and leaving gaps in how systems are authorized.
Gaps in CA-01 compliance create the following exploitable conditions:
- Audit non-conformance resulting in delayed or denied authorization to operate
- Regulatory exposure when policies don’t reflect current legal requirements, for example updates to information security compliance obligations
- Role ambiguity causing gaps in accountability for assessment and monitoring activities
- Stale procedures that no longer match operational reality, leading to inconsistent evidence
- Vendor oversight gaps where third-party assessment practices aren’t governed by documented procedures
How to implement
The most common failure mode isn’t a missing policy document. It’s a policy that exists in name but was written by copying control language from the standard, signed once, and never connected to how the organization actually operates.
For your organization
Start by linking CA-01 directly to your risk management strategy, specifically what PM-09 defines. Your policy should flow from the risk decisions your leadership has already made, not exist as a standalone document.
Step 1: Designate ownership. Assign a specific official, typically the chief information security officer or a senior risk manager, as the accountable owner for policy development, dissemination, and updates. Document this designation formally.
Step 2: Draft the policy. Address each required element: purpose, scope, roles and responsibilities, management commitment, coordination among entities (for example, between security and privacy programs), and compliance with applicable laws. Organization-wide policies are preferable and can eliminate the need for system-specific versions.
Step 3: Develop procedures. Write step-by-step procedures that operationalize the policy. These procedures can live in your system security plan or as standalone documents. Each procedure should map to a specific policy statement and identify who performs the action, what evidence is produced, and how frequently.
Step 4: Disseminate and train. Distribute the policy to all relevant personnel and make sure they understand their roles. Track acknowledgment.
Step 5: Define review triggers and cadence. Set a recurring review cycle (annually is common) and document event-driven triggers: audit findings, security incidents, organizational changes, and updates to laws or directives. Use the NIST 800-53 compliance checklist to verify you haven’t missed required elements.
Common mistakes to avoid:
- Treating the policy as a static document that never reflects operational changes
- Failing to update procedures when assessment or monitoring processes evolve
- Allowing the designated official role to go vacant after personnel turnover
For your vendors
When evaluating whether a vendor meets CA-01, self-attestation alone isn’t sufficient. You need to verify that documented policies and procedures actually exist and aren’t just claimed.
Questionnaire questions to include:
- Do you maintain a documented assessment, authorization, and monitoring policy? When was it last reviewed?
- Who is the designated official responsible for policy and procedure development?
- What events trigger a policy or procedure update?
- Can you provide your current system security plan or equivalent documentation?
Evidence to request:
- The assessment, authorization, and monitoring policy document with a visible revision date
- Procedures for implementing that policy
- Evidence of the most recent review cycle (meeting minutes, approval records, or change logs)
- Documentation naming the designated official and their authority
Red flags to watch for:
- Policy documents with revision dates older than two years
- Procedures that mirror NIST control language verbatim without operational specifics
- No named individual responsible for policy management
- Inability to provide evidence of any review or update cycle
Verification beyond self-attestation: Request a copy of the actual policy and spot-check it for the required elements (purpose, scope, roles, management commitment, and compliance alignment). A vendor risk assessment that includes document review will surface gaps that questionnaires alone miss.
Evidence examples
| Evidence Type | Example Artifact |
|---|---|
| Assessment and monitoring policy | Formal policy document addressing purpose, scope, roles, responsibilities, management commitment, coordination, and legal compliance |
| Implementation procedures | Step-by-step procedures for conducting assessments, granting authorizations, and performing ongoing monitoring |
| Designated official documentation | Appointment memo or organizational chart identifying the official responsible for policy and procedure management |
| Policy review records | Review logs, meeting minutes, or approval records showing periodic and event-driven updates |
| System security plan | System security plan sections referencing assessment, authorization, and monitoring policy and procedures |
| Privacy plan | Privacy plan documenting how privacy requirements integrate with assessment and authorization activities |
| Dissemination records | Distribution logs or acknowledgment receipts confirming personnel received current policy and procedures |
Cross-framework mapping
| Framework | Control(s) | Coverage |
|---|---|---|
| ISO 27001:2022 | 5.1 Policies for information security | Partial |
| ISO 27001:2022 | 5.2 Information security roles and responsibilities | Partial |
| ISO 27001:2022 | 5.3 Segregation of duties | Partial |
| ISO 27001:2022 | 5.4 Management responsibilities | Partial |
| ISO 27001:2022 | 5.31 Legal, statutory, regulatory and contractual requirements | Partial |
| ISO 27001:2022 | 5.36 Compliance with policies, rules and standards for information security | Partial |
| ISO 27001:2022 | 5.37 Documented operating procedures | Partial |
| NIST SP 800-171 Rev 3 | 03.15.01 Policy and Procedures | Partial |
Related controls
- PM-09 — Risk Management Strategy: Defines the risk management strategy that CA-01 policies must align with and flow from
- PS-08 — Personnel Sanctions: Establishes consequences for personnel who fail to comply with the policies and procedures CA-01 requires
- SI-12 — Information Management and Retention: Governs how long policy documents, review records, and related evidence must be retained
Frequently asked questions
What is NIST SP 800-53 CA-01?
CA-01 is the NIST SP 800-53 control that requires organizations to develop, document, and maintain a formal policy and procedures for assessment, authorization, and monitoring activities. It applies across all baselines (LOW, MODERATE, HIGH, and PRIVACY) and mandates that a designated official oversee policy development, dissemination, and periodic review. It ensures that your organization’s approach to evaluating and authorizing systems is governed by documented, enforceable guidance rather than ad hoc decisions.
What happens if CA-01 is not implemented?
Failing to implement CA-01 leaves your organization without a governance anchor for every other control in the assessment, authorization, and monitoring family. Auditors will flag the absence of a documented policy, defined roles, and review cadence as a non-conformance finding. That finding can delay or prevent authorization to operate and may trigger regulatory scrutiny, particularly if your policy doesn’t reflect current legal or contractual requirements.
How do you audit CA-01?
Auditors verify CA-01 by examining the assessment, authorization, and monitoring policy for required elements: purpose, scope, roles, responsibilities, management commitment, coordination, and legal compliance. They confirm that procedures exist to implement the policy and that a designated official is named and active. Review records, dissemination logs, and the system security plan are checked to validate that updates occur at the defined frequency and in response to triggering events such as audit findings or regulatory changes.
What is the difference between a security policy and a security procedure under NIST 800-53?
A security policy defines the “what” and “why,” establishing organizational intent, scope, roles, and compliance requirements for a control family. A procedure defines the “how,” providing step-by-step instructions for carrying out the policy in practice. Under CA-01, both are required, and NIST is explicit that restating control language from the standard doesn’t satisfy either requirement. The policy sets direction, and the procedures make that direction repeatable and auditable.