Doc:NIST SP 800-53Ar1 FPD Appendix G

From FISMApedia
Jump to: navigation, search




The primary purpose of the security assessment report is to convey the results of the security assessment to appropriate organizational officials. The security assessment report is included in the security authorization package along with the security plan (including an updated risk assessment), and the plan of action and milestones to provide authorizing officials with the information necessary to make credible, risk-based decisions on whether to place an information system into operation or continue its operation. As the security assessment and authorization process becomes more dynamic in nature, relying to a greater degree on the continuous monitoring aspects of the process as an integrated and tightly coupled part of the system development life cycle, the ability to update the security assessment report frequently becomes a critical aspect of an information security program.

It is important to emphasize the relationship, described in Special Publication 800-37, among the three key documents in the authorization package (i.e., the security plan, the security assessment report, and the plan of action and milestones). It is these documents that provide the most reliable indication of the overall security state of the information system and the ability of the system to protect to the degree necessary, the organization's operations and assets, individuals, other organizations, and the Nation. Updates to these key documents are provided on an ongoing basis in accordance with the continuous monitoring program established by the organization.

The security assessment report provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any weaknesses or deficiencies in the security controls.[1] This appendix provides a template for reporting the results from security control assessments. Organizations are not restricted to the specific template format; however, it is anticipated that the overall report of an assessment will include similar information to that detailed in the template for each security control assessed, preceded by a summary providing the list of all security controls assessed and the overall status of each control.

Key Elements for Assessment Reporting

The following elements are included in security assessment reports:[2]

  • Information system name;
  • Security categorization;
  • Site (S) assessed and assessment date (S);
  • Assessor's name/identification;
  • Previous assessment results (if reused);
  • Security control or control enhancement designator;
  • Selected assessment methods and objects;
  • Depth and coverage attributes values;
  • Assessment finding summary (indicating satisfied or other than satisfied);
  • Assessor comments (weaknesses or deficiencies noted);
  • Assessor recommendations (priorities, remediation, corrective actions, or improvements)

The Assessment Findings Each determination statement executed by an assessor results in one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). Consider the following example for security control CP-2. The assessment procedure for CP-2 consists of two assessment objectives denoted CP-2.1 and CP-2.2. The assessor initially executes CP-2.1 and produces the following findings:

Determine if:

(i) the organization develops a contingency plan for the information system that:

  • identifies essential missions and business functions and associated contingency requirements; (S)
  • provides recovery objectives, restoration priorities, and metrics; (S)
  • addresses contingency roles, responsibilities, assigned individuals with contact information; (O)
  • addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (S)
  • addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; (S) and
  • is reviewed and approved by designated officials within the organization; (O)

(ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; (O) and (iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements. (S)

Comments and Recommendations:
CP-2.1 (i) is marked as other than satisfied because the contingency plan prepared by the organization did not assign individuals to contingency roles and provide contact information. There was also no evidence that the contingency plan had been reviewed and approved by designated organizational officials.
CP-2.1 (iii) is marked as other than satisfied because the organization had not distributed copies of the contingency plan to key contingency personnel and organizational elements critical to executing the plan..

In a similar manner, the assessor executes CP-2.2 and produces appropriate findings. During an actual security control assessment, the assessment findings, comments, and recommendations are documented on a Security Assessment Reporting Form. Organizations are encouraged to develop standard templates for reporting that contain the key elements for assessment reporting described above. Whenever possible, automation is used to make assessment data collection and reporting cost-effective, timely, and efficient.


  1. 46 While the rationale for each determination made is a part of the formal Security Assessment Report, the complete set of records produced as a part of the assessment is likely not included in the report. However, organizations retain the portion of these records necessary for maintaining an audit trail of assessment evidence, facilitating reuse of evidence as appropriate, and promoting repeatability of assessor actions.
  2. 47 Information available in other key organizational documents (e.g., security plan, risk assessment, plan of action and milestones, or security assessment plan) need not be duplicated in the security assessment report.