NIST SP 800-53A Chapter 3
CONDUCTING EFFECTIVE SECURITY CONTROL ASSESSMENTS
This chapter describes the process of assessing the security controls in organizational information systems including: (i) the activities carried out by organizations and assessors to prepare for security control assessments; (ii) the development of security assessment plans; (iii) the conduct of security control assessments and the analysis, documentation, and reporting of assessment results; and (iv) post-assessment report analysis and follow-on activities carried out by organizations.
3.1 PREPARING FOR SECURITY CONTROL ASSESSMENTS
Conducting security control assessments in today's complex environment of sophisticated information technology infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Success requires the cooperation and collaboration among all parties having a vested interest in the organization's information security posture, including information system owners, authorizing officials, chief information officers, senior agency information security officers, chief executive officers/heads of agencies, inspectors general, and the OMB. Establishing an appropriate set of expectations before, during, and after the assessment is paramount to achieving an acceptable outcome-that is, producing information necessary to help the authorizing official make a credible, risk-based decision on whether to place the information system into operation or continue its operation.
Thorough preparation by the organization and the assessors is an important aspect of conducting effective security control assessments. Preparatory activities should address a range of issues relating to the cost, schedule, and performance of the assessment. From the organizational perspective, preparing for a security control assessment includes the following key activities:
- Ensuring that appropriate policies covering security control assessments are in place and understood by all organizational elements;
- Ensuring that all steps in the NIST Risk Management Framework prior to the security control assessment step, have been successfully completed and received appropriate management oversight;25 
- Ensuring that security controls identified as common controls (and the common portion of hybrid controls) have been assigned to appropriate organizational entities for development and implementation;26 
- Establishing the objective and scope of the security control assessment (i.e., the purpose of the assessment and what is being assessed);
- Notifying key organizational officials of the impending security control assessment and allocating necessary resources to carry out the assessment;
- Establishing appropriate communication channels among organizational officials having an interest in the security control assessment;27 
- Establishing time frames for completing the security control assessment and key milestone decision points required by the organization to effectively manage the assessment;
- Identifying and selecting a competent assessor/assessment team that will be responsible for conducting the security control assessment, considering issues of assessor independence;
- Collecting artifacts to provide to the assessor/assessment team (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results); and
- Establishing a mechanism between the organization and the assessor and/or assessment team to minimize ambiguities or misunderstandings about security control implementation or security control weaknesses/deficiencies identified during the assessment.
In addition to the planning activities the organization carries out in preparation for the security control assessment, assessors/assessment teams should begin preparing for the assessment by:
- Obtaining a general understanding of the organization's operations (including mission, functions, and business processes) and how the information system that is the subject of the security control assessment supports those organizational operations;
- Obtaining an understanding of the structure of the information system (i.e., system architecture);
- Obtaining a thorough understanding of the security controls being assessed (including system-specific, hybrid, and common controls) together with appropriate FIPS and NIST Special Publications that are referenced in those controls;
- Identifying the organizational entities responsible for the development and implementation of the common security controls (or the common portion of hybrid controls) supporting the information system;
- Establishing appropriate organizational points of contact needed to carry out the security control assessment;
- Obtaining artifacts needed for the security control assessment (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results);
- Obtaining previous assessment results that may be appropriately reused for the security control assessment (e.g., inspector general reports, audits, vulnerability scans, physical security inspections; prior assessments of common controls, developmental testing and evaluation).
- Meeting with appropriate organizational officials to ensure common understanding for assessment objectives and the proposed rigor and scope of the assessment; and
- Developing a security assessment plan.
In preparation for the assessment of security controls, the necessary background information should be assembled and made available to the assessors or assessment team.28  To the extent necessary to support the specific assessment, the organization should identify and arrange access to: (i) elements of the organization responsible for developing, documenting, disseminating, reviewing, and updating all security policies and associated procedures for implementing policy- compliant controls; (ii) the security policies for the information system and any associated implementing procedures; (iii) individuals or groups responsible for the development, implementation, operation, and maintenance of security controls; (iv) any materials (e.g., security plans, records, schedules, assessment reports, after-action reports, agreements, accreditation packages) associated with the implementation and operation of security controls; and (v) the objects to be assessed.29  The availability of essential documentation as well as access to key organizational personnel and the information system being assessed are paramount to a successful assessment of the security controls.
3.2 DEVELOPING SECURITY ASSESSMENT PLANS
The security assessment plan provides the objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment. The output and end result of the security control assessment is the security assessment report, which documents the assurance case for the information system and is one of three key documents in the security accreditation package developed by information system owners for authorizing officials.30  The security assessment report includes information from the assessor (in the form of assessment findings) necessary to determine the effectiveness of the security controls employed in the information system and the organization's overall effectiveness determination based upon the assessor's findings.31  The security assessment report is an important factor in an authorizing official's determination of risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Appendix I provides additional information on the format and content of security assessment reports.
The following steps should be considered by assessors in developing plans to assess the security controls in organizational information systems:
- Determine the type of security control assessment (e.g., complete or partial assessment);
- Determine which security controls/control enhancements are to be included in the assessment based upon the contents of the security plan and the purpose/scope of the assessment;
- Select the appropriate assessment procedures to be used during the assessment based on the security controls and control enhancements that are to be included in the assessment;
- Tailor the selected assessment procedures for the information system impact level and organization's operating environment;
- Develop additional assessment procedures, if necessary, to address security controls and control enhancements that are not contained in NIST Special Publication 800-53 or to address additional assurance needs beyond what is provided in NIST Special Publication 800-53A;
- Develop a strategy to apply the extended assessment procedure;
- Optimize the assessment procedures to reduce duplication of effort and provide cost-effective assessment solutions;32  and
- Finalize the assessment plan and obtain the necessary approvals to execute the plan.
3.2.1 Determine which security controls are to be assessed.
The security plan provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The assessor starts with the security controls described in the security plan and considers the purpose of the assessment. A security control assessment can be a complete assessment of all security controls in the information system (e.g., during security certification as part of a certification and accreditation process) or a partial assessment of the security controls in the information system (e.g., during continuous monitoring, post accreditation, where subsets of the controls in the information system are assessed on an ongoing basis). For partial assessments, the information system owner collaborates with organizational officials having an interest in the assessment (e.g., senior agency information security officer, mission/information owners, inspectors general, and authorizing official) to determine which security controls from the security plan are to be assessed. The selection of the security controls depends on the continuous monitoring schedule established by the information system owner to ensure that all controls are assessed during the three-year accreditation cycle, items on the plan of action and milestones receive adequate oversight, and controls with greater volatility are assessed more frequently.33 
3.2.2 Select appropriate procedures to assess the security controls.
NIST Special Publication 800-53A, Appendix F, provides an assessment procedure for each security control and control enhancement in NIST Special Publication 800-53. For each security control and control enhancement in the security plan to be included in the assessment, assessors select the corresponding assessment procedure from Appendix F. The set of selected assessment procedures varies from assessment to assessment based on the current content of the security plan and the purpose of the security assessment (e.g., annual security control assessment, security certification, continuous monitoring). Appendix H provides a work sheet for selecting the appropriate assessment procedures for the assessment based on the approved security plan and the particular assessment focus.
3.2.3 Tailor assessment procedures for specific operating environments.
In a similar manner to how the security controls from NIST Special Publication 800-53 are tailored for the organization's mission, business functions, characteristics of the information system and operating environment, the assessment procedures listed in Appendix F are tailored to meet specific organizational needs.
Assessment procedures can be tailored by:
- Selecting the assessment methods and objects needed to most cost-effectively make appropriate determinations and to satisfy assessment objectives;
- Selecting the assessment method depth and coverage attribute values necessary to meet the assessment expectations defined in Appendix E based upon the characteristics of the information system being assessed and the specific determinations to be made;
- Eliminating assessment procedures for common security controls if those controls have been assessed by another documented assessment process;
- Developing information system/platform-specific and organization-specific assessment procedure adaptations to successfully carry out the assessment of the security controls;
- Incorporating assessment results from previous assessments where the results are deemed applicable;34  and
- Making appropriate adjustments in assessment procedures to be able to obtain the requisite assessment evidence from external providers.
Assessment method and object-related considerations-
It is recognized that organizations can specify, document, and configure their information systems in a variety of ways and that the content and applicability of existing assessment evidence will vary. This may result in the need to apply a variety of assessment methods to various assessment objects to generate the assessment evidence needed to determine whether the security controls are effective in their application. Therefore, the list of assessment methods and objects provided with each assessment procedure is termed potential to reflect this need to be able to choose the methods and objects most appropriate for a specific assessment. The assessment methods and objects chosen are those deemed as necessary to produce the evidence needed to make the determinations described in the determination statements. The potential methods and objects in the assessment procedure are provided as a resource to assist in the selection of appropriate methods and objects, and not with the intent to limit the selection. As such, assessors should use their judgment in selecting from the potential assessment methods and the general list of assessment objects (also known as the object list) associated with each selected method. Assessors should select only those methods and objects that most cost-effectively contribute to making the determinations associated with the assessment objective.35  The measure of the quality of the assessment results is based on the soundness of the rationale provided, not the specific set of methods and objects applied. It will not be necessary, in most cases, to apply every assessment method to every assessment object to obtain the desired assessment results. And for specific assessments, it may be appropriate to employ a method not currently listed in the set of potential methods or to not employ a method that is listed.
To assist assessors in determining when assessment methods should be applied, the assessment procedures in the catalog in Appendix F contain a suggested application of the potential assessment methods to a low-impact, moderate-impact, and high-impact information system assessment. This suggested application is provided by the designators (L), (M), and (H) respectively. The designators are provided for each of the impact levels at which security controls or control enhancements are likely to be employed based on anticipated common usage.36  The designations are intended to assist, not limit, assessors in the selection of the most cost-effective assessment methods for a given assessment.
In addition to selecting appropriate assessment methods and objects, each assessment method (i.e., examine, interview, and test) has associated depth and coverage attributes that are described in Appendix D. The attribute values affect the extent, rigor, and intensity of the assessment procedure executed by the assessor. The values are selected as necessary to meet the assessment expectations described in Appendix E for a specific determination in a specific assessment. The values for depth and coverage are determined by both the impact level of the information system (which defines the overall assessment expectations) and by the specifics of the system and the security control being assessed (which impacts the assessor actions needed to achieve the assessment expectations). For example, in a low-impact system, as assessors carry out the assessment procedures for the security controls in the security plan (including conducting interviews with individuals, examining policies, procedures, and other documentation, and testing portions of the system), the level of effort is likely to be guided by the attribute definitions in Appendix D for generalized depth and representative coverage as the level of rigor most likely needed to achieve the assessment expectations defined for a low-impact system.
Common security control-related considerations-
Assessors should note which security controls (or parts of controls) in the security plan are designated as common controls. Since the assessment of common controls is the responsibility of the organizational entity that developed and implemented the controls, the assessment procedures in Appendix F used to assess these controls should incorporate assessment results from that organizational entity.37  Common controls may have been previously assessed as part of the organization's information security program, or there may be a separate plan to assess the common controls. In either situation, the information system owner coordinates the assessment of all security controls with appropriate organizational officials (e.g., chief information officer, senior agency information security officer, mission/ information owners, authorizing official) obtaining the results of common control assessments or, if the common controls have not been assessed or are due to be reassessed, making the necessary arrangements to include or reference the common control assessment results in the current assessment.38 
Another consideration in assessing common security controls is that there are occasionally system-specific aspects of a common control that are not covered by the organizational entities responsible for the common aspects of the control. These types of security controls are referred to as hybrid controls. For example, CP-2, the contingency planning security control, may be deemed a hybrid control by the organization if there is a master contingency plan developed by the organization for all organizational information systems. However, information system owners are expected to adjust, tailor, or supplement the contingency plan as necessary, when there are system-specific aspects of the plan that need to be defined for the particular system where the control is employed. For each hybrid security control, assessors should include in the assessment plan, the portions of the assessment procedures from Appendix F related to the parts of the control that are system-specific to ensure that, along with the results from common control assessments, all aspects of the security control are assessed.
Reuse of assessment evidence-related considerations-
Assessors should take advantage of existing security control assessment information to facilitate more cost-effective assessments. The reuse of assessment results from previously accepted or approved assessments of the information system should be considered in the body of evidence for determining overall security control effectiveness.39  The assessment procedures in Appendix F are designed to compile evidence for determining if security controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements of the information system. When considering the reuse of previous assessment results and the value of those results to the current assessment, assessors should determine: (i) the credibility of the evidence; (ii) the appropriateness of previous analysis; and (iii) the applicability of the evidence to current information system operating conditions. It may be necessary, in certain situations, to supplement the previous assessment results under consideration for reuse with additional assessment activities to fully address the assessment objectives. For example, if an independent, third-party evaluation of an information technology product did not test a particular configuration setting that is employed by the organization in an information system, then the assessor may need to supplement the original test results with additional testing to cover that configuration setting for the current information system environment.40  The following items should be considered in validating previous assessment results for reuse in current assessments:
- Changing conditions associated with security controls over time.
- Security controls that were deemed effective during previous assessments may have become ineffective due to changing conditions within the information system or the surrounding environment. Thus, assessment results that were found to be previously acceptable may no longer provide credible evidence for determination of security control effectiveness, and a reassessment would be required. Applying previous assessment results to a current assessment requires the identification of any changes that have occurred since the previous assessment and the impact of these changes on the previous assessment results. For example, reusing previous assessment results that involved examining an organization's security policies and procedures may be acceptable if it is determined that there have not been any significant changes to the identified policies and procedures. Reusing evidence and security control assessment results produced during the initial certification and accreditation of an information system will likely be a cost-effective method for supporting continuous monitoring activities and annual FISMA reporting when the related controls have not changed and there are adequate reasons for confidence in their continued application.
- Acceptability of using previous assessments.
- The acceptability of using previous assessment results in a security control assessment should be coordinated with and approved by the users of the assessment results. It is essential that the information system owner collaborates with appropriate organizational officials (e.g., chief information officer, senior agency information security officer, mission/information owners, authorizing official) in determining the acceptability of using previous assessment results. The decision to reuse assessment results should be documented in the security assessment plan and the final security assessment report and should be consistent with federal legislation, policies, directives, standards, and guidelines with respect to the security control assessments.
- Amount of time that has transpired since previous assessments.
- In general, as the time period between current and previous assessments increases, the credibility/utility of the previous assessment results decreases. This is primarily due to the fact that the information system or the environment in which the information system operates is more likely to change with the passage of time, possibly invalidating the original conditions or assumptions on which the previous assessment was based.
- Degree of independence of previous assessments.
- Assessor independence can be a critical factor in certain types of assessments, especially for information system at the moderate- and high-impact levels. The degree of independence required from assessment to assessment should be consistent. For example, it is not appropriate to reuse results from a previous self-assessment where no assessor independence was required, in a current assessment requiring a greater degree of independence.
External information system-related considerations
The assessment procedures in Appendix F need to be adjusted as appropriate to accommodate the assessment of external information systems.41  Because the organization does not always have direct control over the security controls used in external information systems, or sufficient visibility into the development, implementation, and assessment of those controls, alternative assessment approaches may need to be applied, resulting in the need to tailor the assessment procedures described in Appendix F. Where required assurances of agreed-upon security controls for an information system are documented in contracts or service-level agreements, the assessor should review these contracts or agreements and where appropriate, tailor the assessment procedures to assess either the security controls or the security control assessment results provided through these agreements. Additionally, assessors should take into account any assessments that have been conducted, or are in the process of being conducted, for external information systems that are relied upon with regard to protecting the information system under assessment. Applicable information from these assessments, if deemed reliable, should be incorporated into the security assessment report.
System/platform and organization-related considerations-
The assessment procedures in NIST Special Publication 800-53A may be adapted to address system/platform-specific or organization-specific dependencies. This situation arises frequently in the assessment procedures associated with the security controls from the technical families in NIST Special Publication 800-53 (i.e., access control, audit and accountability, identification and authentication, system and communications protection). For example, an extension to the IA-2 control for identification and authentication of users might include an explicit examination of the .rhosts file for UNIX systems since improper entries in that file can result in bypassing user authentication. Recent test results may also be applicable to the current assessment if those test methods provide a high degree of transparency (e.g., what was tested, when was it tested, how was it tested). Standards-based testing protocols such as the Security Content Automation Protocol (SCAP) provide an example of how organizations can help achieve this level of transparency. Further, the SCAP checklists and test procedures are organized by NIST Special Publication 800-53 controls to enable efficiency in assessing federal information systems.
3.2.4 Develop assessment procedures for organization-specific security controls.
Based on organizational policies, mission or business function requirements, and an assessment of risk, organizations may choose to develop and implement additional (organization-specific) security controls or control enhancements for their information systems that are beyond the scope of FIPS 200 and NIST Special Publication 800-53. Such security controls are documented in the security plan for the information system as controls not found in NIST Special Publication 800- 53. To assess the security controls in this situation, assessors should use the material described in Chapter Two to develop assessment procedures for those controls and control enhancements. The assessment procedures developed should be integrated into the security assessment plan.
3.2.5 Develop assessment procedures for additional assurance requirements.
The assessment procedures described in NIST Special Publication 800-53A correspond with the minimum assurance requirements identified in NIST Special Publication 800-53. However, when the organization is relying upon security controls to mitigate risks arising from highly skilled, highly motivated, and well-financed threat sources, NIST Special Publication 800-53 requires organizations obtain additional assurances for moderate-impact and high-impact information systems. As indicated in the last row in Table E-1 in Appendix E, the assessment procedures for these added assurances are beyond the scope of the minimum assessment expectations currently described in this document. Therefore, when such additional assurances apply, the organization should develop additional assessment procedures to provide the necessary evidence that the effected security controls have been developed in a manner that supports a high degree of confidence that the controls are complete, consistent, and implemented correctly. Additionally, organizational risk management needs may dictate the development of assessment procedures beyond the procedures provided in this publication. In both cases, the additional security control assessment procedures should be integrated into the security assessment plan.
3.2.6 Develop strategy for incorporating extended assessment procedure.
Organizations have great flexibility in achieving the developer/implementer assurance requirements in NIST Special Publication 800-53. For a requirement such as assurance that flaws are addressed in a timely manner, the organization can satisfy this requirement on a control-by- control basis, on a by-type-of-control basis, on a system-by-system basis, or perhaps even at the organizational level. In consideration of this flexibility, the extended assessment procedure in Appendix F is applied on an assessment-by-assessment basis typically according to how the organization chose to achieve the associated NIST Special Publication 800-53 assurances for the information system under assessment. The method of application should be documented in the security assessment plan. Further, the organization selects the appropriate assessment objectives from the extended assessment procedure based on the information system impact level. The application of the extended assessment procedure is intended to supplement the other assessment procedures to increase the grounds for confidence that the security controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements of the information system.
3.2.7 Optimize selected assessment procedures to ensure maximum efficiency.
Assessors have a great deal of flexibility in organizing a security assessment plan that meets the needs of the organization and that provides the best opportunity for obtaining the necessary evidence to determine security control effectiveness, while reducing overall assessment costs. Combining and consolidating assessment procedures is one area where this flexibility can be applied. During the assessment of an information system, assessment methods are applied numerous times to a variety of assessment objects within a particular family of security controls. To save time, reduce assessment costs, and maximize the usefulness of assessment results, assessors should review the selected assessment procedures for the security control families and combine or consolidate the procedures (or parts of procedures) whenever possible or practicable. For example, assessors may wish to consolidate interviews with key organizational officials dealing with a variety of security-related topics. Assessors may have other opportunities for significant consolidations and cost savings by examining all security policies and procedures from the seventeen families of security controls at the same time or organizing groups of related policies and procedures that could be examined as a unified entity. Obtaining and examining configuration settings from similar hardware and software components within the information system is another example that can provide significant assessment efficiencies.
An additional area for consideration in optimizing the assessment process is the sequence in which security controls are assessed. The assessment of some security controls before others may provide information that facilitates understanding and assessment of other controls. For example, security controls such as CM-2 (Baseline Configuration), CM-8 (Information System Component Inventory), PL-2 (System Security Plan), RA-2 (Security Categorization), and RA-3 (Risk Assessment) produce general descriptions of the information system. Assessing these security controls early in the assessment process may provide a basic understanding of the information system that can aid in assessing other security controls. The supplemental guidance of many security controls also identifies related controls that can provide useful information in organizing the assessment procedures.42  For example, AC-19 (Access Control for Portable and Mobile Devices) lists security controls MP-4 (Media Storage) and MP-5 (Media Transport) as being related to AC-19. Since AC-19 is related to MP-4 and MP-5, the sequence in which assessments are conducted for AC-19, MP-4, and MP-5 may facilitate the reuse of assessment information from one control in assessing other related controls.
3.2.8 Finalize security assessment plan and obtain approval to execute plan.
After selecting the assessment procedures (including developing necessary procedures not contained in the NIST Special Publication 800-53A catalog of procedures), tailoring the procedures for information system/platform-specific and organization-specific conditions, optimizing the procedures for efficiency, applying the extended assessment procedure, and addressing the potential for unexpected events impacting the assessment, the assessment plan is finalized and the schedule is established including key milestones for the assessment process. Once the security assessment plan is completed, the plan is reviewed and approved by appropriate organizational officials43  to ensure that the plan is complete, consistent with the security objectives of the organization and the organization's assessment of risk,and cost-effective with regard to the resources allocated for the assessment.
3.3 CONDUCTING SECURITY CONTROL ASSESSMENTS
After the security assessment plan is approved by the organization, the assessor or assessment team44  executes the plan in accordance with the agreed-upon milestones and schedule. Assessment objectives are achieved by applying the designated assessment methods to selected assessment objects and compiling/producing the information necessary to make the determination associated with each assessment objective. Each determination statement contained within an assessment procedure executed by an assessor produces one the following findings: (i) satisfied (S); or (ii) other than satisfied (O). A finding of satisfied indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met producing a fully acceptable result. A finding of other than satisfied indicates that for the portion of the security control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization.45  A finding of other than satisfied may also indicate that for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement.
The assessor findings (i.e., the determinations made) should be an unbiased, factual reporting of what was found concerning the security control assessed. For each finding of other than satisfied, assessors should indicate which parts of the security control are affected by the finding (i.e., those aspects of the control that were deemed not satisfied or were not able to be assessed) and describe how the control differs from the planned or expected state. The potential for compromises to confidentiality, integrity, and availability due to other than satisfied findings should also be noted by the assessor.
Security control assessment results should be documented at the level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational policy, NIST guidelines, and OMB policy. The reporting format should also be appropriate for the type of security control assessment conducted (e.g., self-assessments by information system owners, independent verification and validation, independent assessments by assessors or assessment teams supporting the security accreditation process, or independent audits of security controls by auditors or inspectors general). A sample reporting format for security control assessments is provided in Appendix I. The sample reporting format is illustrative and not intended to limit organizational flexibility in determining the most appropriate presentation for the purposes of a given security control assessment.
The information system owner relies on the security expertise and the technical judgment of the assessor to: (i) assess the security controls in the information system; and (ii) provide specific recommendations on how to correct weaknesses or deficiencies in the controls and reduce or eliminate identified vulnerabilities. The assessment information produced by the assessor (i.e., findings of satisfied or other than satisfied, identification of the parts of the security control that did not produce a satisfactory result, and a description of resulting potential for compromises to the information system) is provided to the information system owner in the initial (draft) security assessment report. The system owner may choose to act on selected recommendations of the assessor before the security assessment report is finalized if there are specific opportunities to correct weaknesses or deficiencies in the security controls or to correct/clarify misunderstandings or interpretations of assessment results.46  Security controls modified, enhanced, or added during this process should be reassessed by the assessor prior to the production of the final security assessment report. The delivery of the final assessment report to the information system owner marks the official end of the security control assessment.
3.4 ANALYZING SECURITY ASSESSMENT REPORT RESULTS
Since results of the security control assessment ultimately influence the content of the security plan and the plan of action and milestones, the information system owner reviews the findings of the assessor and with the concurrence of designated organizational officials (e.g., authorizing official, chief information officer, senior agency information security officer, mission/information owners), determines the appropriate steps required to correct weaknesses and deficiencies identified during the assessment. By using the tags of satisfied and other than satisfied, the reporting format for the assessment findings provides visibility for organizational officials into specific weaknesses and deficiencies in the information system and facilitates a disciplined and structured approach to mitigating risks in accordance with organizational priorities. For example, the information system owner in consultation with designated organizational officials may decide that certain assessment findings marked as other than satisfied are of an inconsequential nature and present no significant risk to the organization. Alternatively, the system owner and organizational officials may decide that certain findings marked as other than satisfied are significant, requiring immediate remediation actions. In all cases, the organization reviews each assessor finding of other than satisfied and applies its judgment with regard to the severity or seriousness of the finding (i.e., the potential adverse affect on the organization's operations and assets, individuals, other organizations, or the Nation), and whether the finding is significant enough to be worthy of further investigation or remedial action.
Senior leadership involvement in the mitigation process may be necessary in order to ensure that the organization's resources are effectively allocated in accordance with organizational priorities, providing resources first to the information systems that are supporting the most critical and sensitive missions for the organization or correcting the deficiencies that pose the greatest degree of risk. Ultimately, the assessment findings and any subsequent mitigation actions initiated by the information system owner in collaboration with designated organizational officials trigger updates to the risk assessment and the security plan. Therefore, the key documents used by the authorizing official to determine the security status of the information system (i.e., security plan with updated risk assessment, security assessment report, and plan of actions and milestones) are updated to reflect the results of the security control assessment.
Figure 2 provides an overview of the security control assessment process including the activities carried out during pre-assessment, assessment, and post-assessment.
- Actions to be accomplished in the execution of the Risk Management Framework prior to the assess security controls step include; (i) developing a security plan that defines the security controls for the information system; (ii) assessing this plan for completeness, correctness, and compliance with federal and organizational requirements; (iii) appropriate organizational officials approving the plan; and (iv) implementing the security controls called out in the plan. The security plan assessment represents, along with a verification that appropriate officials have approved the plan, the assessment of security controls PL-2 and, as appropriate, PL-3. The assessment of security control PL-2 (and PL-3) provides key information to be used by authorizing officials in their determination whether or not to approve the security plan, and hence represent assessment activity that should be completed prior to the formal security controls assessment step in the Risk Management Framework.
- The security control assessment may include common controls that are the responsibility of organizational entities other than the information system owner inheriting the controls or hybrid controls where there is shared responsibility among the system owner and designated organizational entities.
- Typically, these individuals include authorizing officials, information system owners, mission and information owners (if other than the information system owner), chief information officers, senior agency information security officers, inspectors general, information system security officers, users from organizations that the information system supports, and assessors (e.g., certification agents/teams, independent auditors).
- Information system owners and organizational entities developing, implementing, and/or administering common security controls are responsible for providing needed information to assessors/assessment teams.
- In situations where there are multiple security control assessments ongoing or planned within an organization, access to organizational elements, individuals, and artifacts supporting the assessments should be centrally managed by the organization to ensure a cost-effective use of time and resources.
- In accordance with NIST Special Publication 800-37, the security accreditation package consists of the security plan (including the risk assessment), the security assessment report, and the plan of action and milestones (POAM).
- Organizations may choose to develop an assessment summary from the detailed findings that are generated during a security control assessment. An assessment summary can provide an authorizing official with an abbreviated version a of Security Assessment Report focusing on the highlights of the assessment, synopsis of key findings, and/or recommendations for addressing weaknesses and deficiencies in the security controls.
- Section 3.2.7 provides guidance on optimizing assessment procedures.
- NIST Special Publication 800-39 provides further information on selecting security controls in an information system to be assessed as part of a continuous monitoring process. NIST Special Publication 800-37 provides guidance on continuous monitoring as part of the security certification and accreditation process.
- See Section on Reuse of assessment evidence-related considerations on page 20.
- The selection of assessment methods and objects (including the number and type of assessment objects) can be a significant factor in cost-effectively meeting the assessment objectives.
- In the absence of any suggested applicability designators for assessment methods, or in cases where a security control or control enhancement is used at a lower impact level than commonly applied, assessors will need to determine the appropriate applicability of the methods with regard to meeting the assessment expectations for the information system under assessment.
- Common security controls support multiple information systems within the organization and the protection measures provided by those controls are inherited by the individual systems under assessment. Therefore, the organization should determine the FIPS 199 impact level associated with the designated common controls to ensure that both the strength of the controls (i.e., security capability) and level of rigor and intensity of the control assessments are commensurate with the impact level of the individual information systems inheriting those controls. In general, the impact level associated with the organization's common controls should support the highest impact level of any individual information system within the organization relying on those controls.
- If assessment results are not currently available for the common controls, the assessment plans for the information systems under assessment that depend on those controls should be duly noted. The assessments cannot be considered complete until the assessment results for the common controls are made available to information system owners.
- Previously accepted or approved assessments include those assessments of common security controls that are managed by the organization and support multiple information systems.
- It should be noted that information technology product assessments are based upon the assumption that the products are properly and appropriately configured when installed in particular information systems in specific operational environments. If not properly configured, the products may not perform in the manner verified during the assessment.
- An external information system is an information system or component of an information system that is outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. NIST Special Publications 800-39 and 800-53 provide additional guidance on external information systems and the effect of employing security controls in those types of environments.
- Security control assessment sequencing is also addressed in the assessment cases described in Appendix J.
- Organizations should establish a security assessment plan approval process with the specific organizational officials (e.g., information systems owners, information system security officers, senior agency information security officers, authorizing officials) designated as approving authorities for the security plan of the information system being assessed.
- Determining the size and organizational makeup of the security assessment team (i.e., skill sets, technical expertise, and assessment experience of the individuals composing the team) is part of the risk management decisions made by the organization requesting and initiating the assessment of the information system.
- For assessment findings that are other than satisfied, organizations may choose to define subcategories of findings indicating the severity/criticality of the weaknesses or deficiencies discovered and the potential adverse effects on organizational operations and assets, individuals, other organizations, and the Nation. Defining such subcategories of findings can help to establish priorities for needed risk mitigation actions.
- The correction of deficiencies in security controls or carrying out of selected assessor recommendations during the information system owner's review of the initial (draft) security assessment report is not intended to replace the formal risk mitigation process by the organization which occurs after the delivery and acceptance of the final report. Rather, it provides the information system owner with an opportunity to address problems or deficiencies that may be quickly corrected.