
Security Controls Assessment (SCA)

A compliance-based assessment to determine if a system's security and privacy controls are implemented correctly

Contact: CSRAP Team | CSRAP@cms.hhs.gov

What is a Security Control Assessment (SCA)? 

The Security Control Assessment, formerly known as a Security Test and Evaluation (ST&E), is an evaluation of the controls protecting an information system. The SCA determines if the controls are implemented correctly, operating as intended, producing the desired outcome, and meeting the security requirements for the system. The SCA is a compliance tool that tests the control requirements described in the CMS Acceptable Risk Safeguards (ARS).

SCA vs. CSRAP

There are two system assessments available for System/Business Owners to meet the current requirements of the ATO process: the SCA and the Cybersecurity and Risk Assessment Program (CSRAP). In 2018, CMS determined that the SCA was not satisfactorily meeting modern risk assessment requirements for FISMA systems at CMS. As a result, CMS developed the current CSRAP process to provide an improved assessment model that measures risk. While CSRAP and SCA do share some similarities, CSRAP is now the assessment of choice for modern systems at CMS. Here’s why:

CSRAP is risk-driven rather than compliance-driven. CSRAP emphasizes risk identification and analysis at the Capability level and de-emphasizes technical findings and compliance with Controls.

CSRAP is capability-oriented rather than control-oriented. Capabilities state objectives, while Controls state specific implementation requirements that might help meet those objectives.

CSRAP is based on multiple Risk Information Sources (RIS). CSRAP considers all available risk data at the time of the assessment, not just the current state of Control compliance.

CSRAP is more understandable and actionable. CSRAP adds context, brings conversation to a higher level, and focuses on helping the reader determine what should be done. 

CSRAP is the next generation of assessment. CSRAP is based on updated guidance from NIST, including NISTIR 8011, Automation Support for Security Control Assessments. CSRAP focuses on continuous monitoring and automation, whereas SCA is static and compliance-driven.

Cost savings. CSRAP’s risk-based approach offers actionable findings. As a result, teams can focus their efforts on addressing system risk instead of just ticking boxes to “fix” compliance issues that may not have a meaningful impact on their system. 

Transitioning your SCA to CSRAP 

If you are a Business Owner or ISSO responsible for a system that still utilizes SCA for controls testing, it’s time to consider switching to CSRAP. CSRAP not only offers the benefits listed above, but it goes beyond the scope of an SCA to provide a risk-based analysis of your system. In fact, the information collected during your most recent SCA can be used to complete your upcoming CSRAP. 

One component of the CSRAP process is the Risk Assessment, which is an intelligent form of assessment that integrates results from available Risk Information Sources (RIS) into your test. It pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the CMS Cybersecurity Integration Center (CCIC). The SCA is just one of the Risk Information Sources available to the CSRAP Team as they conduct your assessment.

If you need more information about the Adaptive Capabilities Testing process, please review the Adaptive Capabilities Testing Handbook or reach out to the CSRAP Team to schedule your test.