NIST SP 800-53A Appendix I
APPENDIX G
SECURITY ASSESSMENT REPORTS
DOCUMENTING THE FINDINGS FROM SECURITY CONTROL ASSESSMENTS
The primary purpose of the security assessment report is to convey the results of the security assessment to appropriate organizational officials. [1] The security assessment report provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any weaknesses or deficiencies in the security controls. [2] This appendix provides a template for reporting the results from security control assessments. Organizations are not restricted to the specific template format; however, it is anticipated that the overall report of an assessment will include information similar to that detailed in the template for each security control assessed, preceded by a summary listing all security controls assessed and the overall status of each control.
Key Elements for Assessment Reporting
The following elements should be included in security assessment reports:
- Information System Name and Impact Level
- Site(s) Assessed and Assessment Date(s)
- Security Control or Control Enhancement and Associated Supplemental Guidance
- For Each Assessment Objective (determination statements):
  - Assessment Methods and Objects
  - Assessment Finding Summary (indicating satisfied or other than satisfied)
  - Assessor Comments (weaknesses or deficiencies noted)
  - Assessor Recommendations (remediation, corrective actions, or improvements)
The Assessment Findings
Each determination statement executed by an assessor results in one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). Consider the following example for security control CP-1. The assessment procedure for CP-1 consists of two assessment objectives denoted CP-1.1 and CP-1.2. The assessor initially executes CP-1.1 and produces the following findings:
CP-1.1 | ASSESSMENT OBJECTIVE: Determine if:
- (i) the organization develops and documents contingency planning policy and procedures; (S)
- (ii) the organization disseminates contingency planning policy and procedures to appropriate elements within the organization; (O)
- (iii) responsible parties within the organization periodically review contingency planning policy and procedures; and (S)
- (iv) the organization updates contingency planning policy and procedures when organizational review indicates updates are required. (O)
Comments and Recommendations: CP-1.1(ii) is marked as other than satisfied because there was insufficient evidence to determine whether two of the ten organizational elements on the distribution list for the contingency planning policy and procedures had actually received them: (i) the organization physical security office; and (ii) the organization finance and accounting office. Straightforward remediation action is recommended: provide the necessary documentation to the two organizational elements that did not receive the policy and procedures. CP-1.1(iv) is marked as other than satisfied because over fifty percent of the contingency planning policy and procedure documents identified as requiring updates had not in fact been updated. Significant remediation action is recommended to correct clear process deficiencies.
In a similar manner, the assessor executes CP-1.2 and produces the following findings:
CP-1.2 | ASSESSMENT OBJECTIVE: Determine if:
- (i) the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance; (S)
- (ii) the contingency planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and (S)
- (iii) the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls. (O)
Comments and Recommendations: CP-1.2(iii) is marked as other than satisfied because the assessment team could not make a determination. The entire suite of updated contingency planning procedures (identified in the CP-1.1(iv) finding) was unavailable and, therefore, the sufficiency of contingency planning policy coverage could not be determined. Further investigation is needed.
During an actual security control assessment, the assessment findings, comments, and recommendations would be documented on the Security Assessment Reporting Form provided in this appendix.
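The per-determination S/O findings above roll up into the control-level summary that the appendix says should precede the detailed report. This is an added example, not text or code from SP 800-53A: it encodes the CP-1 findings above as data, enforces that every O finding carries assessor comments, and assumes (as a modelling choice, not a rule stated in the appendix) that a control is other than satisfied whenever any of its determinations is O.

```python
"""Roll up per-determination S/O findings into the per-control summary this
appendix calls for. Added example, not from SP 800-53A; the roll-up rule
(any O determination makes the whole control O) is an assumption."""
from dataclasses import dataclass, field
SATISFIED, OTHER = "S", "O"

@dataclass
class Determination:
    label: str          # e.g. "(ii)", as numbered in the assessment objective
    finding: str        # "S" or "O"
    comment: str = ""   # weakness or deficiency noted; required when finding is "O"
    def __post_init__(self):
        # The form requires assessor comments for every other-than-satisfied finding.
        if self.finding not in (SATISFIED, OTHER) or (self.finding == OTHER and not self.comment):
            raise ValueError(f"{self.label}: finding must be S, or O with assessor comments")

@dataclass
class Objective:
    ident: str          # e.g. "CP-1.1"
    determinations: list = field(default_factory=list)
    def open_items(self):
        # Determinations found other than satisfied, e.g. "CP-1.1(ii)".
        return [self.ident + d.label for d in self.determinations if d.finding == OTHER]

def control_status(objectives):
    # "S" only when every determination of every objective is satisfied.
    return OTHER if any(o.open_items() for o in objectives) else SATISFIED

def summary(controls):
    # One line per control, for the summary list that precedes the detailed report.
    out = []
    for cid, objs in controls.items():
        total = sum(len(o.determinations) for o in objs)
        opened = sum(len(o.open_items()) for o in objs)
        status = "other than satisfied" if control_status(objs) == OTHER else "satisfied"
        out.append(f"{cid}: {status} ({opened} of {total} determinations O)")
    return out
# Constructed from the CP-1 example in this appendix (assessor comments abbreviated).
CP_1 = [
    Objective("CP-1.1", [
        Determination("(i)", "S"),
        Determination("(ii)", "O", "no evidence two of ten listed elements received the policy"),
        Determination("(iii)", "S"),
        Determination("(iv)", "O", "over half of documents needing updates were not updated"),
    ]),
    Objective("CP-1.2", [
        Determination("(i)", "S"), Determination("(ii)", "S"),
        Determination("(iii)", "O", "updated procedures unavailable; determination not possible"),
    ]),
]
```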
Sample Security Assessment Reporting Form
To help organizations collect, organize, and report the findings of individual security control assessments for the information system, a sample reporting form is provided below. This sample reporting form is illustrative and is intended to be used for each security control and control enhancement included in the security control assessment. The form is not intended to limit the flexibility of organizations in determining the most appropriate presentation of assessment findings for the purposes of a given security control assessment.
SAMPLE SECURITY ASSESSMENT REPORTING FORM
SECTION I: INFORMATION SYSTEM AND ASSESSMENT INFORMATION
- Information System Name: | Impact Level: Low, Moderate, High
- Site(s) Assessed: | Assessment Date(s):
SECTION II: SECURITY CONTROL INFORMATION
- Security Control or Control Enhancement: Insert text from the security control or control enhancement being assessed, as stated in, or as referenced by, the approved system security plan.
- Supplemental Guidance Associated with Security Control or Control Enhancement: Insert text from the supplemental guidance for the security control or control enhancement being assessed, as stated in, or as referenced by, the approved system security plan.
SECTION III: ASSESSMENT FINDINGS
- Assessment Objective: Identify the assessment objective (e.g., CP-1.1, associated with the security control or control enhancement described above).
- Determination Statements: Restate below the determinations from the assessment objective, as tailored for this security control assessment (e.g., including organization-specific information, where appropriate), and record a Finding (S/O) beside each.
  - Determination Statement | Finding (S/O):
  - Determination Statement | Finding (S/O):
  - Determination Statement | Finding (S/O):
  - Determination Statement | Finding (S/O):
- Assessment Methods and Objects: Identify the assessment methods and assessment objects as tailored for this assessment (e.g., the specific version of a specification examined and the nature of the examination performed).
SECTION IV: ASSESSOR COMMENTS AND RECOMMENDATIONS
- Assessor Comments: Explain the weaknesses or deficiencies noted for each finding of other than satisfied. Comments may also be included in this section regarding the evidence used to support findings of satisfied.
- Assessor Recommendations: Recommendations for remediation, corrective actions, or improvements in security control implementation or operation.
Footnotes
[1] The security assessment report is included in the security accreditation package along with the information system security plan (including updated risk assessment), and the plan of action and milestones to provide authorizing officials with the information necessary to make credible, risk-based decisions on whether to place an information system into operation or continue its operation. As the security certification and accreditation process becomes more dynamic in nature, relying to a greater degree on the continuous monitoring aspects of the process as an integrated and tightly coupled part of the system development life cycle, the ability to update the security assessment report frequently becomes a critical aspect of an information security program. It is important to emphasize the relationship, described in NIST Special Publication 800-37, among the three key documents in the accreditation package (i.e., the system security plan including risk assessment, the security assessment report, and the plan of action and milestones). It is these documents that provide the best indication of the overall security status of the information system and the ability of the system to protect, to the degree necessary, the organization's operations and assets, individuals, other organizations, and the Nation. Updates to these key documents should be provided on an ongoing basis in accordance with the continuous monitoring program established by the organization.
[2] While the rationale for each determination made is a part of the formal Security Assessment Report, the complete set of records produced as a part of the assessment is likely not included in the report. However, organizations should retain the portion of these records necessary for maintaining an audit trail of assessment evidence, facilitating reuse of evidence as appropriate, and promoting repeatability of assessor actions.