NIST SP 800-53A Rev. 1 (Final Public Draft), Appendix G
APPENDIX G
SECURITY ASSESSMENT REPORTS
DOCUMENTING THE FINDINGS FROM SECURITY CONTROL ASSESSMENTS
The primary purpose of the security assessment report is to convey the results of the security assessment to appropriate organizational officials. The security assessment report is included in the security authorization package along with the security plan (including an updated risk assessment), and the plan of action and milestones to provide authorizing officials with the information necessary to make credible, risk-based decisions on whether to place an information system into operation or continue its operation. As the security assessment and authorization process becomes more dynamic in nature, relying to a greater degree on the continuous monitoring aspects of the process as an integrated and tightly coupled part of the system development life cycle, the ability to update the security assessment report frequently becomes a critical aspect of an information security program.
It is important to emphasize the relationship, described in Special Publication 800-37, among the three key documents in the authorization package (i.e., the security plan, the security assessment report, and the plan of action and milestones). It is these documents that provide the most reliable indication of the overall security state of the information system and of the ability of the system to protect, to the degree necessary, the organization's operations and assets, individuals, other organizations, and the Nation. Updates to these key documents are provided on an ongoing basis in accordance with the continuous monitoring program established by the organization.
The security assessment report provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any weaknesses or deficiencies in the security controls.[1] This appendix provides a template for reporting the results from security control assessments. Organizations are not restricted to the specific template format; however, it is anticipated that the overall report of an assessment will include similar information to that detailed in the template for each security control assessed, preceded by a summary providing the list of all security controls assessed and the overall status of each control.
Key Elements for Assessment Reporting
The following elements are included in security assessment reports:[2]
- Information system name;
- Security categorization;
- Site(s) assessed and assessment date(s);
- Assessor's name/identification;
- Previous assessment results (if reused);
- Security control or control enhancement designator;
- Selected assessment methods and objects;
- Depth and coverage attribute values;
- Assessment finding summary (indicating satisfied or other than satisfied);
- Assessor comments (weaknesses or deficiencies noted);
- Assessor recommendations (priorities, remediation, corrective actions, or improvements).
The Assessment Findings
Each determination statement executed by an assessor results in one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). Consider the following example for security control CP-2. The assessment procedure for CP-2 consists of two assessment objectives denoted CP-2.1 and CP-2.2. The assessor initially executes CP-2.1 and produces the following findings:
CP-2.1 | ASSESSMENT OBJECTIVE:
In a similar manner, the assessor executes CP-2.2 and produces appropriate findings. During an actual security control assessment, the assessment findings, comments, and recommendations are documented on a Security Assessment Reporting Form. Organizations are encouraged to develop standard templates for reporting that contain the key elements for assessment reporting described above. Whenever possible, automation is used to make assessment data collection and reporting cost-effective, timely, and efficient.
Footnotes
[1] While the rationale for each determination made is a part of the formal Security Assessment Report, the complete set of records produced as a part of the assessment is likely not included in the report. However, organizations retain the portion of these records necessary for maintaining an audit trail of assessment evidence, facilitating reuse of evidence as appropriate, and promoting repeatability of assessor actions.
[2] Information available in other key organizational documents (e.g., security plan, risk assessment, plan of action and milestones, or security assessment plan) need not be duplicated in the security assessment report.