View package details in CAM Workspace

  • Release version: Washingtondc
  • Updated August 1, 2024
  • Use the authorization package overview page to view the collection of all documents and evidence that help you check the security posture of an organization.

    Before you begin

    Role required:
    • sn_irm_cont_auth.authorization_official
    • sn_irm_cont_auth.information_owner
    • sn_irm_cont_auth.info_system_sec_manager
    • sn_irm_cont_auth.info_system_sec_officer
    • sn_irm_cont_auth.sec_control_assessor
    • sn_irm_cont_auth.system_owner
    • sn_irm_cont_auth.scheduler
    • sn_irm_cont_auth.system_user
    • sn_irm_cont_auth.admin
    • sn_irm_cont_auth.executive_read

    Procedure

    1. Navigate to All > CAM Workspace.
    2. To navigate to the Lists page, select the lists icon.
    3. From the Authorization packages in the RMF list on the left pane, select an authorization package record on the right pane.
      The stepper component displays the current state of the package, and the roadmap to reach the Monitor state.

      A short GIF showing the Authorization package overview page widgets.

      Compliance summary
      Displays the total number of controls contained in this package. A breakdown of the counts of inherited controls and not applicable controls in the package is also displayed. Controls implemented shows the percentage of controls in the Monitor state.
      Control allocation
      Controls grouped by family and categorized as system specific and hybrid.
      Overview
      Displays the total count of Controls, Control tests, and POA&Ms and their status.
      Details
      More granular details: control details in the control requirement widget and control test details in the assessment procedures widget.
    4. Select the sidebar icon.
      The Highlighted details section displays:
      • The privacy sensitive system status of the package.
      • The link to the boundary which, when selected, takes you to the authorization boundary with which this package is associated.
      • The Impact card, which shows the confidentiality, integrity, and availability status of the package. The Impact of the package is determined from these values.
      • The users who have a key role to play in updating the authorization package.
    5. To view the relationship between the selected authorization package and all its associated objects in a distinct visualization, select 360° view.
      360° view is added in the Overview pages of Authorization Boundary, Authorization Package, Control, Control objective, Control overlays, Control test, Test template, Test plan, Engagements, and in the Details pages of Indicator, Indicator Template, and POA&Ms.

      360° view of all the elements associated with the authorization package.

    6. Select Generate SSP to generate the System Security Plan (SSP).
      You can also generate ATO artifact reports such as the Security Assessment Report (SAR) and Plan of Actions and Milestones (POA&Ms) by selecting the more actions icon.

      For more information on CAM ATO artifacts, see Generate ATO artifacts for an authorization package.

    7. To generate an OSCAL SSP, select the Export OSCAL SSP option from the more actions icon.
    8. To move to the previous step of the authorization package and update any details, select the Back to previous step option from the more actions icon.
      All actions that were performed when the package moved to the current state are reversed if you choose the Back to previous step action. For example, if the package is in the Implement state, then when it moves back to the Select state, all the existing generated controls are retired. In the Select state, you can revisit the baseline controls and take necessary actions if required. However, this operation can only be done by a Continuous Authorization and Monitoring administrator (sn_irm_cont_auth.admin).
    9. To view the controls related to the authorization package, select the Controls related list.
      1. Select a control from the list.
        In the Continuous Authorization and Monitoring application, you can view the control's allocation category in the header of the control's Overview page. Control allocation is either System specific or Hybrid.
      2. Select the sidebar icon to view the NIST reference details.
      3. Select the Details related list.
        The Family and Family ID fields identify the family to which the control's control objective belongs. These fields are read-only in the Control form.

        The Control allocation list in the authorization package overview page displays the controls grouped by family and separated into system specific and hybrid.

    10. To inherit the requirements for a baseline control, select only one control objective in the Baseline Controls tab.
      You must have one self-implemented requirement; the remaining requirements can be inherited from common control providers.

      The package must be in Select state. Only common control providers with control requirements can be used to create hybrid controls.

      1. Select Create Hybrid.
        The Create Hybrid Control popup lists the packages in groups.

        Create hybrid control popup.

      2. Enter a package in the Authorization Package (Optional) field.
        You can enter all the packages that you require, from which you can select the requirements.
      3. Select the requirements from the package groupings, leaving one or more requirements for self implementation for that control.
        You are creating a hybrid control, for which the requirement is inherited from the package that you selected.
      4. Select Add.
    11. To navigate to the associated control objective, select the link to the control objective in the sidebar.
      The Reference for the control objective, sourced by NIST, is captured as Source ID in the header of the control objective.

      The controls are grouped as a Family and abbreviated with an ID that is defined as the Family ID. These fields are editable, help you identify the group to which the control belongs, and are used in the Control allocation section for reporting purposes. The content for Family and Family ID is updated based on NIST 800-53. For more information, see Control requirement details in the CAM view of Control objective and Control forms.

      1. Select the Related control objectives related list.
        All control objectives that have an impact on the implementation of the package but belong to different families are grouped as Related control objectives. These control objectives are sourced by NIST. All related controls in a package based on the mapped control objectives are linked as Related control objectives.

        The Related controls related list contains controls from the related control objective with the same entity.

      2. To add related control objectives, select Add.
      3. Select the control objectives and select Add.
        The list shows the control objectives that have not already been added to the related control objectives list of the package.