Doc:NIST SP 800-53Ar1 FPD Chapter 3
CONDUCTING EFFECTIVE SECURITY CONTROL ASSESSMENTS
This chapter describes the process of assessing the security controls in organizational information systems including: (i) the activities carried out by organizations and assessors to prepare for security control assessments; (ii) the development of security assessment plans; (iii) the conduct of security control assessments and the analysis, documentation, and reporting of assessment results; and (iv) post-assessment report analysis and follow-on activities carried out by organizations.
3.1 PREPARING FOR SECURITY CONTROL ASSESSMENTS
Conducting security control assessments in today's complex environment of sophisticated information technology infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Success requires cooperation and collaboration among all parties having a vested interest in the organization's information security posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, chief executive officers/heads of agencies, Inspectors General, and the OMB. Establishing an appropriate set of expectations before, during, and after the assessment is paramount to achieving an acceptable outcome, that is, producing the information the authorizing official needs to make a credible, risk-based decision on whether to place the information system into operation or continue its operation.
Thorough preparation by the organization and the assessors is an important aspect of conducting effective security control assessments. Preparatory activities address a range of issues relating to the cost, schedule, and performance of the assessment. From the organizational perspective, preparing for a security control assessment includes the following key activities:
- Ensuring that appropriate policies covering security control assessments are in place and understood by all affected organizational elements;
- Ensuring that all steps in the RMF prior to the security control assessment step have been successfully completed and have received appropriate management oversight;
- Ensuring that security controls identified as common controls (and the common portion of hybrid controls) have been assigned to appropriate organizational entities (i.e., common control providers) for development and implementation;
- Establishing the objective and scope of the security control assessment (i.e., the purpose of the assessment and what is being assessed);
- Notifying key organizational officials of the impending security control assessment and allocating necessary resources to carry out the assessment;
- Establishing appropriate communication channels among organizational officials having an interest in the security control assessment;
- Establishing time frames for completing the security control assessment and key milestone decision points required by the organization to effectively manage the assessment;
- Identifying and selecting a competent assessor/assessment team that will be responsible for conducting the security control assessment, considering issues of assessor independence;
- Collecting artifacts to provide to the assessor/assessment team (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results); and
- Establishing a mechanism between the organization and the assessor and/or assessment team to minimize ambiguities or misunderstandings about security control implementation or security control weaknesses/deficiencies identified during the assessment.
In addition to the planning activities the organization carries out in preparation for the security control assessment, assessors/assessment teams begin preparing for the assessment by:
- Obtaining a general understanding of the organization's operations (including mission, functions, and business processes) and how the information system that is the subject of the security control assessment supports those organizational operations;
- Obtaining an understanding of the structure of the information system (i.e., system architecture);
- Obtaining a thorough understanding of the security controls being assessed (including system-specific, hybrid, and common controls) together with appropriate FIPS and Special Publications that are referenced in those controls;
- Identifying the organizational entities responsible for the development and implementation of the common controls (or the common portion of hybrid controls) supporting the information system;
- Establishing appropriate organizational points of contact needed to carry out the security control assessment;
- Obtaining artifacts needed for the security control assessment (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results);
- Obtaining previous assessment results that may be appropriately reused for the security control assessment (e.g., Inspector General reports, audits, vulnerability scans, physical security inspections, prior assessments, developmental testing and evaluation, vendor flaw remediation activities, ISO/IEC 15408 [Common Criteria] evaluations);
- Meeting with appropriate organizational officials to ensure common understanding for assessment objectives and the proposed rigor and scope of the assessment; and
- Developing a security assessment plan.
In preparation for the assessment of security controls, the necessary background information is assembled and made available to the assessors or assessment team. To the extent necessary to support the specific assessment, the organization identifies and arranges access to: (i) elements of the organization responsible for developing, documenting, disseminating, reviewing, and updating all security policies and associated procedures for implementing policy-compliant controls; (ii) the security policies for the information system and any associated implementing procedures; (iii) individuals or groups responsible for the development, implementation, operation, and maintenance of security controls; (iv) any materials (e.g., security plans, records, schedules, assessment reports, after-action reports, agreements, authorization packages) associated with the implementation and operation of security controls; and (v) the objects to be assessed. The availability of essential documentation as well as access to key organizational personnel and the information system being assessed are paramount to a successful assessment of the security controls.
3.2 DEVELOPING SECURITY ASSESSMENT PLANS
The security assessment plan provides the objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment. The following steps are considered by assessors in developing plans to assess the security controls in organizational information systems or inherited by those systems:
- Determine which security controls/control enhancements are to be included in the assessment based upon the contents of the security plan and the purpose/scope of the assessment;
- Select the appropriate assessment procedures to be used during the assessment based on the security controls and control enhancements that are to be included in the assessment;
- Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, assign depth and coverage attribute values);
- Develop additional assessment procedures to address any security requirements or controls that are not sufficiently covered by Special Publication 800-53;
- Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions; and
- Finalize the assessment plan and obtain the necessary approvals to execute the plan.
3.2.1 Determine which security controls are to be assessed.
The security plan provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The assessor starts with the security controls described in the security plan and considers the purpose of the assessment. A security control assessment can be a complete assessment of all security controls in the information system or inherited by the system (e.g., during an initial security authorization process) or a partial assessment of the security controls in the information system or inherited by the system (e.g., during system development, during continuous monitoring, where controls are assessed on an ongoing basis and as a result of changes affecting the controls, or where controls were previously assessed and the results accepted in the reciprocity process). For partial assessments, information system owners and common control providers collaborate with organizational officials having an interest in the assessment (e.g., senior information security officers, mission/information owners, Inspectors General, and authorizing officials) to determine which security controls are to be assessed. The selection of the security controls depends on the continuous monitoring strategy established by the information system owner or common control provider to ensure that: (i) all controls are assessed during the authorization period established by federal legislation, policies, directives, standards, and guidelines; (ii) items on the plan of action and milestones receive adequate oversight; (iii) controls with greater volatility or importance to the organization are assessed more frequently; and (iv) control implementations that have changed since the last assessment are reevaluated.
3.2.2 Select appropriate procedures to assess the security controls.
Special Publication 800-53A, Appendix F, provides an assessment procedure for each security control and control enhancement in Special Publication 800-53. For each security control and control enhancement in the security plan to be included in the assessment, assessors select the corresponding assessment procedure from Appendix F. The set of selected assessment procedures varies from assessment to assessment based on the current content of the security plan and the purpose of the security assessment (e.g., annual security control assessment, continuous monitoring).
3.2.3 Tailor assessment procedures.
In a similar manner to how the security controls from Special Publication 800-53 are tailored for the organization's mission, business functions, characteristics of the information system and operating environment, organizations tailor the assessment procedures listed in Appendix F to meet specific organizational needs. Organizations have the flexibility to perform the tailoring process at the organization level for all information systems, at the individual information system level, or using a combination of organization-level and system-specific approaches. Security control assessors determine if the organization provides additional tailoring guidance prior to initiating the tailoring process. Assessment procedures can be tailored by:
- Selecting the appropriate assessment methods and objects needed to satisfy the stated assessment objectives;
- Selecting the appropriate depth and coverage attribute values to define the rigor and scope of the assessment;
- Identifying common controls that have been assessed by a separately-documented security assessment plan, and do not require the repeated execution of the assessment procedures;
- Developing information system/platform-specific and organization-specific assessment procedures (which may be adaptations to those procedures in Appendix F);
- Incorporating assessment results from previous assessments where the results are deemed applicable; and
- Making appropriate adjustments in assessment procedures to be able to obtain the requisite assessment evidence from external providers.
Assessment method and object-related considerations —
It is recognized that organizations can specify, document, and configure their information systems in a variety of ways and that the content and applicability of existing assessment evidence will vary. This may result in the need to apply a variety of assessment methods to various assessment objects to generate the assessment evidence needed to determine whether the security controls are effective in their application. Therefore, the assessment methods and objects provided with each assessment procedure are termed potential to reflect the need to be able to choose the methods and objects most appropriate for a specific assessment. The assessment methods and objects chosen are those deemed as necessary to produce the evidence needed to make the determinations described in the determination statements. The potential methods and objects in the assessment procedure are provided as a resource to assist in the selection of appropriate methods and objects, and not with the intent to limit the selection. Organizations use their judgment in selecting from the potential assessment methods and the list of assessment objects associated with each selected method. Organizations select those methods and objects that most cost-effectively contribute to making the determinations associated with the assessment objective. The measure of the quality of assessment results is based on the soundness of the rationale provided, not the specific set of methods and objects applied. It will not be necessary, in most cases, to apply every assessment method to every assessment object to obtain the desired assessment results. And for certain assessments, it may be appropriate to employ a method not currently listed in the set of potential methods.
Depth and coverage-related considerations —
In addition to selecting appropriate assessment methods and objects, each assessment method (i.e., examine, interview, and test) has associated depth and coverage attributes that are described in Appendix D. The attribute values affect the rigor and scope of the assessment procedures executed by the assessor. The values selected by the organization are based on the characteristics of the information system being assessed and the specific determinations to be made. The depth and coverage attribute values can also be associated with the assurance requirements in Special Publication 800-53 (i.e., the rigor and scope of the assessment increases in direct relationship to the assurance requirements established by the organization).
Common control-related considerations —
Assessors note which security controls (or parts of security controls) in the security plan are designated as common controls. Since the assessment of common controls is the responsibility of the organizational entity that developed and implemented the controls (i.e., the common control provider), the assessment procedures in Appendix F used to assess these controls incorporate assessment results from that organizational entity. Common controls may have been previously assessed as part of the organization's information security program or as part of an information system providing common controls inherited by other organizational systems. There may also be a separate plan to assess the common controls. In either situation, information system owners coordinate the assessment of security controls with appropriate organizational officials (e.g., chief information officer, senior information security officer, mission/information owners, authorizing officials), obtaining the results of common control assessments or, if the common controls have not been assessed or are due to be reassessed, making the necessary arrangements to include or reference the common control assessment results in the current assessment.
Another consideration in assessing common controls is that there are occasionally system-specific aspects of a common control that are not covered by the organizational entities responsible for the common aspects of the control. These types of security controls are referred to as hybrid controls. For example, CP-2, the contingency planning security control, may be deemed a hybrid control by the organization if there is a master contingency plan developed by the organization for all organizational information systems. Following up on the initial master contingency plan, information system owners are expected to adjust, tailor, or supplement the contingency plan as necessary when there are system-specific aspects of the plan that need to be defined for the particular system where the control is employed. For each hybrid control, assessors include in the assessment plan the portions of the assessment procedures from Appendix F that address the system-specific parts of the control, so that, together with the results from common control assessments, all aspects of the security control are assessed.
System/platform and organization-related considerations —
The assessment procedures in Special Publication 800-53A may be adapted to address system/platform-specific or organization-specific dependencies. This situation arises frequently in the assessment procedures associated with the security controls from the technical families in Special Publication 800-53 (i.e., access control, audit and accountability, identification and authentication, system and communications protection). For example, the assessment of a UNIX implementation of the IA-2 control for identification and authentication of users might include an explicit examination of the .rhosts file, since improper entries in that file (such as wildcard trust entries) allow remote users in over the r-services without the local password check, bypassing user authentication. Recent test results may also be applicable to the current assessment if those test methods provide a high degree of transparency (e.g., what was tested, when it was tested, how it was tested). Standards-based testing protocols such as the Security Content Automation Protocol (SCAP) provide an example of how organizations can help achieve this level of transparency.
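The following is an added illustration of a platform-specific assessment step of the kind just described; it is not part of SP 800-53A or of the Appendix F procedures. It examines the contents of a UNIX .rhosts file for wildcard trust entries and records the result as a satisfied (S) or other than satisfied (O) finding in the form described in Section 3.3. The .rhosts contents are constructed sample input, the determination statement wording and the `Finding` structure are assumptions made for the example, and the optional permission-bits check is a common supplementary examination rather than something the text above requires.

```python
# Added example (not part of SP 800-53A): a platform-specific assessment
# step for IA-2 on a UNIX host that examines .rhosts content and records
# the result as a satisfied (S) / other than satisfied (O) finding.
# The file contents below are constructed sample input, and the
# determination statement text is an assumption used for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    """One determination statement result in the style of Section 3.3."""
    determination: str
    status: str                       # "S" (satisfied) or "O" (other than satisfied)
    evidence: List[str] = field(default_factory=list)


def parse_rhosts(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line number, host field, user field) for each trust entry.

    .rhosts lines have the form "host [user]"; '#' starts a comment and
    blank lines are ignored. A leading '-' on a field denies rather than
    grants, and '+' is a wildcard matching any host or any user.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((lineno, host, user))
    return entries


def assess_rhosts(text: str, path: str = "~/.rhosts",
                  mode: Optional[int] = None) -> Finding:
    """Examine one .rhosts file and produce a finding for IA-2.

    Any '+' wildcard in the host or user field lets a remote user in over
    the r-services without the local password check, which is the
    authentication bypass the text warns about. If the file's permission
    bits are supplied (assumed to come from a separate stat of the file),
    group- or world-writable is also reported, since anyone who can edit
    the file can add such an entry.
    """
    evidence = []
    for lineno, host, user in parse_rhosts(text):
        if host == "+":
            evidence.append(f"{path}:{lineno}: host wildcard '+' trusts every host")
        if user == "+":
            evidence.append(f"{path}:{lineno}: user wildcard '+' trusts every "
                            f"user on {host}")
    if mode is not None and mode & 0o022:
        evidence.append(f"{path}: mode {oct(mode)} is group/world-writable")
    status = "O" if evidence else "S"
    return Finding(
        determination="IA-2: .rhosts entries do not bypass user authentication",
        status=status,
        evidence=evidence,
    )


# Constructed sample files; not taken from any real system.
SAMPLE_ACCEPTABLE = """\
# trust one named account on one named host
trusted.example.org alice
-hostile.example.org
"""

SAMPLE_DEFICIENT = """\
+ +                      # any user on any host
build.example.org +      # any user on the build host
"""

if __name__ == "__main__":
    for label, content in (("acceptable", SAMPLE_ACCEPTABLE),
                           ("deficient", SAMPLE_DEFICIENT)):
        finding = assess_rhosts(content)
        print(label, finding.status, finding.determination)
        for line in finding.evidence:
            print("   ", line)
```

The point of recording each problem line as evidence, rather than only the S/O verdict, is that Section 3.3 asks the assessor to state which part of the control is affected and how it differs from the expected state; the evidence list is what goes into the security assessment report, and the same routine can be run over /etc/hosts.equiv, which uses the same entry syntax.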
Reuse of assessment evidence-related considerations —
Reuse of assessment results from previously accepted or approved assessments is considered in the body of evidence for determining overall security control effectiveness. Previously accepted or approved assessments include: (i) those assessments of common controls that are managed by the organization and support multiple information systems; or (ii) assessments of security controls that are reviewed as part of the control implementation (e.g., CP-2 requires a review of the contingency plan). The acceptability of using previous assessment results in a security control assessment is coordinated with and approved by the users of the assessment results. It is essential that information system owners and common control providers collaborate with appropriate organizational officials in determining the acceptability of using previous assessment results. When considering the reuse of previous assessment results and the value of those results to the current assessment, assessors determine: (i) the credibility of the assessment evidence; (ii) the appropriateness of the previous analysis; and (iii) the applicability of the assessment evidence to current information system operating conditions. If previous assessment results are reused, the date of the original assessment and the type of assessment are documented in the security assessment plan and security assessment report. It may be necessary, in certain situations, to supplement previous assessment results under consideration for reuse with additional assessment activities to fully address the assessment objectives. For example, if an independent evaluation of an information technology product did not test a particular configuration setting that is employed by the organization in an information system, then the assessor may need to supplement the original test results with additional testing to cover that configuration setting for the current information system environment.
The decision to reuse assessment results is documented in the security assessment plan and the final security assessment report and is consistent with federal legislation, policies, directives, standards, and guidelines with respect to the security control assessments.
The following items are considered in validating previous assessment results for reuse:
- Changing conditions associated with security controls over time.
Security controls that were deemed effective during previous assessments may have become ineffective due to changing conditions within the information system or its environment of operation. Assessment results that were found to be previously acceptable may no longer provide credible evidence for the determination of security control effectiveness, and therefore, a reassessment would be required. Applying previous assessment results to a current assessment necessitates the identification of any changes that have occurred since the previous assessment and the impact of these changes on the previous results. For example, reusing previous assessment results from examining an organization's security policies and procedures may be acceptable if it is determined that there have not been any significant changes to the identified policies and procedures. Reusing assessment results produced during the previous authorization of an information system is a cost-effective method for supporting continuous monitoring activities and annual FISMA reporting requirements when the related controls have not changed and there are adequate reasons for confidence in their continued application.
- Amount of time that has transpired since previous assessments.
In general, as the time period between current and previous assessments increases, the credibility/utility of the previous assessment results decreases. This is primarily due to the fact that the information system or the environment in which the information system operates is more likely to change with the passage of time, possibly invalidating the original conditions or assumptions on which the previous assessment was based.
- Degree of independence of previous assessments.
Assessor independence can be a critical factor in certain types of assessments. Previous results are reused only when the degree of independence under which they were produced is at least that required for the current assessment. For example, it is not appropriate to reuse results from a previous self-assessment, where no assessor independence was required, in a current assessment requiring a greater degree of independence.
External information system-related considerations —
The assessment procedures in Appendix F need to be adjusted as appropriate to accommodate the assessment of external information systems. Because the organization does not always have direct control over the security controls used in external information systems, or sufficient visibility into the development, implementation, and assessment of those controls, alternative assessment approaches may need to be applied, resulting in the need to tailor the assessment procedures described in Appendix F. Where required assurances of agreed-upon security controls within an information system or inherited by the system are documented in contracts or service-level agreements, assessors review these contracts or agreements and where appropriate, tailor the assessment procedures to assess either the security controls or the security control assessment results provided through these agreements. In addition, assessors take into account any other assessments that have been conducted, or are in the process of being conducted, for external information systems that are relied upon with regard to protecting the information system under assessment. Applicable information from these assessments, if deemed reliable, is incorporated into the security assessment report.
3.2.4 Develop assessment procedures for organization-specific security controls.
Based on organizational policies, mission or business function requirements, and an assessment of risk, organizations may choose to develop and implement additional (organization-specific) security controls or control enhancements for their information systems that are beyond the scope of Special Publication 800-53. Such security controls are documented in the security plan for the information system as controls not found in Special Publication 800-53. To assess the security controls in this situation, assessors use the guidelines in Chapter Two to develop assessment procedures for those controls and control enhancements. The assessment procedures developed are subsequently integrated into the security assessment plan.
3.2.5 Optimize selected assessment procedures to ensure maximum efficiency.
Assessors have a great deal of flexibility in organizing a security assessment plan that meets the needs of the organization and that provides the best opportunity for obtaining the necessary evidence to determine security control effectiveness, while reducing overall assessment costs. Combining and consolidating assessment procedures is one area where this flexibility can be applied. During the assessment of an information system, assessment methods are applied numerous times to a variety of assessment objects within a particular family of security controls. To save time, reduce assessment costs, and maximize the usefulness of assessment results, assessors review the selected assessment procedures for the security control families and combine or consolidate the procedures (or parts of procedures) whenever possible or practicable. For example, assessors may wish to consolidate interviews with key organizational officials dealing with a variety of security-related topics. Assessors may have other opportunities for significant consolidations and cost savings by examining all security policies and procedures from the eighteen families of security controls at the same time or organizing groups of related policies and procedures that could be examined as a unified entity. Obtaining and examining configuration settings from similar hardware and software components within the information system is another example that can provide significant assessment efficiencies.
An additional area for consideration in optimizing the assessment process is the sequence in which security controls are assessed. The assessment of some security controls before others may provide information that facilitates understanding and assessment of other controls. For example, security controls such as CM-2 (Baseline Configuration), CM-8 (Information System Component Inventory), PL-2 (System Security Plan), RA-2 (Security Categorization), and RA-3 (Risk Assessment) produce general descriptions of the information system. Assessing these security controls early in the assessment process may provide a basic understanding of the information system that can aid in assessing other security controls. The supplemental guidance of many security controls also identifies related controls that can provide useful information in organizing the assessment procedures. For example, AC-19 (Access Control for Portable and Mobile Devices) lists security controls MP-4 (Media Storage) and MP-5 (Media Transport) as being related to AC-19. Since AC-19 is related to MP-4 and MP-5, the sequence in which assessments are conducted for AC-19, MP-4, and MP-5 may facilitate the reuse of assessment information from one control in assessing other related controls.
3.2.6 Finalize security assessment plan and obtain approval to execute plan.
After selecting the assessment procedures (including developing necessary procedures not contained in the Special Publication 800-53A catalog of procedures), tailoring the procedures for information system/platform-specific and organization-specific conditions, optimizing the procedures for efficiency, and addressing the potential for unexpected events impacting the assessment, the assessment plan is finalized and the schedule is established including key milestones for the assessment process. Once the security assessment plan is completed, the plan is reviewed and approved by appropriate organizational officials to ensure that the plan is complete, consistent with the security objectives of the organization and the organization's assessment of risk, and cost-effective with regard to the resources allocated for the assessment.
3.3 CONDUCTING SECURITY CONTROL ASSESSMENTS
After the security assessment plan is approved by the organization, the assessor or assessment team executes the plan in accordance with the agreed-upon schedule. Determining the size and organizational makeup of the security assessment team (i.e., skill sets, technical expertise, and assessment experience of the individuals composing the team) is part of the risk management decisions made by the organization requesting and initiating the assessment.
The output and end result of the security control assessment is the security assessment report, which documents the assurance case for the information system and is one of three key documents in the security authorization package developed by information system owners and common control providers for authorizing officials. The security assessment report includes information from the assessor (in the form of assessment findings) necessary to determine the effectiveness of the security controls employed within or inherited by the information system. The security assessment report is an important factor in an authorizing official's determination of risk. Organizations may choose to develop an assessment summary from the detailed findings that are generated by the assessor during the security control assessment. An assessment summary can provide an authorizing official with an abbreviated version of the security assessment report focusing on the highlights of the assessment, a synopsis of key findings, and/or recommendations for addressing weaknesses and deficiencies in the security controls. Appendix G provides additional information on the recommended content of security assessment reports.
Assessment objectives are achieved by applying the designated assessment methods to selected assessment objects and compiling/producing the evidence necessary to make the determination associated with each assessment objective. Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). A finding of satisfied indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met producing a fully acceptable result. A finding of other than satisfied indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization. A finding of other than satisfied may also indicate that for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement. For assessment findings that are other than satisfied, organizations may choose to define subcategories of findings indicating the severity and/or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Defining such subcategories can help to establish priorities for needed risk mitigation actions.
Assessor findings are an unbiased, factual reporting of what was found concerning the security control assessed. For each finding of other than satisfied, assessors indicate which parts of the security control are affected by the finding (i.e., aspects of the control that were deemed not satisfied or were not able to be assessed) and describe how the control differs from the planned or expected state. The potential for compromises to confidentiality, integrity, and availability due to other than satisfied findings is also noted by the assessor in the security assessment report. This notation reflects the lack of a needed protection and the degree of potential exploitation that could occur as a result (i.e., workstation, dataset, root-level access). Risk determination and acceptance activities are conducted by the organization post-assessment as part of the risk management strategy established by the organization. These risk management activities involve the senior leadership of the organization, including, for example, heads of agencies, mission/business owners, information owners/stewards, risk executive (function), and authorizing officials, in consultation with appropriate organizational support staff (e.g., senior information security officers, chief information officers, information system owners, common control providers, and assessors). Security control assessment results are documented at the level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational policy, NIST guidelines, and OMB policy. The reporting format is appropriate for the type of security control assessment conducted (e.g., self-assessments by information system owners and common control providers, independent verification and validation, independent assessments supporting the security authorization process, or independent audits or inspections).
Information system owners and common control providers rely on the security expertise and the technical judgment of assessors to: (i) assess the security controls in the information system and inherited by the system; and (ii) provide recommendations on how to correct weaknesses or deficiencies in the controls and reduce or eliminate identified vulnerabilities. The assessment results produced by the assessor (i.e., findings of satisfied or other than satisfied, identification of the parts of the security control that did not produce a satisfactory result, and a description of resulting potential for compromises to the information system or its environment of operation) are provided to information system owners and common control providers in the initial security assessment report. System owners and common control providers may choose to act on selected recommendations of the assessor before the security assessment report is finalized if there are specific opportunities to correct weaknesses or deficiencies in security controls or to correct and/or clarify misunderstandings or interpretations of assessment results. Security controls that are modified, enhanced, or added during this process are reassessed by the assessor prior to the production of the final security assessment report.
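As an added illustration (not code from the publication), the following Python rolls per-determination-statement findings of S or O up into a per-control status, lists the affected parts of each control, and orders the other-than-satisfied findings by an organization-defined severity subcategory for an assessment summary; the control identifiers, statement identifiers, severity labels and findings are constructed sample data.

```python
"""Roll up SP 800-53A-style findings (S / O per determination statement)
into per-control status and an abbreviated assessment summary.
Added example; ids, severity labels and findings are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Organization-defined subcategories for other-than-satisfied findings
# (constructed; the publication leaves the subcategories to the organization).
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass
class Finding:
    control: str        # control id, e.g. "AC-2" (sample)
    statement: str      # determination statement id (constructed naming)
    result: str         # "S" = satisfied, "O" = other than satisfied
    severity: str = ""  # subcategory, meaningful only when result == "O"
    note: str = ""      # how the control differs from the expected state


def control_status(findings: List[Finding]) -> Dict[str, str]:
    """A control is 'S' only if every determination statement is satisfied."""
    status: Dict[str, str] = {}
    for f in findings:
        if f.result not in ("S", "O"):
            raise ValueError(f"unknown finding {f.result!r} for {f.statement}")
        if f.result == "O":
            status[f.control] = "O"
        else:
            status.setdefault(f.control, "S")
    return status


def affected_parts(findings: List[Finding]) -> Dict[str, List[str]]:
    """For each other-than-satisfied control, the statements that failed."""
    parts: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.result == "O":
            parts[f.control].append(f.statement)
    return dict(parts)


def summary(findings: List[Finding]) -> List[str]:
    """Summary lines: O findings ordered by severity, then control id."""
    unsat = [f for f in findings if f.result == "O"]
    unrated = len(SEVERITY_RANK)  # unknown/blank severity sorts last
    unsat.sort(key=lambda f: (SEVERITY_RANK.get(f.severity, unrated),
                              f.control, f.statement))
    return [f"{f.severity.upper() or 'UNRATED'} {f.control} "
            f"[{f.statement}]: {f.note}" for f in unsat]


SAMPLE = [  # constructed sample findings, not from any real assessment
    Finding("AC-2", "AC-2(a).1", "S"),
    Finding("AC-2", "AC-2(d).1", "O", "high", "account reviews not performed"),
    Finding("AU-6", "AU-6(a).1", "O", "low", "review frequency not defined"),
    Finding("IA-5", "IA-5(c).1", "O", "critical", "unable to obtain evidence"),
    Finding("CM-6", "CM-6(a).1", "S"),
]
```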
3.4 ANALYZING SECURITY ASSESSMENT REPORT RESULTS
Since results of the security control assessment ultimately influence the content of the security plan and the plan of action and milestones, information system owners and common control providers review the security assessment report and the updated risk assessment and, with the concurrence of designated organizational officials (e.g., authorizing officials, chief information officer, senior information security officer, mission/information owners), determine the appropriate steps required to correct weaknesses and deficiencies identified during the assessment. By using the labels of satisfied and other than satisfied, the reporting format for the assessment findings provides visibility for organizational officials into specific weaknesses and deficiencies in security controls within the information system or inherited by the system and facilitates a disciplined and structured approach to mitigating risks in accordance with organizational priorities. For example, information system owners or common control providers, in consultation with designated organizational officials, may decide that certain assessment findings marked as other than satisfied are of an inconsequential nature and present no significant risk to the organization. Conversely, system owners or common control providers may decide that certain findings marked as other than satisfied are significant, requiring immediate remediation actions. In all cases, the organization reviews each assessor finding of other than satisfied and applies its judgment with regard to the severity or seriousness of the finding and whether the finding is significant enough to be worthy of further investigation or remedial action.
Senior leadership involvement in the mitigation process may be necessary in order to ensure that the organization's resources are effectively allocated in accordance with organizational priorities, providing resources first to the information systems that are supporting the most critical and sensitive missions for the organization or correcting the deficiencies that pose the greatest degree of risk. Ultimately, the security control assessment findings and any subsequent mitigation actions (informed by the updated risk assessment) initiated by information system owners or common control providers in collaboration with designated organizational officials trigger updates to the key documents used by authorizing officials to determine the security status of the information system and its suitability for authorization to operate. These documents include the security plan with updated risk assessment, the security assessment report, and the plan of action and milestones.
Figure 2 provides an overview of the security control assessment process including the activities carried out during pre-assessment, assessment, and post-assessment.
- 24 Actions to be accomplished in the execution of the RMF prior to the assess security controls step include: (i) categorizing the information system and developing a security plan that includes the selection of security controls for the system; (ii) assessing this plan for completeness, correctness, and compliance with federal and organizational requirements; (iii) appropriate organizational officials approving the plan; and (iv) implementing the security controls called out in the plan. The security plan assessment represents, along with verification that appropriate officials have approved the plan, the assessment of security control PL-2. The assessment of security control PL-2 provides key information to be used by authorizing officials in their determination of whether or not to approve the security plan, and hence represents assessment activity that is completed prior to the formal security control assessment step in the RMF.
- 25 Security control assessments include common controls that are the responsibility of organizational entities other than the information system owner inheriting the controls or hybrid controls where there is shared responsibility among the system owner and designated organizational entities.
- 26 Typically, these individuals include authorizing officials, information system owners, common control providers, mission and information owners/stewards (if other than the information system owner), chief information officers, senior information security officers, Inspectors General, information system security officers, users from organizations that the information system supports, and assessors.
- 27 Information system owners and organizational entities developing, implementing, and/or administering common controls (i.e., common control providers) are responsible for providing needed information to assessors.
- 28 In situations where there are multiple security assessments ongoing or planned within an organization, access to organizational elements, individuals, and artifacts supporting the assessments is centrally managed by the organization to ensure a cost-effective use of time and resources.
- 29 Partial assessments of security controls can be conducted in the initial phases of the system development life cycle to promote early detection of weaknesses and deficiencies and a more cost-effective approach to risk mitigation.
- 30 Special Publication 800-37 provides guidance on continuous monitoring as part of the risk management process.
- 31 The selection of assessment methods and objects (including the number and type of assessment objects) can be a significant factor in cost-effectively meeting the assessment objectives.
- 32 Common controls support multiple information systems within the organization and the protection measures provided by those controls are inherited by the individual systems. Therefore, the organization determines the appropriate set of common controls to ensure that both the strength of the controls (i.e., security capability) and level of rigor and intensity of the control assessments are commensurate with the criticality and/or sensitivity of the individual information systems inheriting those controls.
- 33 If assessment results are not currently available for the common controls, the assessment plans for the information systems under assessment that depend on those controls are duly noted. The assessments cannot be considered complete until the assessment results for the common controls are made available to information system owners.
- 34 An external information system is an information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. Special Publications 800-37 and 800-53 provide additional guidance on external information systems and the effect of employing security controls in those types of environments.
- 35 Security control assessment sequencing is also addressed in the assessment cases described in Appendix I.
- 36 Organizations establish a security assessment plan approval process with the specific organizational officials (e.g., information system owners, common control providers, information system security officers, senior information security officers, authorizing officials) designated as approving authorities.
- 37 In accordance with Special Publication 800-37, the security authorization package consists of the security plan (including the risk assessment), the security assessment report, and the plan of action and milestones (POAM).
- 38 The correction of weaknesses or deficiencies in security controls, or the carrying out of selected recommendations, during the review of the initial security assessment report by information system owners or common control providers is not intended to replace the formal risk mitigation process of the organization, which occurs after the delivery of the final report. Rather, it provides the information system owner or common control provider with an opportunity to address weaknesses or deficiencies that may be quickly corrected. However, in situations where limited resources exist for remediating weaknesses and deficiencies discovered during the security control assessment, organizations may decide without prejudice that waiting for the risk assessment to prioritize remediation efforts is the better course of action.