NIST SP 800-53A Chapter 2

From FISMApedia

CHAPTER TWO

THE FUNDAMENTALS

BASIC CONCEPTS ASSOCIATED WITH SECURITY CONTROL ASSESSMENTS

This chapter describes the basic concepts associated with assessing the security controls in organizational information systems including: (i) the integration of assessments into the system development life cycle; (ii) the importance of an organization-wide strategy for conducting security control assessments; (iii) the development of effective assurance cases; (iv) the format and content of assessment procedures; and (v) the use of an extended assessment procedure to help increase the grounds for confidence in the effectiveness of the security controls being assessed.


2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE

Security assessments can be effectively carried out at various stages in the system development life cycle [1] to increase the grounds for confidence or assurance that the security controls employed with an information system are effective in their application. This publication provides a comprehensive set of assessment procedures to support security assessment activities during the system development life cycle. For example, security assessments should be conducted by information system developers and system integrators during the system development and acquisition phase of the life cycle to help ensure that required security controls for the system are properly designed, developed, and implemented. This assessment process is often referred to as developmental security testing and evaluation (ST&E). The assessment procedures described in Appendix F can assist in developing ST&E procedures that can be employed during the initial stages of the system development life cycle. Security assessments should also be conducted by information system owners, security officers, independent certification agents, auditors, and inspectors general during the operations and maintenance phase of the life cycle to help ensure that the security controls are effective in the operational environment where the system is deployed. Finally, at the end of the life cycle, security assessments should be conducted as part of ensuring, for example, that important organizational information is purged from the information system prior to disposal.


2.2 STRATEGY FOR CONDUCTING SECURITY CONTROL ASSESSMENTS

Organizations are encouraged to develop a broad-based, organization-wide strategy for conducting security assessments, facilitating more cost-effective and consistent assessments across the inventory of information systems. An organization-wide strategy begins by applying the initial steps of the Risk Management Framework to all information systems within the organization, with an organizational view of the security categorization process, the security control selection process, and the identification of common (inherited) security controls. Maximizing the number of common controls employed within an organization: (i) significantly reduces the cost of development, implementation, and assessment of security controls; (ii) allows organizations to centralize security control assessments and to amortize the cost of those assessments across all information systems organization-wide; and (iii) increases overall security control consistency. An aggressive, organization-wide approach to identifying common controls early in the Risk Management Framework process facilitates a more global strategy for assessing those controls and sharing essential assessment results with information system owners and authorizing officials. The sharing of assessment results among key officials across information system boundaries has many important benefits including:

  • Providing the capability to review assessment results for all information systems and to make organization-wide, mission/business-related decisions on risk mitigation activities according to organizational priorities, organizational assessments of risk, and the impact levels of the information systems supporting the organization;
  • Providing a more global view of systemic weaknesses and deficiencies occurring in information systems across the organization;
  • Providing an opportunity to develop organization-wide solutions to information security problems; and
  • Increasing the organization's knowledge base regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common information security problems.

Figure 1 illustrates the relationship among the independent information system assessments and the overall determination and acceptance of mission/business risk.

FIGURE 1: INFORMATION SYSTEM ASSESSMENTS AND MISSION / BUSINESS RISK

While the conduct of the security control assessment is the primary responsibility of the information system owner [2] with oversight by the authorizing official, there should be significant involvement in the assessment process by other parties within the organization who have a vested interest in the outcome of the assessment. Other interested parties include, for example, mission and information owners (when those roles are filled by someone other than the information system owner) and information security officials. It is imperative that the information system owner coordinate with the other parties in the organization having an interest in the security control assessment to ensure that the organization's core missions and business functions are adequately addressed in the selection of security controls to be assessed.


2.3 BUILDING AN EFFECTIVE ASSURANCE CASE

Building an effective assurance case [3] for security control effectiveness is a process that involves: (i) compiling evidence that the controls employed in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system; and (ii) presenting this evidence in a manner that decision makers are able to use effectively in making credible, risk-based decisions about the operation or use of the system. The evidence described above comes from both the implementation of the security controls in the information system and from the assessments of that implementation. Ideally, the assessor is adding to an existing assurance case that started with the specification of the organization's information security needs and was further developed during the design, development, and implementation of the information system.

Assessors obtain the evidence needed during the assessment process to allow the appropriate organizational officials to make objective determinations about the effectiveness of the security controls and the security of the information system. The assessment evidence needed to make such determinations can be obtained from a variety of sources including, but not limited to, information technology product and system assessments. Product assessments (also known as product testing and evaluation) are typically conducted by independent, third-party testing organizations and examine the security functions of products and established configuration settings. Assessments can be conducted against industry, national, and international information security standards as well as developer and vendor claims. Since many information technology products are assessed by commercial testing organizations and then subsequently deployed in millions of information systems, these types of assessments can be carried out at a greater level of depth and provide deeper insights into the security capabilities of the particular products.

System assessments are typically conducted by information systems developers, systems integrators, certification agents, information system owners, auditors, inspectors general, and the information security staffs of organizations. These assessors or assessment teams bring together available information about the information system such as the results from product-level assessments, if available, and conduct additional system-level assessments using a variety of methods and techniques. System assessments are used to compile and evaluate the evidence needed by organizational officials to determine how effective the security controls employed in the information system are likely to be in mitigating risks to organizational operations and assets, to individuals, to other organizations, and to the Nation. The results from assessments conducted using information system-specific and organization-specific assessment procedures derived from the guidelines in NIST Special Publication 800-53A contribute to compiling the necessary evidence to determine security control effectiveness in accordance with the stated assurance requirements in the security plan (see NIST Special Publication 800-53, Appendix E, Minimum Assurance Requirements).


2.4 ASSESSMENT PROCEDURES

An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security control [4] under assessment. The determination statements are closely linked to the content of the security control (i.e., the security control functionality) and the assurance requirements in NIST Special Publication 800-53 to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security control produces assessment findings. These assessment findings are subsequently used in helping to determine the overall effectiveness of the security control.

The assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within an information system. [5] Activities are the specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.

The assessment methods define the nature of the assessor actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of conducting discussions with individuals or groups of individuals within an organization, again to facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results are used in making the specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Each of the assessment methods described above has a set of associated attributes, depth and coverage, which help define the expected level of effort for the assessment. These attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurance needed for higher impact level information systems. The depth attribute addresses the rigor of and level of detail in the examination, interview, and testing processes. Values for the depth attribute include generalized, focused, and detailed. The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes including the number and type of specifications, mechanisms, and activities to be examined or tested and the number and types of individuals to be interviewed. Values for the coverage attribute include representative, specific, and comprehensive. Appendix D provides attribute definitions and descriptions of each assessment method. The appropriate depth and coverage attribute values for a particular assessment method are the values needed to achieve the assessment expectations defined in Appendix E (described further below) based upon the characteristics of the information system being assessed (including impact level) and the specific determinations to be made.

Each of the information system impact levels (i.e., low, moderate, high) has an associated set of minimum assurance requirements defined in NIST Special Publication 800-53. The assurance requirements are directed at security control developers and implementers. Based on the assurance requirements, security control developers and implementers carry out required activities and thereby, as an inherent part of developing or implementing the control, produce the necessary control documentation, conduct essential analyses, and define actions that must be performed during control operation. [6] The purpose of these activities is to provide increased grounds for confidence that the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Assessors subsequently use the information from these developer and implementer activities during the assessment process to help build the assurance case that the security controls are effective in their application. [7]

The minimum assurance requirements in NIST Special Publication 800-53 also help to establish an appropriate set of expectations for assessors in the conduct of the security control assessments. The assessment expectations, described with respect to low-impact, moderate-impact, and high-impact information systems for a range of assessment objects including specifications, activities, and mechanisms, are provided in Appendix E. The assessment expectations provide assessors with important reference points as to what findings obtained from the application of the assessment procedures are acceptable for subsequent use by the organization in determining security control effectiveness. Table 1 provides a summary of the assessment expectations by information system impact level.


TABLE 1: ASSESSMENT EXPECTATIONS BY INFORMATION SYSTEM IMPACT LEVEL

LOW-IMPACT: Security controls are in place with no obvious errors.

MODERATE-IMPACT: Increased grounds for confidence that the security controls are implemented correctly and operating as intended.

HIGH-IMPACT: Further increased grounds for confidence that the security controls are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

BEYOND MINIMUM RECOMMENDATIONS OF NIST SPECIAL PUBLICATION 800-53A (for environments with specific and credible threat information indicating sophisticated, well-resourced threat agents and possible attacks against high-value targets): Grounds for a high degree of confidence that the security controls are complete, consistent, and correct.


AN EXAMPLE ASSESSMENT PROCEDURE

The following example illustrates an assessment procedure for security control CP-1. The assessment procedure includes a set of assessment objectives derived from the basic security control statement and a set of potential assessment methods and objects that can be used to make the determinations that lead to achieving the assessment objectives.


CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-34 provides guidance on contingency planning. NIST Special Publication 800-12 provides guidance on security policies and procedures.


For security control CP-1, the assessment objectives are expressed as follows:


ASSESSMENT OBJECTIVE #1

Determine if:

(i) the organization develops and documents contingency planning policy and procedures;

(ii) the organization disseminates contingency planning policy and procedures to appropriate elements within the organization;

(iii) responsible parties within the organization periodically review contingency planning policy and procedures; and

(iv) the organization updates contingency planning policy and procedures when organizational review indicates updates are required.

ASSESSMENT OBJECTIVE #2

Determine if:

(i) the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;

(ii) the contingency planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and

(iii) the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls.

In addition to specifying the assessment objectives, potential assessment methods and objects are also identified. [8] The depth and coverage attributes associated with the assessment methods are implicit according to the impact level of the information system where the security controls are employed and assessed. Therefore, the expected level of effort expended by assessors in assessing a particular security control (i.e., the intensity and extent of the assessment activities) will vary based upon the impact level of the information system and the associated depth and coverage attributes. Appendix E provides more detailed information on assessment expectations and the values for depth and coverage attributes for each information system impact level. A complete assessment procedure for security control CP-1 consists of two assessment objectives [9] and associated methods and objects as follows:


CP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents contingency planning policy and procedures;
(ii) the organization disseminates contingency planning policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review contingency planning policy and procedures; and
(iv) the organization updates contingency planning policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

CP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the contingency planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


The assessment objectives within a particular assessment procedure are numbered sequentially (e.g., CP-1.1,…, CP-1.n). If the security control has any enhancements, assessment objectives are developed for each enhancement using the same process as for the base control. The resulting assessment objectives within the assessment procedure are numbered sequentially (e.g., CP-2(1).1 indicating the first assessment objective for the first enhancement for security control CP-2).
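The structure laid out in Section 2.4 (objectives made of determination statements, each paired with methods that apply only to certain object types, and the CP-1.1 / CP-2(1).1 numbering convention above) can be captured as a small data model. The following Python is an added example written for this page; it is not part of NIST SP 800-53A or of any NIST tooling. It encodes only the rules stated in this chapter: examine applies to specifications, mechanisms, or activities; interview applies to individuals; test applies to activities or mechanisms; depth takes generalized/focused/detailed and coverage takes representative/specific/comprehensive; objectives are numbered sequentially under the control (or enhancement) identifier. The depth and coverage values for a given impact level are defined in Appendix E, which is not reproduced here, so they are left unset in the CP-1 procedure built at the end; the control-identifier pattern and the class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assessment object types (Section 2.4) and the object types each method may be
# applied to: examine -> specifications, mechanisms, activities; interview ->
# individuals; test -> activities, mechanisms.
SPECIFICATION, MECHANISM, ACTIVITY, INDIVIDUAL = (
    "specification", "mechanism", "activity", "individual")
METHOD_OBJECTS = {
    "examine": {SPECIFICATION, MECHANISM, ACTIVITY},
    "interview": {INDIVIDUAL},
    "test": {ACTIVITY, MECHANISM},
}
# Attribute value sets from Section 2.4. Which value applies to a given impact
# level comes from Appendix E, so the attributes are optional in this model.
DEPTH_VALUES = ("generalized", "focused", "detailed")
COVERAGE_VALUES = ("representative", "specific", "comprehensive")

# Assumed identifier pattern: family code, control number, optional
# enhancement in parentheses, e.g. "CP-1" or "CP-2(1)".
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control_id(control_id: str):
    """Return (family, control number, enhancement or None); ValueError if malformed."""
    m = CONTROL_ID.match(control_id)
    if m is None:
        raise ValueError(f"not a control identifier: {control_id!r}")
    family, number, enhancement = m.groups()
    return family, int(number), (int(enhancement) if enhancement else None)


@dataclass
class AssessmentObject:
    kind: str          # one of the four object types above
    description: str   # e.g. "Contingency planning policy and procedures"


@dataclass
class MethodApplication:
    method: str                  # examine | interview | test
    objects: list                # candidate AssessmentObjects ("SELECT FROM")
    depth: Optional[str] = None
    coverage: Optional[str] = None


@dataclass
class AssessmentObjective:
    determinations: list         # the "Determine if" statements
    methods: list                # MethodApplication instances


@dataclass
class AssessmentProcedure:
    control_id: str
    objectives: list = field(default_factory=list)

    def objective_ids(self) -> list:
        """Sequential numbering: CP-1.1, CP-1.2, ... or CP-2(1).1 for an enhancement."""
        parse_control_id(self.control_id)  # reject malformed identifiers early
        return [f"{self.control_id}.{i}" for i in range(1, len(self.objectives) + 1)]

    def validate(self) -> list:
        """Return a list of problems; an empty list means the procedure is well formed."""
        problems = []
        for oid, objective in zip(self.objective_ids(), self.objectives):
            if not objective.determinations:
                problems.append(f"{oid}: no determination statements")
            if not objective.methods:
                problems.append(f"{oid}: no assessment methods")
            for app in objective.methods:
                allowed = METHOD_OBJECTS.get(app.method)
                if allowed is None:
                    problems.append(f"{oid}: unknown method {app.method!r}")
                    continue
                for obj in app.objects:
                    if obj.kind not in allowed:
                        problems.append(f"{oid}: {app.method} method cannot be applied "
                                        f"to object type {obj.kind!r} ({obj.description})")
                if app.depth is not None and app.depth not in DEPTH_VALUES:
                    problems.append(f"{oid}: bad depth value {app.depth!r}")
                if app.coverage is not None and app.coverage not in COVERAGE_VALUES:
                    problems.append(f"{oid}: bad coverage value {app.coverage!r}")
        return problems


def cp1_procedure() -> AssessmentProcedure:
    """The CP-1 procedure from Section 2.4: two objectives, each examine + interview."""
    docs = AssessmentObject(SPECIFICATION, "Contingency planning policy and procedures")
    other = AssessmentObject(SPECIFICATION, "Other relevant documents or records")
    staff = AssessmentObject(INDIVIDUAL, "Organizational personnel with contingency "
                                         "planning and plan implementation responsibilities")

    def methods():
        return [MethodApplication("examine", [docs, other]),
                MethodApplication("interview", [staff])]

    return AssessmentProcedure("CP-1", [
        AssessmentObjective([
            "the organization develops and documents contingency planning policy and procedures",
            "the organization disseminates contingency planning policy and procedures",
            "responsible parties periodically review contingency planning policy and procedures",
            "the organization updates contingency planning policy and procedures when required",
        ], methods()),
        AssessmentObjective([
            "the contingency planning policy addresses purpose, scope, roles and "
            "responsibilities, management commitment, coordination, and compliance",
            "the contingency planning policy is consistent with the organization's mission "
            "and with applicable laws, directives, policies, regulations, standards, and guidance",
            "the contingency planning procedures address all areas identified in the policy",
        ], methods()),
    ])


if __name__ == "__main__":
    proc = cp1_procedure()
    print(proc.objective_ids(), proc.validate())
    # A malformed procedure: the test method applied to individuals.
    bad = AssessmentProcedure("CP-2(1)", [AssessmentObjective(["placeholder"],
          [MethodApplication("test", [AssessmentObject(INDIVIDUAL, "system administrators")])])])
    print(bad.objective_ids(), bad.validate())
```

Running the block prints `['CP-1.1', 'CP-1.2'] []` for the CP-1 procedure and a single problem for the second one, since test is defined on activities and mechanisms only. The same validator is the place to hang an Appendix E lookup once the system's impact level is known: set `depth` and `coverage` on each `MethodApplication` from that table and the value check enforces the permitted vocabulary.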


2.5 EXTENDED ASSESSMENT PROCEDURE

In addition to the assessment procedures (see Appendix F, Section I) that are applied to individual security controls as in the CP-1 example above, an extended assessment procedure (see Appendix F, Section II) is applied to the assessment as a whole. The extended assessment procedure is designed to work with and complement the assessment procedures to contribute to the grounds for confidence in the effectiveness of the security controls employed in the information system. The extended assessment procedure and the associated assessment objectives are also closely linked to the impact level of the information system and the assurance requirements in NIST Special Publication 800-53. Consider the NIST Special Publication 800-53 assurance requirements for low-impact systems:

Assurance Requirement: The security control is in effect and meets explicitly identified functional requirements in the control statement.
Supplemental Guidance: For security controls in low-impact information systems, the focus is on the controls being in place with the expectation that no obvious errors exist and that, as flaws are discovered, they are addressed in a timely manner.

The basic assurance requirement for low-impact systems (i.e., security controls are in effect and meet explicitly identified functional requirements in the control statements) is covered by the assessment procedures for the security controls (see Appendix F, Section I). An additional assessment objective for low-impact systems is identified in the supplemental guidance (i.e., as flaws are discovered, they are addressed in a timely manner). This additional assessment objective is covered by the extended assessment procedure (see Appendix F, Section II). Specifically, for a low-impact information system, the following section of the extended assessment procedure, EAP.1, is applied:


EAP.1 ASSESSMENT OBJECTIVE:
Determine if the organization has a process in place to address in a timely manner, any flaws discovered in the implementation or application of the security controls in the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Policies, procedures, records, documents, activities, or mechanisms related to addressing flaws in security controls or control enhancements].


The extended assessment procedure applies to the entire assessment, yet may be implemented control by control, by group of controls, or collectively across all controls in the information system simultaneously. In this situation, the organization, based on the security plan for implementing the NIST Special Publication 800-53 assurance requirements, may have decided to have a process in place to address flaws at the individual security control level (e.g., CP-1) or may have decided to rely on a single process to document and address flaws at the security control family level (e.g., Contingency Planning family). Extending that concept further, the organization may have also decided to employ an organization-wide process to document flaws in the security controls across the entire information system. Whether the organization chooses to implement one process or many processes will determine how the assessor applies the extended assessment procedure. The specific application of the extended assessment procedure should be described in the security assessment plan. See Appendix F, Section II for the complete extended assessment procedure.


Footnotes

  1. There are five phases in the system development life cycle: (i) system initiation; (ii) system acquisition/development; (iii) system implementation; (iv) system operations and maintenance; and (v) system disposition (disposal). NIST Special Publications 800-64 and 800-100 provide guidance on integrating information security activities into the specific phases of the system development life cycle.
  2. The information system owner is the organizational official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
  3. An assurance case is a body of evidence organized into an argument demonstrating that some claim about an information system holds (i.e., is assured). An assurance case is needed when it is important to show that a system exhibits some complex property such as safety, security, or reliability. Additional information can be obtained at https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643.html.
  4. References to security controls under assessment also include control enhancements.
  5. Mechanisms also include physical protection devices associated with an information system (e.g., locks, keypads, security cameras, fire protection devices, fireproof safes, etc.).
  6. In this context, a developer/implementer is an individual or group of individuals responsible for the development or implementation of security controls within an information system. This may include, for example, hardware and software vendors providing the controls, contractors implementing the controls, or organizational personnel such as information system owners, information system security officers, system and network administrators, or other individuals with security responsibility for the information system.
  7. For example, the assurance requirements in NIST Special Publication 800-53 at the moderate-impact level are designed to ensure that security controls within the information system contain specific actions and the assignment of responsibilities to provide increased grounds for confidence that the controls are implemented correctly and operating as intended. At the high-impact level, the assurance requirements are designed to ensure that when security controls are implemented, the controls will continuously and consistently (i.e., across the information system) meet their required function or purpose and support improvement in the effectiveness of the controls. These requirements are reflected in the associated security control assessment procedures at the appropriate impact level of the information system under assessment.
  8. Whereas a set of potential assessment methods and objects have been included in the catalog of assessment procedures in Appendix F, these are not intended to be mandatory or exclusive and, depending on the particular circumstances of the information system to be assessed, not all methods and objects may be required.
  9. In the CP-1 example above, the control requirements are divided among two assessment objectives primarily because the elements within the security control are of two types—actions (first objective) and adequacy (second objective). However, an assessment procedure consisting of one objective covering all control requirements would also be acceptable. The number of objectives is kept as small as possible while still providing a meaningful subdivision of assessment results and providing for any needed differentiation between objectives and assessment methods that apply.