Doc:NIST SP 800-53Ar1 FPD Appendix H

From FISMApedia

APPENDIX H

ASSESSMENT CASES

WORKED EXAMPLES OF ASSESSOR ACTIONS DERIVED FROM ASSESSMENT PROCEDURES

To provide assessors with additional tools and techniques for implementing the assessment procedures in Appendix F, NIST initiated the Assessment Case Development Project.[1] The purpose of the project is threefold: (i) actively engage experienced assessors from multiple organizations in recommending assessment cases that describe specific assessor actions to implement the assessment procedures in Appendix F; (ii) provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in Appendix F; and (iii) provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the security control assessment process for more consistent, effective, and cost-effective security assessments of federal information systems. The assessment case development process is described in this appendix and several examples of assessment cases are provided.


Assessment Case Description and Template

The concept of assessment cases emerged during the development process of Special Publication 800-53A. Some organizations prefer the flexibility offered by the generalized assessment procedures in Appendix F, with the opportunity to tailor the procedures for specific organizational requirements and operational environments and to create specific assessor actions and activities for a particular security assessment. Other organizations prefer a more prescriptive approach and desire, to the greatest extent possible, a predefined set of specific assessor actions and activities needed to successfully carry out a security assessment. To facilitate the specificity of the latter approach while maintaining the flexibility of the former approach, assessment cases have been developed for all assessment procedures in Appendix F of this document.

An assessment case represents a worked example of an assessment procedure, identifying the specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system. There is one assessment case per control, covering all assessment objectives from the assessment procedure in Appendix F for that control (both the base control and all of its enhancements). The assessment case provides an example, developed by experienced assessors, of a potential set of specific assessor action steps to accomplish the assessment. The steps were developed with consideration for the list of potential assessment methods and objects, and incorporate the level of coverage and depth to be applied and the specific purpose to be achieved by each assessor action. This additional level of detail in the assessment cases provides assessors with more prescriptive assessment information. Yet, while being more prescriptive, the assessment cases are not intended to restrict the assessor flexibility provided as part of the design principles in Special Publication 800-53A. The assessor remains responsible for making the specified determinations and for providing adequate rationale for the determinations made.

The following template is used to create the specific assessment cases for the assessment procedures in Appendix F.


ASSESSMENT CASE
AA-N Security Control Name
 
ASSESSMENT — Base Control, Part 1 of x (where x is the number of assessment objectives)
Assessment Information from Special Publication 800-53A
This section contains the determinations and potential assessment methods and objects from Special Publication 800-53A, with a separate row for each unique determination. The numbering in the column to the left associates a unique number with each specific determination. This numbering is used to link the assessor action steps below to the determinations.
AA-N.1 Determine if:
AA-N.1.1 (i) <determination statement 1>.
... ...
AA-N.1.n (n) <determination statement n>.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: <object-list>].
Interview: [SELECT FROM: <object-list>].
Test: [SELECT FROM: <object-list>].
Additional Assessment Case Information
This section contains the additional information provided by the assessment case to help the assessor in planning and conducting the security control assessment.
POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: <security-control-list>
CONCURRENT CONTROLS: <security-control-list>
SUCCESSOR CONTROLS: <security-control-list>
This section provides some initial suggestions with regard to sequencing of assessor actions for greater efficiency. Precursor controls are those controls whose assessment is likely to provide information either assisting in, or required for, the assessment of this control. Concurrent controls are those controls whose assessment is likely to require the assessor to assess similar objects and hence, the assessor may be able to obtain evidence for multiple control assessments at the same time. Successor controls are those controls whose assessment will likely need, or benefit from, information obtained from the assessment of this control.
Action Step Potential Assessor Evidence Gathering Actions
Each step is numbered to align with a specific determination statement above. The suggested assessor action (Examine, Interview, or Test) is identified, along with a likely set of objects to which that action would be applied. As the title of this column indicates, each action step does not necessarily result in a determination. Rather, collectively, the set of assessor action steps aligned with a specific determination above provides the evidence necessary to make that determination.
AA-N.1.1.1 [<Assessment Method> <Assessment Object(s)>]
... ...
AA-N.1.1.m [<Assessment Method> <Assessment Object(s)>]
Legend
AA: Alphanumeric characters representing security control family in Special Publication 800-53.
N: Numeric character representing the security control number within the family of controls.
n: Number of determination statements in the assessment objective.
m: Number of action steps associated with a specific determination statement.



Cautionary Note

The assessment cases developed for this project are not the only acceptable assessment cases; rather, the cases represent one possible set of assessor actions for organizations (and assessors supporting those organizations) to use in helping to determine the effectiveness of the security controls employed within the information systems undergoing assessment. The following assessment case for security control MP-2 illustrates how assessment cases are developed from the template above. The assessment cases, and any ongoing updates to the cases, will be published regularly on the FISMA Implementation Project web site at http://csrc.nist.gov/sec-cert.



ASSESSMENT CASE EXAMPLE

ASSESSMENT CASE
MP-2 Media Access
ASSESSMENT — Base Control
Assessment Information from Special Publication 800-53A
ASSESSMENT OBJECTIVE:
MP-2.1 Determine if:
MP-2.1.1 (i) the organization defines:
MP-2.1.1a   • digital and non-digital media requiring restricted access;
MP-2.1.1b   • individuals authorized to access the media; and
MP-2.1.1c   • security measures taken to restrict access.
MP-2.1.2 (ii) the organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].
Additional Assessment Case Information
POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: MP-3, MP-4, MP-5, MP-6.
CONCURRENT CONTROLS: AC-2, AC-3, AC-19, AU-2, AU-3, CM-6, MP-6, PE-2, PE-3, PE-7, PE-8.
SUCCESSOR CONTROLS: NONE.
General notes to assessor for MP-2:
  • The focus of this control is the organization restricting access to information system media, and not whether the media is allowed to be used (which is covered under AC-19).
  • As indicated in the supplemental guidance for this control, this control addresses both digital and non-digital media.
Action Step Potential Assessor Evidence Gathering Actions
MP-2.1.1a.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as the digital and non-digital media requiring restricted access.
MP-2.1.1b.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as individuals authorized to access the media identified in MP-2.1.1a.1.
MP-2.1.1c.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as the security measures to be taken to restrict access to the media identified in MP-2.1.1a.1.
MP-2.1.2.1 Examine an agreed-upon representative sample of media access control records or other relevant records for an agreed-upon representative sample of information system media types identified in MP-2.1.1a.1; reviewing for evidence that the measures identified in MP-2.1.1c.1 are implemented as intended.
MP-2.1.2.2 Examine an agreed-upon representative sample of operations at media storage facilities and other relevant areas; observing for indication that the measures identified in MP-2.1.1c.1 are implemented as intended.
MP-2.1.2.3 Examine an agreed-upon representative sample of operations at media storage facilities and other relevant areas; inspecting for indication that the measures identified in MP-2.1.1c.1 are implemented as intended.
MP-2.1.2.4 Interview an agreed-upon representative sample of organizational personnel identified in MP-2.1.1b.1 with information system media protection responsibilities; conducting focused discussions for further evidence that the measures identified in MP-2.1.1c.1 are implemented as intended.
Note to assessor: To facilitate assessment of this control, there should be an identified list of storage areas (e.g., identified in the security plan) where the organization intends to apply the MP-2 control. It is assumed that such designated storage areas either house large concentrations of information system media (e.g., server rooms, communication centers) or house particularly important media with regard to the potential impact if the media is not adequately protected.
ASSESSMENT — Control Enhancement 1
Assessment Information from Special Publication 800-53A
ASSESSMENT OBJECTIVE:
MP-2(1).1 Determine if:
MP-2(1).1.1 (i) the organization employs automated mechanisms to restrict access to media storage areas; and
MP-2(1).1.2 (ii) the organization employs automated mechanisms to audit access attempts and access granted to media storage areas.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access restrictions to media storage areas].
Additional Assessment Case Information
POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: MP-3, MP-4, MP-5, MP-6.
CONCURRENT CONTROLS: AC-2, AC-3, AC-19, AU-2, AU-3, CM-6, MP-6, PE-2, PE-3, PE-7, PE-8.
SUCCESSOR CONTROLS: NONE.
Action Step Potential Assessor Evidence Gathering Actions
MP-2(1).1.1.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for the automated mechanisms and configuration settings to be employed to restrict access to designated media storage areas.
MP-2(1).1.1.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.1.1; reviewing for indication that the mechanisms are configured as identified in MP-2(1).1.1.1.
MP-2(1).1.1.3 Examine an agreed-upon specific sample of media storage facilities; observing for indication that the mechanisms identified in MP-2(1).1.1.1 are implemented as intended.
MP-2(1).1.1.4 Examine an agreed-upon specific sample of media storage facilities; inspecting for indication that the mechanisms identified in MP-2(1).1.1.1 are implemented as intended.
MP-2(1).1.1.5 Test an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.1.1; conducting focused testing for evidence that the mechanisms operate as intended.
MP-2(1).1.2.1 Examine information system media protection policy and procedures, audit and accountability policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for the automated mechanisms and configuration settings to be employed to audit access attempts and access granted to media storage areas.
MP-2(1).1.2.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.2.1; reviewing for indication that the mechanisms are configured as identified in MP-2(1).1.2.1.
Note to assessor: Considerations for selecting the specific sample include: the selected audit and accountability policies (access attempts/access granted), how many media storage areas should be included in the sample, and how many instances of access attempts are to be examined.
MP-2(1).1.2.3 Test an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.2.1; conducting focused testing for evidence that the mechanisms operate as intended.
Note to assessor: See note for MP-2(1).1.2.2 above.
ASSESSMENT — Control Enhancement 2
Assessment Information from Special Publication 800-53A
ASSESSMENT OBJECTIVE:
MP-2(2).1 Determine if the information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms protecting and restricting access to information system information on portable digital media].
Additional Assessment Case Information
POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: NONE.
CONCURRENT CONTROLS: NONE.
SUCCESSOR CONTROLS: NONE.
Action Step Potential Assessor Evidence Gathering Actions
MP-2(2).1.1.1 Examine information system media protection policy and procedures, procedures addressing media access, security plan, or other relevant documents; reviewing for the required use of cryptographic mechanisms, and the configuration settings to be employed, to protect and restrict access to information on portable digital media.
MP-2(2).1.1.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of the cryptographic mechanisms identified in MP-2(2).1.1.1; reviewing for indication that the mechanisms are configured as identified in MP-2(2).1.1.1.
Note to assessor: Considerations for selecting the specific sample include: the types of portable digital media in use, how many instances of such media (and of the cryptographic mechanisms protecting them) should be included in the sample, and which configuration settings are to be examined.
MP-2(2).1.1.3 Test an agreed-upon specific sample of the cryptographic mechanisms identified in MP-2(2).1.1.1; conducting focused testing for evidence that the mechanisms protect and restrict access to information on portable digital media as intended.
Note to assessor: See note for MP-2(2).1.1.2 above.


Footnotes

  1. NIST initiated the Assessment Case Development Project in October 2007 in cooperation with the Departments of Justice, Energy, Transportation, and the Intelligence Community. The interagency task force developed a full suite of assessment cases based on the assessment procedures provided in Special Publication 800-53A. The assessment cases are available to all public and private sector organizations and can be downloaded from the NIST web site at http://csrc.nist.gov/sec-cert.

