NIST SP 800-53A Appendix E

From FISMApedia

APPENDIX E

ASSESSMENT EXPECTATIONS

EXPECTATIONS OF SECURITY CONTROL ASSESSMENTS BY IMPACT LEVEL

The following section establishes the expectations for security control assessments based on the assurance requirements defined in NIST Special Publication 800-53. The assessment expectations provide assessors with important reference points for the level of assurance (i.e., grounds for confidence) needed for the determination of security control effectiveness. The use of bolded text in the assurance requirements and assessment objectives in this section indicates additions to the requirements and objectives that appear for the first time at a particular information system impact level.


LOW-IMPACT INFORMATION SYSTEMS

Assurance Requirement: The security control is in effect and meets explicitly identified functional requirements in the control statement.

Supplemental Guidance: For security controls in low-impact information systems, the focus is on the controls being in place with the expectation that no obvious errors exist and that, as flaws are discovered, they are addressed in a timely manner.

Assessment Expectations: Interviews, examinations, and tests are conducted at a level of depth and coverage sufficient to demonstrate that the security control is implemented and free of obvious errors. [1]

Assessment Objectives:

For specifications:

  • Determine if the specification exists.
  • Determine if the specification, as written, has no obvious inconsistencies with the functional requirements in the security control and no obvious internal errors.

For mechanisms:

  • Determine if the mechanism is implemented and operational.
  • Determine if the mechanism, as implemented, has no obvious inconsistencies with the functional requirements in the security control and no obvious implementation errors.

For activities:

  • Determine if the activity is being performed.
  • Determine if the activity, as performed, has no obvious inconsistencies with the functional requirements in the security control and no obvious execution errors.


MODERATE-IMPACT INFORMATION SYSTEMS

Assurance Requirement: The security control is in effect and meets explicitly identified functional requirements in the control statement. The control developer/implementer provides a description of the functional properties of the control with sufficient detail to permit analysis and testing of the control. The control developer/implementer includes as an integral part of the control, assigned responsibilities and specific actions supporting increased confidence that when the control is implemented, it will meet its required function or purpose. These actions include, for example, requiring the development of records with structure and content suitable to facilitate making this determination.

Supplemental Guidance: For security controls in moderate-impact information systems, the focus is on actions supporting increased confidence in the correct implementation and operation of the control. While flaws are still likely to be uncovered (and addressed expeditiously), the control developer/implementer incorporates, as part of the control, specific capabilities and produces specific documentation supporting increased confidence that the control meets its required function or purpose. This documentation is also needed by assessors to analyze and test the functional properties of the control as part of the overall assessment of the control.

Assessment Expectations: Interviews, examinations, and tests are conducted at a level of depth and coverage sufficient to demonstrate that the security control is implemented and free of obvious errors, and that there are increased grounds for confidence that the security control is implemented correctly and operating as intended. [2]

Assessment Objectives:

For specifications:

  • Determine if the specification exists.
  • Determine if the specification, as written, has no obvious inconsistencies with the functional requirements in the security control and no obvious internal errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the specification is complete, internally consistent, correct, and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the application or use of the specification.

For mechanisms:

  • Determine if the mechanism is implemented and operational.
  • Determine if the mechanism, as implemented, has no obvious inconsistencies with the functional requirements in the security control and no obvious implementation errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the mechanism is implemented correctly, operating as intended, and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the implementation or operation of the mechanism.

For activities:

  • Determine if the activity is being performed.
  • Determine if the activity, as performed, has no obvious inconsistencies with the functional requirements in the security control and no obvious execution errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the activity is being performed correctly and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the conduct or execution of the activity.


HIGH-IMPACT INFORMATION SYSTEMS

Assurance Requirement: The security control is in effect and meets explicitly identified functional requirements in the control statement. The control developer/implementer provides a description of the functional properties and design/implementation of the control with sufficient detail to permit analysis and testing of the control (including functional interfaces among control components). The control developer/implementer includes as an integral part of the control, assigned responsibilities and specific actions supporting increased confidence that when the control is implemented, it will continuously and consistently (i.e., across the information system) meet its required function or purpose and support improvement in the effectiveness of the control. These actions include, for example, requiring the development of records with structure and content suitable to facilitate making this determination.

Supplemental Guidance: For security controls in high-impact information systems, the focus is expanded to require, within the control, the capabilities that are needed to support ongoing consistent operation of the control and continuous improvement in the control's effectiveness. The developer/implementer is expected to expend significant effort on the design, development, implementation, and component/integration testing of the controls and to produce associated design and implementation documentation to support these activities. This documentation is also needed by assessors to analyze and test the internal components of the control as part of the overall assessment of the control.

Assessment Expectations: Interviews, examinations, and tests are conducted at a level of depth and coverage sufficient to demonstrate that the security control is implemented and free of obvious errors and that there are further increased grounds for confidence that the security control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control. [3]

Assessment Objectives:

For specifications:

  • Determine if the specification exists.
  • Determine if the specification, as written, has no obvious inconsistencies with the functional requirements in the security control and no obvious internal errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the specification is complete, internally consistent, correct, and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the application or use of the specification.
  • Determine if the organization applies the specification consistently across the information system.
  • Determine if the organization supports improvement in the effectiveness of the specification by taking specific actions to correct identified deficiencies.

For mechanisms:

  • Determine if the mechanism is implemented and operational.
  • Determine if the mechanism, as implemented, has no obvious inconsistencies with the functional requirements in the security control and no obvious implementation errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the mechanism is implemented correctly, operating as intended, and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the implementation or operation of the mechanism.
  • Determine if the organization implements the mechanism consistently across the information system.
  • Determine if the organization supports improvement in the effectiveness of the mechanism by taking specific actions to correct identified deficiencies.

For activities:

  • Determine if the activity is being performed.
  • Determine if the activity, as performed, has no obvious inconsistencies with the functional requirements in the security control and no obvious execution errors.
  • Determine if the organization provides an assignment of responsibilities, specific actions, and appropriate documentation to support increased grounds for confidence that the activity is being performed correctly and meets its required function or purpose.
  • Determine if the organization identifies and documents anomalies or problems with the conduct or execution of the activity.
  • Determine if the organization performs the activity consistently across the information system.
  • Determine if the organization supports improvement in the effectiveness of the activity by taking specific actions to correct identified deficiencies.

ADDITIONAL REQUIREMENTS TO SUPPLEMENT MODERATE- AND HIGH-IMPACT INFORMATION SYSTEMS

Assurance Requirement: The security control is in effect and meets explicitly identified functional requirements in the control statement. The control developer/implementer provides a description of the functional properties and design/implementation of the control with sufficient detail to permit analysis and testing of the control. The control developer/implementer includes as an integral part of the control, actions supporting increased confidence that when the control is implemented, it will continuously and consistently (i.e., across the information system) meet its required function or purpose and support improvement in the effectiveness of the control. These actions include requiring the development of records with structure and content suitable to facilitate making this determination. The control is developed in a manner that supports a high degree of confidence that the control is complete, consistent, and correct.

Supplemental Guidance: The additional high assurance requirements are intended to supplement the minimum assurance requirements for the moderate and high baselines, when appropriate, in order to protect against threats from highly skilled, highly motivated, and well-financed threat agents. This level of protection is necessary for those information systems where the organization is not willing to accept the risks associated with the type of threat agents cited above.

Table E-1 provides a summary of the assessment expectations for low-impact, moderate-impact, and high-impact information systems.

TABLE E-1: ASSESSMENT EXPECTATIONS BY INFORMATION SYSTEM IMPACT LEVEL

Information System Impact Level: LOW
Assessment Expectations: Security controls are in place with no obvious errors.

Information System Impact Level: MODERATE
Assessment Expectations: Increased grounds for confidence that the security controls are implemented correctly and operating as intended.

Information System Impact Level: HIGH
Assessment Expectations: Further increased grounds for confidence that the security controls are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

Information System Impact Level: Beyond minimum recommendations of NIST Special Publication 800-53A (for environments with specific and credible threat information indicating sophisticated, well-resourced threat agents and possible attacks against high-value targets)
Assessment Expectations: Grounds for a high degree of confidence that the security controls are complete, consistent, and correct.


Footnotes

  1. To define an appropriate level of rigor and intensity for low-impact information system assessments sufficient to achieve the stated assessment expectations, organizations should consider starting with depth and coverage attribute values of generalized and representative, respectively, for assessment methods employed (see Appendix D).
  2. To define an appropriate level of rigor and intensity for moderate-impact information system assessments sufficient to achieve the stated assessment expectations, organizations should consider a range of depth and coverage attribute values for assessment methods employed (see Appendix D) up to and including focused and specific, respectively.
  3. To define an appropriate level of rigor and intensity for high-impact information system assessments sufficient to achieve the stated assessment expectations, organizations should consider a range of depth and coverage attribute values for assessment methods employed (see Appendix D) up to and including detailed and comprehensive, respectively.