NIST SP 800-53A Appendix J

From FISMApedia

APPENDIX J

ASSESSMENT CASES

WORKED EXAMPLES OF ASSESSOR ACTIONS DERIVED FROM ASSESSMENT PROCEDURES

To provide assessors with additional tools and techniques for implementing the assessment procedures in Appendix F, NIST initiated the Assessment Case Development Project.[1] The purpose of the project is threefold: (i) actively engage experienced assessors from multiple organizations in recommending assessment cases that describe specific assessor actions to implement the assessment procedures in Appendix F; (ii) provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in Appendix F; and (iii) provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the security control assessment process for more consistent, effective, and cost-effective security assessments of federal information systems. The assessment case development process is described in this appendix and several examples of assessment cases are provided.


Assessment Case Description and Template

The concept of assessment cases emerged during the development process of NIST Special Publication 800-53A. Some organizations prefer the flexibility offered by the generalized assessment procedures in Appendix F, with the opportunity to tailor the procedures for specific organizational requirements and operational environments and to create specific assessor actions and activities for a particular security assessment. Other organizations prefer a more prescriptive approach and desire, to the greatest extent possible, a predefined set of specific assessor actions and activities needed to successfully carry out a security assessment. To facilitate the specificity of the latter approach while maintaining the flexibility of the former approach, assessment cases have been developed for all assessment procedures in Appendix F of this document.

An assessment case represents a worked example of an assessment procedure, identifying the specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system. There is one assessment case per control, covering all assessment objectives from the assessment procedure in Appendix F for that control (both base control and all enhancements). The assessment case provides an example by experienced assessors of a potential set of specific assessor action steps to accomplish the assessment that were developed with consideration for the list of potential assessment methods and objects, along with impact-level designations, and incorporating the level of coverage and depth to be applied and the specific purpose to be achieved by each assessor action. This additional level of detail in the assessment cases provides assessors with more prescriptive assessment information. Yet, while being more prescriptive, the assessment cases are not intended to restrict assessor flexibility provided as part of the design principles in NIST Special Publication 800-53A. The assessor remains responsible for making the specified determinations and for providing adequate rationale for the determinations made.

The following template is used to create the specific assessment cases for the assessment procedures in Appendix F.



ASSESSMENT CASE

AA-N Security Control Name

ASSESSMENT – Base Control, Part 1 of x (where x is the number of assessment objectives)

Assessment Information from Special Publication 800-53A
  This section contains the determinations and potential assessment methods and objects from NIST Special Publication 800-53A, with a separate row for each unique determination. The number in the left-hand column uniquely identifies each determination and is used to link the assessor action steps below to the determinations.

  AA-N.1    Determine if:
  AA-N.1.1  (i) <determination statement 1>.
  ...       ...
  AA-N.1.n  (n) <determination statement n>.

  POTENTIAL ASSESSMENT METHODS AND OBJECTS:
    Examine:   [SELECT FROM: <object-list>].
    Interview: [SELECT FROM: <object-list>].
    Test:      [SELECT FROM: <object-list>].

Additional Assessment Case Information
  This section contains the additional information provided by the assessment case to help the assessor in planning and conducting the security control assessment.

  POTENTIAL ASSESSMENT SEQUENCING:
    PRECURSOR CONTROLS:  <security-control-list>
    CONCURRENT CONTROLS: <security-control-list>
    SUCCESSOR CONTROLS:  <security-control-list>
  This section provides some initial suggestions with regard to sequencing of assessor actions for greater efficiency. Precursor controls are those controls whose assessment is likely to provide information either assisting in, or required for, the assessment of this control. Concurrent controls are those controls whose assessment is likely to require the assessor to assess similar objects, so the assessor may be able to obtain evidence for multiple control assessments at the same time. Successor controls are those controls whose assessment will likely need, or benefit from, information obtained from the assessment of this control.

  Action Step | Applicability | Potential Assessor Evidence Gathering Actions
    Action Step: each step is numbered to align with a specific determination statement above.
    Applicability: recommended applicability based on the impact level of the system under assessment.
    Potential Assessor Evidence Gathering Actions: the suggested assessor action (Examine, Interview, or Test) is identified, along with a likely set of objects to which that action would be applied. As the title of this column indicates, an individual action step does not necessarily result in a determination. Rather, the set of assessor action steps aligned with a specific determination above collectively provides the evidence necessary to make that determination.

  AA-N.1.1.1  [L M H]  [<Assessment Method> <Assessment Object(s)>]
  ...         ...      ...
  AA-N.1.1.m  [L M H]  [<Assessment Method> <Assessment Object(s)>]

Legend
  AA: Alphanumeric characters representing the security control family in NIST Special Publication 800-53.
  N:  Numeric character representing the security control number within the family of controls.
  n:  Number of determination statements in the assessment objective.
  m:  Number of action steps associated with a specific determination statement.


Cautionary Note

The assessment cases developed for this project are not the only acceptable assessment cases; rather, the cases represent one possible set of assessor actions for organizations (and assessors supporting those organizations) to use in helping to determine the effectiveness of the security controls employed within the information systems undergoing assessment. The following assessment procedure for security control AC-3 illustrates how assessment cases are developed from the template above. The assessment cases, and any ongoing updates to the cases, will be published regularly on the FISMA Implementation Project web site at http://csrc.nist.gov/sec-cert.


ASSESSMENT CASE EXAMPLE


ASSESSMENT CASE
  
AC-3 Access Enforcement
  
ASSESSMENT – Base Control, Part 1 of 1
Assessment Information from Special Publication 800-53A
AC-3.1 Determine if:
AC-3.1.1 (i) the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
AC-3.1.2 (ii) user privileges on the information system are consistent with the documented user authorizations.
   POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of assigned authorizations (user privileges); information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (M) (H)
Additional Assessment Case Information
   POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: AC-1, AC-2, AC-4, AC-5, AC-6, AU-9, CM-5, CM-6, MA-5, MA-3(4), MA-4, SA-7, SI-9.
CONCURRENT CONTROLS: MP-2.
SUCCESSOR CONTROLS: NONE.
Action Step Applicability Potential Assessor Evidence Gathering Actions
General note to assessor for AC-3:
The focus of this control is the information system having mechanisms that: (i) have the capability to enforce access authorizations (access restrictions); and (ii) are configured in compliance with the intended user authorizations (assigned authorizations).
AC-3.1.1 cannot receive a satisfied determination unless AC-3.1.2 is also satisfied. In the context of this assessment case, “assigned authorizations” is synonymous with “applicable policy”.
Documented user (and process) authorizations may also be found in concurrent controls.
AC-3.1.1.1  [L M H]  Examine access control policy, procedures addressing access enforcement, information system design documentation, information system security plan, or other relevant documents; reviewing for the mechanisms to be employed to enforce assigned authorizations for controlling access to the system. Note to Assessor: This assessor action is to identify the mechanisms that should exist and the parameters the mechanisms should enforce; not to assess the validity of assigned authorizations.
AC-3.1.1.2  [L M H]  Examine an agreed-upon, representative sample of mechanisms identified in AC-3.1.1.1; inspecting for indication that the mechanisms identified in AC-3.1.1.1 are employed.
AC-3.1.2.1  [L M H]  Examine an agreed-upon, representative sample of information system configuration settings for the sample of mechanisms examined in AC-3.1.1.2; reviewing to verify that the user privileges on the information system are consistent with the documented user authorizations.
AC-3.1.2.2  [M H]    Test the sample of automated mechanisms identified in AC-3.1.1.2; conducting generalized testing to verify that the user privileges on the information system are consistent with the documented user authorizations.
Note to Assessor: It is recommended that assessor action step AC-3(1).1.3.2 is executed concurrently with this assessor action for efficiency.
  
ASSESSMENT – Control Enhancement 1
Assessment Information from Special Publication 800-53A
AC-3(1).1 Determine if:
AC-3(1).1.1 (i) the organization explicitly defines privileged functions and security-relevant information for the information system.
AC-3(1).1.2 (ii) the organization explicitly authorizes personnel access to privileged functions and security-relevant information in accordance with organizational policy.
AC-3(1).1.3 (iii) the information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel (e.g., security administrators).
   POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; list of privileged functions and security relevant information; information system configuration settings and associated documentation; list of assigned authorizations (user privileges); information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (H)
Additional Assessment Case Information
   POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: NONE.
CONCURRENT CONTROLS: NONE.
SUCCESSOR CONTROLS: NONE.
Action Step Applicability Potential Assessor Evidence Gathering Actions
AC-3(1).1.1.1  [M H]  Examine organization access control policy, procedures addressing access enforcement, list of privileged functions and security-relevant information, information system security plan, or other relevant documents; reviewing for the identification of privileged functions and security-relevant information for the information system.
Note to Assessor: Privileged functions include system control, monitoring, or administration functions.
AC-3(1).1.2.1  [M H]  Examine an agreed-upon, representative sample of access authorization documentation; reviewing for the explicit authorizations to the functions and information identified in AC-3(1).1.1.1.
AC-3(1).1.3.1  [M H]  Examine an agreed-upon, representative sample of information system settings related to access control; reviewing for indication that the information system is configured to enforce the authorizations identified in AC-3(1).1.2.1.
Note to Assessor: Examples of settings related to access control are: contents of access control lists, privileges associated with roles, assignment of users to roles, assignment of privileges to user accounts, etc.
AC-3(1).1.3.2  [H]    Test an agreed-upon, representative sample of automated mechanisms implementing the access enforcement policy for privileged users and security-relevant information; conducting generalized testing to verify that access to the privileged functions and security-relevant information identified in AC-3(1).1.1.1 is restricted in accordance with the authorizations identified in AC-3(1).1.2.1.
Note to Assessor: It is recommended that assessor action step AC-3.1.2.2 is executed concurrently with this assessor action for efficiency.
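The evidence reconciliation behind action steps AC-3.1.2.1, AC-3.1.2.2 and AC-3(1).1.3.1, as an added Python example that is not part of NIST SP 800-53A or the Assessment Case Development Project's material: from constructed role definitions, user-to-role assignments and direct ACL grants it derives the privileges each user effectively holds, compares them with the documented list of assigned authorizations, and flags privileged functions held by anyone not explicitly authorized. All users, roles, privileges and function names are constructed sample data.

```python
"""Added example, not from SP 800-53A: reconcile configured privileges against
documented authorizations (AC-3.1.2) and explicit privileged-function
authorizations (AC-3(1).1.3). All data below is constructed sample evidence."""
from collections import defaultdict

# Constructed "information system configuration settings": role privileges,
# user-to-role assignments and direct ACL grants outside any role.
CONFIG = {
    "roles": {"operator": {"read_logs", "restart_service"},
              "secadmin": {"read_logs", "audit_config", "user_admin"}},
    "user_roles": {"alice": {"secadmin"}, "bob": {"operator"}, "carol": {"operator"}},
    "acl_grants": {"carol": {"audit_config"}},   # direct grant, no role involved
}
# Constructed "list of assigned authorizations (user privileges)" from the policy side.
DOCUMENTED = {"alice": {"read_logs", "audit_config", "user_admin"},
              "bob": {"read_logs", "restart_service", "read_alarms"},
              "carol": {"read_logs"}}
# Constructed AC-3(1) evidence: defined privileged functions and explicit authorizations.
PRIVILEGED_FUNCTIONS = {"audit_config", "user_admin"}
EXPLICITLY_AUTHORIZED = {"alice": {"audit_config", "user_admin"}}


def effective_privileges(config):
    """Privileges each user actually holds: union of role privileges plus ACL grants."""
    eff = defaultdict(set)
    for user, roles in config["user_roles"].items():
        for role in roles:
            eff[user] |= config["roles"].get(role, set())
    for user, privs in config["acl_grants"].items():
        eff[user] |= privs
    return dict(eff)


def reconcile(documented, effective):
    """Return {user: (excess, missing)} for every user whose configured privileges
    differ from the documented authorizations; excess = configured but undocumented,
    missing = documented but not enforced by the configuration."""
    findings = {}
    for user in sorted(set(documented) | set(effective)):
        doc, eff = documented.get(user, set()), effective.get(user, set())
        if doc != eff:
            findings[user] = (sorted(eff - doc), sorted(doc - eff))
    return findings


def unauthorized_privileged_access(effective, privileged, authorized):
    """Users holding privileged functions they are not explicitly authorized for."""
    gaps = {u: sorted((p & privileged) - authorized.get(u, set()))
            for u, p in sorted(effective.items())}
    return {u: g for u, g in gaps.items() if g}
```

On the constructed data, carol's direct ACL grant surfaces in both checks: an undocumented privilege under AC-3.1.2 and a privileged function held without explicit authorization under AC-3(1).1.3.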
  
ASSESSMENT – Control Enhancement ICS-1 (For Industrial Control Systems)
Assessment Information from Special Publication 800-53A
AC-3(ICS-1).1 Determine if:
AC-3(ICS-1).1.1 (i) the organization explicitly defines privileged functions for the ICS that have impacts on facility, public, and environmental safety; and
AC-3(ICS-1).1.2 (ii) the organization develops and approves procedures addressing dual authorization requirements for the ICS.
   POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; list of privileged functions for ICS; ICS configuration settings and associated documentation; list of assigned authorizations (user privileges); ICS audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (H)
Additional Assessment Case Information
   POTENTIAL ASSESSMENT SEQUENCING:
PRECURSOR CONTROLS: NONE.
CONCURRENT CONTROLS: IA-2.
SUCCESSOR CONTROLS: NONE.
Action Step Applicability Potential Assessor Evidence Gathering Actions
General note to assessor for AC-3(ICS-1):
The focus of this control enhancement is the Industrial Control System (ICS) requiring dual authorization to perform privileged functions that may have impacts on facility, public, and environmental safety; except where such dual authorization might result in such impact.
AC-3(ICS-1).1.1.1  [M H]  Examine information system security plan, access control policy, procedures addressing access enforcement and dual authorization, or other relevant documents; reviewing for the list of privileged functions for the ICS that have impacts on facility, public, and environmental safety and for those functions within this list for which requiring dual authorization might result in such impact.
AC-3(ICS-1).1.2.1  [M H]  Examine information system security plan, access control policy, procedures addressing access enforcement and dual authorization, or other relevant documents; reviewing for evidence that the organization develops and approves procedures addressing dual authorization requirements for the functions identified in AC-3(ICS-1).1.1.1.
AC-3(ICS-1).1.3.1  [M H]  Examine information system security plan, information system design documents, or other relevant documents; reviewing for the mechanisms and the configuration settings to be employed to address the dual authorization requirements identified in AC-3(ICS-1).1.2.1.
AC-3(ICS-1).1.3.2  [M H]  Examine an agreed-upon, representative sample of the mechanisms identified in AC-3(ICS-1).1.3.1; reviewing for indication that the mechanisms are configured as identified in AC-3(ICS-1).1.3.1.
AC-3(ICS-1).1.3.3  [H]    Test an agreed-upon, representative sample of the mechanisms identified in AC-3(ICS-1).1.3.1; conducting generalized testing to verify that the mechanisms function as intended.


Footnotes

  1. NIST initiated the Assessment Case Development Project in October 2007 in cooperation with the Departments of Justice, Energy, Transportation, and the Intelligence Community. The interagency task force developed a full suite of assessment cases based on the assessment procedures provided in NIST Special Publication 800-53A. The assessment cases are available to all public and private sector organizations and can be downloaded from the NIST web site at http://csrc.nist.gov/sec-cert.