Week 3
Worksheet 2: Creating an Audit Plan
Course Learning Outcome(s)
• Develop IT compliance audit plans.
When establishing an audit program, the audit committee or auditor selects the items or controls within
an organization's IT infrastructure that will be audited. The controls are drawn from NIST SP 800-53, and
the corresponding assessment procedures in NIST SP 800-53A define what must be reviewed for each one.
Enterprises provide services to their customers in the form of operating systems, applications, hardware,
Internet access, VoIP and security. These services run on hardware found in a server room, such as
application servers, data storage, web servers, email servers, call managers, firewalls, and security
appliances that provide network-based security and monitoring.
Often, services are provided to an enterprise by a third-party vendor or another organization, such as
SaaS, cloud-based storage, telephony, security, web hosting, connectivity, routing and switching.
Although these services are not operated by the enterprise itself, they still carry controls that are auditable.
When developing an audit plan, we first have to identify the items that are to be audited. Each audit
looks at controls that are derived from internal and external sources. Controls that are implemented and
managed locally, within the organization, are known as internal controls.
Services provided by outside vendors or third parties are governed through service level agreements
(SLAs). An SLA is a contractual commitment by the vendor or third party to a predefined set of
requirements, and those requirements should fall within the organization's own compliance requirements.
The controls an organization receives from an external provider in this way are known as inherited controls.
A key step in developing an audit plan is to identify which controls are internal to the organization and
which are inherited. As the auditor, you are responsible for confirming that both internal and inherited
controls meet the compliance requirements for accrediting the system. Items that do not meet SLA
requirements, whether or not they add measurable risk to the accreditation, should be reported to the
client or to the contracting official within your organization.
An audit plan consists of various components, as you have learned in your reading and lessons. The
foundational document of any audit clearly defines what is going to be audited. Once that is known, the
auditor can review those items to determine which controls are internal and which are inherited, so that
the right resources can be assigned to validating those controls.
Review the following scenario and determine whether each control is internal or inherited:
XYZ Corporation has retained you to audit their enterprise and validate their compliance requirements.
XYZ Corporation has a staff of 200 employees and an IT staff of three personnel. Internal to XYZ Corp,
the organization has a server room which houses network storage for proprietary data, an application
server to manage applications and licenses, a web server which hosts the company’s internal and
external websites, hardware firewalls and security appliances to manage and protect inbound and
outbound services. The organization has contracted Python LLC to provide email, VoIP, SaaS and cloud
storage services for non-proprietary data for XYZ Corp.
Based on the scenario above, determine whether each of the following controls is internal or inherited.

Control Name: Use of External Information Systems
Control: AC-21(1).1
Assessment Objective: Determine if the information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
Internal / Inherited:

Control Name: Content of Audit Records
Control: AU-3(2).1
Assessment Objective: Determine if: the organization defines the information system components for which the content of audit records generated is centrally managed; and the organization centrally manages the content of audit records generated by organization-defined information system components.
Internal / Inherited:

Control Name: Information Systems Connections
Control: CA-3.1
Assessment Objective: Determine if: the organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary); the organization authorizes connections from the information system to external information systems through the use of Interconnection Security Agreements; the organization documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and the organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
Internal / Inherited:

Control Name: Incident Monitoring
Control: IR-5(1)
Assessment Objective: Determine if: the organization employs automated mechanisms to assist in the tracking of security incidents; the organization employs automated mechanisms to assist in the collection of security incident information; and the organization employs automated mechanisms to assist in the analysis of security incident information.
Internal / Inherited:
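As an added example (not part of the worksheet or of NIST SP 800-53A), the following Python script shows how an auditor can derive the internal/inherited split mechanically from a component inventory: each control is mapped to the components it is implemented on, each component has a provider, and the classification, the evidence to collect, and any vendor relied on without an SLA on file all fall out of that mapping. The inventory, the vendor name and the control-to-component mappings mirror the XYZ Corp / Python LLC scenario but are my assumptions, not the worksheet's answers. The script also generalizes beyond the worksheet's two categories to a third outcome, hybrid, for controls that span both in-house and vendor-provided components.

```python
"""Derive who is responsible for each control in an audit plan.

Added example; not part of the worksheet or of NIST SP 800-53A. The component
inventory, the vendor name and the control-to-component mappings below are
constructed to mirror the XYZ Corp / Python LLC scenario and are assumptions,
not authoritative classifications.
"""
from dataclasses import dataclass
from enum import Enum


class Owner(Enum):
    INTERNAL = "internal"    # implemented and managed inside the organization
    INHERITED = "inherited"  # provided by a third party and enforced through an SLA
    HYBRID = "hybrid"        # partly internal, partly inherited


@dataclass(frozen=True)
class Component:
    name: str
    provider: str  # the organization itself or a vendor


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    determinations: tuple  # the individual "Determine if ..." statements
    components: tuple      # names of the components the control is implemented on


ORG = "XYZ Corp"
VENDOR = "Python LLC"

# Constructed inventory: what sits in XYZ's server room versus what is contracted out.
INVENTORY = {c.name: c for c in (
    Component("network storage", ORG),
    Component("application server", ORG),
    Component("web server", ORG),
    Component("security appliances", ORG),
    Component("email", VENDOR),
    Component("VoIP", VENDOR),
    Component("SaaS", VENDOR),
    Component("cloud storage", VENDOR),
)}

# Constructed mapping of the worksheet's controls to components (an assumption).
CONTROLS = (
    Control("AC-21(1).1", "information sharing",
            ("automated mechanisms support information-sharing decisions",),
            ("network storage", "SaaS", "cloud storage")),
    Control("AU-3(2).1", "content of audit records",
            ("components with centrally managed audit content are defined",
             "audit record content is centrally managed"),
            ("email", "VoIP", "SaaS")),
    Control("CA-3.1", "information system connections",
            ("external connections are identified",
             "connections are authorized through ISAs",
             "interface characteristics and security requirements are documented",
             "connections are monitored on an ongoing basis"),
            ("security appliances",)),
    Control("IR-5(1)", "incident monitoring",
            ("automated tracking of incidents",
             "automated collection of incident information",
             "automated analysis of incident information"),
            ("security appliances", "email", "VoIP")),
)


def classify(control, inventory, org=ORG):
    """Internal if every component is the organization's own, inherited if none is, else hybrid."""
    if not control.components:
        raise ValueError(f"{control.ident}: no components mapped, cannot classify")
    providers = {inventory[name].provider for name in control.components}
    if providers == {org}:
        return Owner.INTERNAL
    if org not in providers:
        return Owner.INHERITED
    return Owner.HYBRID


def evidence_for(owner):
    """What the assessor collects; inherited pieces are validated against the SLA, not tested directly."""
    internal = "examine/interview/test on the organization's own components"
    inherited = "review SLA terms and the vendor's assessment evidence"
    return {Owner.INTERNAL: [internal],
            Owner.INHERITED: [inherited],
            Owner.HYBRID: [internal, inherited, "document the split of responsibility"]}[owner]


def build_audit_plan(controls, inventory, org=ORG):
    """One plan entry per control: classification, vendors relied on, and evidence to gather."""
    plan = []
    for ctl in controls:
        owner = classify(ctl, inventory, org)
        vendors = sorted({inventory[n].provider for n in ctl.components} - {org})
        plan.append({"control": ctl.ident, "name": ctl.name, "owner": owner.value,
                     "vendors": vendors, "determinations": len(ctl.determinations),
                     "evidence": evidence_for(owner)})
    return plan


def missing_slas(plan, slas_on_file):
    """Vendors relied on for a control but with no SLA on file: report to the contracting official."""
    relied_on = {v for entry in plan for v in entry["vendors"]}
    return sorted(relied_on - set(slas_on_file))


if __name__ == "__main__":
    plan = build_audit_plan(CONTROLS, INVENTORY)
    for entry in plan:
        print(f"{entry['control']:<12} {entry['owner']:<9} vendors={entry['vendors']}")
    print("vendors without an SLA on file:", missing_slas(plan, {VENDOR}))
```

Running the script prints one line per control with its classification and the vendors it depends on, followed by any vendor that the plan relies on without an SLA on file. For a hybrid control the plan records both an on-site test and an SLA review, which is the split of assessor effort that the worksheet's final step is about.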
The audit function and the auditor are themselves auditable and are covered by a control within the NIST
framework. Referring to NIST SP 800-53 and SP 800-53A, Audit and Accountability Policy and Procedures,
explain what the assessment objective is, based on the control number it is associated with:
Control Number:
Description:
When an auditor develops an audit plan, the size or scope of the audit must be defined so that redundant
audits are avoided and time is applied to the controls within the domains that require it. In the chart
below, list the seven domains that are auditable:
1.
2.
3.
4.
5.
6.
7.
Archived NIST Technical Series Publication
The attached publication has been archived (withdrawn), and is provided solely for historical purposes.
It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: NIST Special Publication 800-53A Revision 1
Title: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Publication Date(s): June 2010
Withdrawal Date: December 11, 2015
Withdrawal Note: SP 800-53A Rev. 1 is withdrawn one year after the publication of SP 800-53A Rev. 4 (December 2014), and is superseded in its entirety.

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-53A Revision 4
Title: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Author(s): Joint Task Force Transformation Initiative
Publication Date(s): December 2014
URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Laboratory)
Latest revision of the attached publication: SP 800-53A Rev. 4, updated 12-18-2014 (as of December 11, 2015)
Related information: http://csrc.nist.gov/groups/SMA/fisma/assessment.html
Withdrawal announcement (link): N/A
Date updated: December 11, 2015
NIST Special Publication 800-53A
Revision 1
Guide for Assessing the Security
Controls in Federal Information
Systems and Organizations
Building Effective Security Assessment Plans
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
INFORMATION
SECURITY
Consistent with NIST SP 800-53, Revision 3
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
June 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Special Publication 800-53A
Guide for Assessing the Security Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Special Publication 800-53A, Revision 1, 399 pages
(June 2010)
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: sec-cert@nist.gov
Compliance with NIST Standards and Guidelines
In accordance with the provisions of FISMA,[1] the Secretary of Commerce shall, on the basis of
standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to
federal information systems. The Secretary shall make standards compulsory and binding to the
extent determined necessary by the Secretary to improve the efficiency of operation or security of
federal information systems. Standards prescribed shall include information security standards
that provide minimum information security requirements and are otherwise necessary to improve
the security of federal information and information systems.
• Federal Information Processing Standards (FIPS) are approved by the Secretary of
Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and
binding for federal agencies.[2] FISMA requires that federal agencies comply with these
standards, and therefore, agencies may not waive their use.
• Special Publications (SPs) are developed and issued by NIST as recommendations and
guidance documents. For other than national security programs and systems, federal
agencies must follow those NIST Special Publications mandated in a Federal Information
Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as
amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA
and Agency Privacy Management) state that for other than national security programs
and systems, federal agencies must follow certain specific NIST Special Publications.[3]
• Other security-related publications, including interagency reports (NISTIRs) and ITL
Bulletins, provide technical and other information about NIST's activities. These
publications are mandatory only when specified by OMB.
• Compliance schedules for NIST security standards and guidelines are established by
OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).[4]
[1] The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and
national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information
Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an
organization-wide program to provide security for the information systems that support its operations and assets.
[2] The term agency is used in this publication in lieu of the more general term organization only in those circumstances
where its usage is directly related to other source documents such as federal legislation or policy.
[3] While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB
policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and
principles articulated in the NIST Special Publications in accordance with and in the context of the agency's missions,
business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies
can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB
definition of adequate security for federal information systems. Given the high priority of information sharing and
transparency within the federal government, agencies also consider reciprocity in developing their information security
solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators,
auditors, and assessors consider the intent of the security concepts and principles articulated within the specific
guidance document and how the agency applied the guidance in the context of its mission/business responsibilities,
operational environment, and unique organizational conditions.
[4] Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing
Standards and Special Publications) are to the most recent version of the publication.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency
Working Group with representatives from the Civil, Defense, and Intelligence Communities in an
ongoing effort to produce a unified information security framework for the federal government.
The National Institute of Standards and Technology wishes to acknowledge and thank the senior
leaders from the Departments of Commerce and Defense, the Office of the Director of National
Intelligence, the Committee on National Security Systems, and the members of the interagency
technical working group whose dedicated efforts contributed significantly to the publication. The
senior leaders, interagency working group members, and their organizational affiliations include:
U.S. Department of Defense
Cheryl J. Roby, Acting Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Gus Guissanie, Acting Deputy Assistant Secretary of Defense for Cyber, Identity, and Information Assurance
Dominic Cussatt, Senior Policy Advisor
Office of the Director of National Intelligence
Honorable Priscilla Guthrie, Intelligence Community Chief Information Officer
Sherrill Nicely, Deputy Intelligence Community Chief Information Officer
Mark J. Morrison, Deputy Associate Director of National Intelligence for IC Information Assurance
Roger Caslow, Lead, C&A Transformation
National Institute of Standards and Technology
Cita M. Furlani, Director, Information Technology Laboratory
William C. Barker, Cyber Security Advisor, Information Technology Laboratory
Donna Dodson, Chief, Computer Security Division
Ron Ross, FISMA Implementation Project Leader
Committee on National Security Systems
Dave Wennergren, Acting Chair, CNSS
Eustace D. King, CNSS Subcommittee Co-Chair (DoD)
Peter Gouldmann, CNSS Subcommittee Co-Chair (DoS)
Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross, NIST, JTF Leader
Gary Stoneburner, Johns Hopkins APL
Terry Sherald, Department of Defense
Kelley Dempsey, NIST
Patricia Toth, NIST
Esten Porter, The MITRE Corporation
Peter Gouldmann, Department of State
Arnold Johnson, NIST
Bennett Hodge, Booz Allen Hamilton
Karen Quigg, The MITRE Corporation
Jonathan Chiu, Booz Allen Hamilton
Christian Enloe, NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and
Elizabeth Lennon of NIST for their superb technical editing and administrative support. The
authors also wish to recognize Jennifer Fabius Greene, James Govekar, Terrance Hazelwood,
Austin Hershey, Laurie Hestor, Jason Mackanick, Timothy Potter, Jennifer Puma, Matthew
Scholl, Julie Trei, Gail Tryon, Ricki Vanetesse, Cynthia Whitmer, and Peter Williams for their
exceptional contributions in helping to improve the content of the publication. And finally, the
authors gratefully acknowledge and appreciate the significant contributions from individuals and
organizations in the public and private sectors, nationally and internationally, whose thoughtful
and constructive comments improved the overall quality and usefulness of this publication.
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES
In developing standards and guidelines required by FISMA, NIST consults with other federal agencies
and offices as well as the private sector to improve information security, avoid unnecessary and costly
duplication of effort, and ensure that NIST publications are complementary with the standards and
guidelines employed for the protection of national security systems. In addition to its comprehensive
public review and vetting process, NIST is collaborating with the Office of the Director of National
Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security
Systems (CNSS) to establish a common foundation for information security across the federal
government. A common foundation for information security will provide the Intelligence, Defense,
and Civil sectors of the federal government and their contractors, more uniform and consistent ways to
manage the risk to organizational operations and assets, individuals, other organizations, and the
Nation that results from the operation and use of information systems. A common foundation for
information security will also provide a strong basis for reciprocal acceptance of security authorization
decisions and facilitate information sharing. NIST is also working with public and private sector
entities to establish specific mappings and relationships between the security standards and guidelines
developed by NIST and the International Organization for Standardization and International
Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS).
Table of Contents
CHAPTER ONE INTRODUCTION ............................................................ 1
1.1 PURPOSE AND APPLICABILITY ......................................................... 1
1.2 TARGET AUDIENCE ................................................................... 3
1.3 RELATED PUBLICATIONS AND ASSESSMENT PROCESSES ..................................... 4
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION .......................................... 5
CHAPTER TWO THE FUNDAMENTALS ........................................................... 6
2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE .............................. 6
2.2 STRATEGY FOR CONDUCTING SECURITY CONTROL ASSESSMENTS .............................. 7
2.3 BUILDING AN EFFECTIVE ASSURANCE CASE .............................................. 8
2.4 ASSESSMENT PROCEDURES ............................................................. 9
CHAPTER THREE THE PROCESS ............................................................. 13
3.1 PREPARING FOR SECURITY CONTROL ASSESSMENTS ....................................... 13
3.2 DEVELOPING SECURITY ASSESSMENT PLANS ............................................. 15
3.3 CONDUCTING SECURITY CONTROL ASSESSMENTS .......................................... 22
3.4 ANALYZING SECURITY ASSESSMENT REPORT RESULTS ..................................... 24
APPENDIX A REFERENCES ................................................................ A-1
APPENDIX B GLOSSARY .................................................................. B-1
APPENDIX C ACRONYMS .................................................................. C-1
APPENDIX D ASSESSMENT METHOD DESCRIPTIONS ............................................ D-1
APPENDIX E PENETRATION TESTING ....................................................... E-1
APPENDIX F ASSESSMENT PROCEDURE CATALOG .............................................. F-1
APPENDIX G SECURITY ASSESSMENT REPORTS ............................................... G-1
APPENDIX H ASSESSMENT CASES .......................................................... H-1
Prologue
“…Through the process of risk management, leaders must consider risk to U.S. interests from
adversaries using cyberspace to their advantage and from our own efforts to employ the global
nature of cyberspace to achieve objectives in military, intelligence, and business operations… “
“…For operational plans development, the combination of threats, vulnerabilities, and impacts
must be evaluated in order to identify important trends and decide where effort should be applied
to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess,
coordinate, and deconflict all cyberspace operations…”
“…Leaders at all levels are accountable for ensuring readiness and security to the same degree
as in any other domain…"
-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Preface
Security control assessments are not about checklists, simple pass-fail results, or generating
paperwork to pass inspections or audits—rather, security controls assessments are the principal
vehicle used to verify that the implementers and operators of information systems are meeting
their stated security goals and objectives. Special Publication 800-53A, Guide for Assessing the
Security Controls in Federal Information Systems and Organizations, is written to facilitate
security control assessments conducted within an effective risk management framework. The
assessment results provide organizational officials with:
• Evidence about the effectiveness of security controls in organizational information systems;
• An indication of the quality of the risk management processes employed within the
organization; and
• Information about the strengths and weaknesses of information systems which are supporting
organizational missions and business functions in a global environment of sophisticated and
changing threats.
The findings produced by assessors are used to determine the overall effectiveness of the security
controls associated with an information system (including system-specific, common, and hybrid
controls) and to provide credible and meaningful inputs to the organization’s risk management
process. A well-executed assessment helps to: (i) determine the validity of the security controls
contained in the security plan and subsequently employed in the information system and its
environment of operation; and (ii) facilitate a cost-effective approach to correcting weaknesses or
deficiencies in the system in an orderly and disciplined manner consistent with organizational
mission/business needs.
Special Publication 800-53A is a companion guideline to Special Publication 800-53,
Recommended Security Controls for Federal Information Systems and Organizations. Each
publication provides guidance for implementing specific steps in the Risk Management
Framework (RMF).[5] Special Publication 800-53 covers Step 2 in the RMF, security control
selection (i.e., determining what security controls are needed to manage risks to organizational
operations and assets, individuals, other organizations, and the Nation). Special Publication 800-53A covers RMF Step 4, security control assessment, and RMF Step 6, continuous monitoring,
and provides guidance on the security assessment process. This guidance includes how to build
effective security assessment plans and how to analyze and manage assessment results.
Special Publication 800-53A allows organizations to tailor and supplement the basic assessment
procedures provided. The concepts of tailoring and supplementation used in this document are
similar to the concepts described in Special Publication 800-53. Tailoring involves scoping the
assessment procedures to more closely match the characteristics of the information system and its
environment of operation. The tailoring process gives organizations the flexibility needed to
avoid assessment approaches that are unnecessarily complex or costly while simultaneously
meeting the assessment requirements established by applying the fundamental concepts in the
RMF. Supplementation involves adding assessment procedures or assessment details to
adequately meet the risk management needs of the organization (e.g., adding organization-specific details such as system/platform-specific information for selected security controls).
Supplementation decisions are left to the discretion of the organization in order to maximize
[5] Special Publication 800-37 provides guidance on applying the RMF to federal information systems.
flexibility in developing security assessment plans when applying the results of risk assessments
in determining the extent, rigor, and level of intensity of the assessments.
While flexibility continues to be an important factor in developing security assessment plans,
consistency of assessments is also an important consideration. A major design objective for
Special Publication 800-53A is to provide an assessment framework and initial starting point for
assessment procedures that are essential for achieving such consistency. In addition to the
assessment framework and initial starting point for assessment procedures, NIST initiated an
Assessment Case Development Project.[6] The purpose of the project is fourfold: (i) to actively
engage experienced assessors from multiple organizations in the development of a representative
set of assessment cases corresponding to the assessment procedures in Special Publication 800-53A; (ii) to provide organizations and the assessors supporting those organizations with an
exemplary set of assessment cases for each assessment procedure in the catalog of procedures in
this publication; (iii) to provide a vehicle for ongoing community-wide review of the assessment
cases to promote continuous improvement in the assessment process for more consistent, cost-effective security assessments of federal information systems; and (iv) to serve as a basis for
reciprocity among various communities of interest. The Assessment Case Development Project
is described in Appendix H.
In addition to the assessment case project supporting this publication, NIST also initiated the
Security Content Automation Protocol (SCAP)[7] project that supports and complements the
approach for achieving consistent, cost-effective security control assessments. The primary
purpose of the SCAP is to improve the automated application, verification, and reporting of
information technology product-specific security configuration settings, enabling organizations to
identify and reduce the vulnerabilities associated with products that are not configured properly.
As part of this initiative, an Open Checklist Interactive Language (OCIL)[8] provides the capability
to express the determination statements in the assessment procedures in Appendix F in a
framework that will establish interoperability with the validated tool sets supporting SCAP.
6 An assessment case represents a worked example of an assessment procedure that provides specific actions that an
assessor might carry out during the assessment of a security control or control enhancement in an information system.
7 Special Publication 800-126 provides guidance on the technical specification of the SCAP. Additional details on the
SCAP initiative, as well as freely available SCAP reference data, can be found at http://nvd.nist.gov.
8 OCIL is a framework for expressing security checks that cannot be evaluated without some human interaction or
feedback. It is used to determine the state of a system by presenting one or more questionnaires to its intended users.
The language includes constructs for questions, instructions for guiding users towards an answer, responses to
questions, artifacts, and evaluation results.
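The passage above describes two complementary kinds of check: automated verification of product-specific configuration settings (SCAP) and questionnaire-driven checks that need a human (OCIL). The following is an added example, not NIST code and not taken from the SCAP reference data: it parses a constructed sshd_config capture, verifies each directive against an expected value the way an automated checklist would, and adds one OCIL-style boolean question (question text, instruction, response, artifact, result) for a determination that cannot be automated. The check identifiers, the mapping of each setting to an SP 800-53 control, the sshd defaults assumed for absent directives, and the questionnaire are all illustrative; the questionnaire is modelled on OCIL's constructs, not emitted as OCIL XML.

```python
"""Automated configuration verification in the SCAP spirit, plus an OCIL-style
question for a determination that needs a human. Added example, not NIST code:
check ids, control mappings and the sshd_config sample are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sshd_config capture; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding yes
LogLevel INFO
"""


@dataclass(frozen=True)
class SettingCheck:
    check_id: str                  # hypothetical check identifier
    control: str                   # SP 800-53 control the setting supports (illustrative mapping)
    key: str                       # sshd_config directive
    expected: str                  # value the baseline requires
    default: Optional[str] = None  # assumed value in force when the directive is absent


SSHD_CHECKS = [
    SettingCheck("chk-ssh-root", "AC-6", "PermitRootLogin", "no"),
    SettingCheck("chk-ssh-pw", "IA-2", "PasswordAuthentication", "no"),
    SettingCheck("chk-ssh-x11", "CM-7", "X11Forwarding", "no", default="no"),
    SettingCheck("chk-ssh-log", "AU-12", "LogLevel", "VERBOSE", default="INFO"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective value per directive: comments stripped, first occurrence wins
    (sshd applies the first value it reads for a keyword)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)[\s=]+(.+)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def run_automated_checks(config_text: str, checks: List[SettingCheck]) -> List[dict]:
    """Compare each directive with the baseline; absent directives fall back to the assumed default."""
    settings = parse_sshd_config(config_text)
    results = []
    for c in checks:
        actual = settings.get(c.key.lower(), c.default)
        if actual is None:
            status = "unknown"        # directive absent and no documented default: needs a human
        elif actual.lower() == c.expected.lower():
            status = "pass"
        else:
            status = "fail"
        results.append({"id": c.check_id, "control": c.control, "source": "automated",
                        "key": c.key, "expected": c.expected, "actual": actual, "result": status})
    return results


@dataclass(frozen=True)
class BooleanQuestion:
    question_id: str   # hypothetical OCIL-style question id
    control: str
    text: str          # the question presented to the user
    instructions: str  # guidance toward an answer and the artifact to record


SSHD_QUESTIONS = [
    BooleanQuestion("q-ssh-change", "CM-3",
                    "Are changes to sshd_config reviewed and approved before deployment?",
                    "Ask the system administrator; record the change ticket as the artifact."),
]


def evaluate_questionnaire(questions: List[BooleanQuestion],
                           responses: Dict[str, Tuple[bool, str]]) -> List[dict]:
    """responses: question_id -> (answer, artifact). An unanswered question is 'not_tested'."""
    results = []
    for q in questions:
        if q.question_id in responses:
            answer, artifact = responses[q.question_id]
            status = "pass" if answer else "fail"
        else:
            artifact, status = None, "not_tested"
        results.append({"id": q.question_id, "control": q.control, "source": "manual",
                        "question": q.text, "artifact": artifact, "result": status})
    return results


def combined_results(config_text: str, responses: Dict[str, Tuple[bool, str]]) -> List[dict]:
    """One result list for the automated settings checks and the manual questionnaire."""
    return run_automated_checks(config_text, SSHD_CHECKS) + evaluate_questionnaire(SSHD_QUESTIONS, responses)


if __name__ == "__main__":
    sample_responses = {"q-ssh-change": (True, "CHG-0042 (constructed ticket id)")}
    for r in combined_results(SAMPLE_SSHD_CONFIG, sample_responses):
        print(f"{r['result']:<10} {r['id']:<14} {r['control']:<6} {r['source']}")
```

Against the constructed capture, PermitRootLogin and LogLevel fail, PasswordAuthentication passes, X11Forwarding passes only because the commented-out line is ignored and the assumed default applies, and the manual question passes on the recorded artifact. The "unknown" status for an absent directive with no known default is the point where an automated check hands off to an OCIL-style question rather than guessing.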
Special Publication 800-53A
Guide for Assessing the Security Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
CAUTIONARY NOTES
Organizations should carefully consider the potential impacts of employing the assessment
procedures defined in this Special Publication when assessing the security controls in
operational information systems. Certain assessment procedures, particularly those procedures
that directly impact the operation of hardware, software, or firmware components of an
information system, may inadvertently affect the routine processing, transmission, or storage of
information supporting organizational missions or business functions. For example, a critical
information system component may be taken offline for assessment purposes or a component
may suffer a fault or failure during the assessment process. Organizations should also take
necessary precautions during security assessment periods to ensure that organizational missions
and business functions continue to be supported by the information system and that any potential
impacts to operational effectiveness resulting from the assessment are considered in advance.
CHAPTER ONE
INTRODUCTION
THE NEED TO ASSESS SECURITY CONTROL EFFECTIVENESS IN INFORMATION SYSTEMS
Today’s information systems9 are complex assemblages of technology (i.e., hardware,
software, and firmware), processes, and people, working together to provide organizations
with the capability to process, store, and transmit information in a timely manner to
support various missions and business functions. The degree to which organizations have come
to depend upon these information systems to conduct routine, important, and critical missions and
business functions means that the protection of the underlying systems is paramount to the
success of the organization. The selection of appropriate security controls for an information
system is an important task that can have major implications on the operations and assets of an
organization as well as the welfare of individuals.10 Security controls are the management,
operational, and technical safeguards or countermeasures prescribed for an information system to
protect the confidentiality, integrity (including non-repudiation and authenticity), and availability
of the system and its information. Once employed within an information system, security
controls are assessed to provide the information necessary to determine their overall
effectiveness; that is, the extent to which the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to meeting the security requirements
for the system. Understanding the overall effectiveness of the security controls implemented in
the information system and its environment of operation is essential in determining the risk to the
organization’s operations and assets, to individuals, to other organizations, and to the Nation
resulting from the use of the system.
1.1 PURPOSE AND APPLICABILITY
The purpose of this publication is to provide guidelines for building effective security assessment
plans and a comprehensive set of procedures for assessing the effectiveness of security controls
employed in information systems supporting the executive agencies of the federal government.
The guidelines apply to the security controls defined in Special Publication 800-53 (as amended),
Recommended Security Controls for Federal Information Systems and Organizations. The
guidelines have been developed to help achieve more secure information systems within the
federal government by:
• Enabling more consistent, comparable, and repeatable assessments of security controls with
reproducible results;
• Facilitating more cost-effective assessments of security controls contributing to the
determination of overall control effectiveness;
• Promoting a better understanding of the risks to organizational operations, organizational
assets, individuals, other organizations, and the Nation resulting from the operation and use
of federal information systems; and
9 An information system is a discrete set of information resources organized expressly for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of information.
10 When selecting security controls for an information system, the organization also considers potential impacts to other
organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives,
potential national-level impacts.
• Creating more complete, reliable, and trustworthy information for organizational officials to
support risk management decisions, reciprocity of assessment results, information sharing,
and FISMA compliance.
This publication satisfies the requirements of the Federal Information Security Management Act
(FISMA) and meets or exceeds the information security requirements established for executive
agencies11 by the Office of Management and Budget (OMB) in Circular A-130, Appendix III,
Security of Federal Automated Information Resources. The guidelines in this publication are
applicable to all federal information systems other than those systems designated as national
security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly
developed from a technical perspective to complement similar guidelines for national security
systems and may be used for such systems with the approval of appropriate federal officials
exercising policy authority over such systems. State, local, and tribal governments, as well as
private sector organizations are encouraged to consider using these guidelines, as appropriate.12
Organizations use this publication in conjunction with an approved security plan in developing a
viable security assessment plan for producing and compiling the information necessary to
determine the effectiveness of the security controls employed in the information system. This
publication has been developed with the intention of enabling organizations to tailor and
supplement the basic assessment procedures provided. The assessment procedures are used as a
starting point for and as input to the security assessment plan. In developing effective security
assessment plans, organizations take into consideration existing information about the security
controls to be assessed (e.g., results from organizational assessments of risk, platform-specific
dependencies in the hardware, software, or firmware, and any assessment procedures needed as a
result of organization-specific controls not included in Special Publication 800-53).13
The selection of appropriate assessment procedures and the rigor, intensity, and scope of the
assessment depend on three factors:
• The security categorization of the information system;14
• The assurance requirements that the organization intends to meet in determining the overall
effectiveness of the security controls; and
11 An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department
specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a
wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the
term executive agency is synonymous with the term federal agency.
12 In accordance with the provisions of FISMA and OMB policy, whenever the interconnection of federal information
systems to information systems operated by state/local/tribal governments, contractors, or grantees involves the
processing, storage, or transmission of federal information, the information security standards and guidelines described
in this publication apply. Specific information security requirements and the terms and conditions of the system
interconnections are expressed in the Memorandums of Understanding and Interconnection Security Agreements
established by participating organizations.
13 For example, detailed test scripts may need to be developed for the specific operating system, network component,
middleware, or application employed within the information system to adequately assess certain characteristics of a
particular security control. Such test scripts are at a lower level of detail than provided by the assessment procedures
contained in Appendix F (Assessment Procedures Catalog) and are therefore beyond the scope of this publication.
Additional details for assessments are provided in the supporting assessment cases described in Appendix H.
14 For national security systems, security categorization is accomplished in accordance with CNSS Instruction 1253.
For other than national security systems, security categorization is accomplished in accordance with FIPS 199 and
Special Publication 800-60.
• The selection of security controls from Special Publication 800-53 as identified in the
approved security plan.15
The assessment process is an information-gathering activity, not a security-producing activity.
Organizations determine the most cost-effective implementation of this key element in the
organization’s information security program by applying the results of risk assessments,
considering the maturity and quality level of the organization’s risk management processes, and
taking advantage of the flexibility in the concepts described in this publication. The use of
Special Publication 800-53A as a starting point in the process of defining procedures for
assessing the security controls in information systems and organizations, promotes a consistent
level of security and offers the needed flexibility to customize the assessment based on
organizational policies and requirements, known threat and vulnerability information, operational
considerations, information system and platform dependencies, and tolerance for risk.16 The
information produced during security control assessments can be used by an organization to:
• Identify potential problems or shortfalls in the organization’s implementation of the Risk
Management Framework;
• Identify information system weaknesses and deficiencies;
• Prioritize risk mitigation decisions and associated risk mitigation activities;
• Confirm that identified weaknesses and deficiencies in the information system have been
addressed;
• Support continuous monitoring activities and information security situational awareness;
• Facilitate security authorization decisions; and
• Inform budgetary decisions and the capital investment process.
Organizations are not expected to employ all of the assessment methods and assessment objects
contained within the assessment procedures identified in this publication for the associated
security controls deployed within or inherited by organizational information systems. Rather,
organizations have the inherent flexibility to determine the level of effort needed for a particular
assessment (e.g., which assessment methods and assessment objects are deemed to be the most
useful in obtaining the desired results). This determination is made on the basis of what will
accomplish the assessment objectives in the most cost-effective manner and with sufficient
confidence to support the subsequent determination of the resulting mission or business risk.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse group of information system and information
security professionals including:
• Individuals with information system development and integration responsibilities (e.g.,
program managers, information technology product developers, information system
developers, systems integrators, information security architects);
15 The security controls for the information system are documented in the security plan after the initial selection,
tailoring, and supplementation of the controls as described in NIST Special Publication 800-53 and CNSS Instruction
1253. The security plan is approved by the authorizing official with recommendations from other appropriate
organizational officials prior to the start of the security control assessment.
16 In this publication, the term risk is used to mean risk to organizational operations (i.e., mission, functions, image, and
reputation), organizational assets, individuals, other organizations, and the Nation.
• Individuals with information security assessment and continuous monitoring responsibilities
(e.g., system evaluators/testers, penetration testers, security control assessors, independent
verifiers and validators, auditors, information system owners, common control providers);
• Individuals with information system and security management and oversight responsibilities
(e.g., authorizing officials, senior information security officers,17 information security
managers); and
• Individuals with information security implementation and operational responsibilities (e.g.,
information system owners, common control providers, information owners/stewards,
mission owners, systems administrators, information system security officers).
1.3 RELATED PUBLICATIONS AND ASSESSMENT PROCESSES
Special Publication 800-53A is designed to support Special Publication 800-37, Guide for
Applying the Risk Management Framework to Federal Information Systems: A Security Life
Cycle Approach. In particular, the assessment procedures contained in this publication and the
guidelines provided for developing security assessment plans for organizational information
systems directly support the security control assessment and continuous monitoring activities that
are integral to the risk management process. This includes providing near real-time information
to organizational officials regarding the ongoing security state of their information systems.
Organizations are encouraged, whenever possible, to take advantage of the assessment results and
associated assessment-related documentation and evidence available on information system
components from previous assessments including independent third-party testing, evaluation, and
validation.18 Product testing, evaluation, and validation may be conducted on cryptographic
modules and general-purpose information technology products such as operating systems,
database systems, firewalls, intrusion detection devices, Web browsers, Web applications, smart
cards, biometrics devices, personal identity verification devices, network devices, and hardware
platforms using national and international standards. If an information system component
product is identified as providing support for the implementation of a particular security control
in Special Publication 800-53, then evidence produced during the product testing, evaluation, and
validation processes (e.g., security specifications, analyses and test results, validation reports, and
validation certificates)19 is used to the extent that it is applicable. This evidence is combined with
the assessment-related evidence obtained from the application of the assessment procedures in
this publication, to cost-effectively produce the information necessary to determine whether the
security controls are effective in their application.
17 At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may
also refer to this position as the Chief Information Security Officer.
18 Assessment results can be obtained from many activities that occur routinely during the system development life
cycle. For example, assessment results are produced during the testing and evaluation of new information system
components during system upgrades or system integration activities. Organizations can take advantage of previous
assessment results whenever possible, to reduce the overall cost of assessments and to make the assessment process
more efficient.
19 Organizations review the available information from component information technology products to determine: (i)
what security controls are implemented by the product; (ii) if those security controls meet the intended control
requirements of the information system under assessment; (iii) if the configuration of the product and the environment
in which the product operates are consistent with the environmental and product configuration stated by the vendor
and/or developer; and (iv) if the assurance requirements stated in the developer/vendor specification satisfy the
assurance requirements for assessing those controls. Meeting the above criteria provides a sound rationale that the
product is suitable and meets the intended security control requirements of the information system under assessment.
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:
• Chapter Two describes the fundamental concepts associated with security control
assessments including: (i) the integration of assessments into the system development life
cycle; (ii) the importance of an organization-wide strategy for conducting security control
assessments; (iii) the development of effective assurance cases to help increase the grounds
for confidence in the effectiveness of the security controls being assessed; and (iv) the format
and content of assessment procedures.
• Chapter Three describes the process of assessing the security controls in organizational
information systems and their environments of operation including: (i) the activities carried
out by organizations and assessors to prepare for security control assessments; (ii) the
development of security assessment plans; (iii) the conduct of security control assessments
and the analysis, documentation, and reporting of assessment results; and (iv) the
post-assessment report analysis and follow-on activities carried out by organizations.
• Supporting appendices provide detailed assessment-related information including: (i)
general references; (ii) definitions and terms; (iii) acronyms; (iv) a description of assessment
methods; (v) penetration testing guidelines; (vi) a master catalog of assessment procedures
that can be used to develop plans for assessing security controls; (vii) content of security
assessment reports; and (viii) the definition, format, and use of assessment cases.
CHAPTER TWO
THE FUNDAMENTALS
BASIC CONCEPTS ASSOCIATED WITH SECURITY CONTROL ASSESSMENTS
This chapter describes the basic concepts associated with assessing the security controls in
organizational information systems including: (i) the integration of assessments into the
system development life cycle; (ii) the importance of an organization-wide strategy for
conducting security control assessments; (iii) the development of effective assurance cases to help
increase the grounds for confidence in the effectiveness of the security controls; and (iv) the
format and content of assessment procedures.
2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE
Security assessments can be effectively carried out at various stages in the system development
life cycle20 to increase the grounds for confidence that the security controls employed within or
inherited by an information system are effective in their application. This publication provides a
comprehensive set of assessment procedures to support security assessment activities throughout
the system development life cycle. For example, security assessments are routinely conducted by
information system developers and system integrators during the development/acquisition and
implementation phases of the life cycle to help ensure that the required security controls for the
system are properly designed and developed, correctly implemented, and consistent with the
established organizational information security architecture. Assessment activities in the initial
system development life cycle phases include, for example, design and code reviews, application
scanning, and regression testing. Security weaknesses and deficiencies identified early in the
system development life cycle can be resolved more quickly and in a much more cost-effective
manner before proceeding to subsequent phases in the life cycle. The objective is to identify the
information security architecture and security controls up front and to ensure that the system
design and testing validate the implementation of these controls. The assessment procedures
described in Appendix F can support these types of assessments carried out during the initial
stages of the system development life cycle.
Security assessments are also routinely conducted by information system owners, common
control providers, information system security officers, independent assessors, auditors, and
Inspectors General during the operations and maintenance phase of the life cycle to ensure that
security controls are effective and continue to be effective in the operational environment where
the system is deployed. For example, organizations assess all security controls employed within
and inherited by the information system during the initial security authorization. Subsequent to
the initial authorization, the organization assesses the security controls (including management,
operational, and technical controls) on an ongoing basis. The frequency of such monitoring is
based on the continuous monitoring strategy developed by the information system owner or
common control provider and approved by the authorizing official.21 Finally, at the end of the life
cycle, security assessments are conducted as part of ensuring that important organizational
information is purged from the information system prior to disposal.
20 There are typically five phases in a generic system development life cycle: (i) initiation; (ii) development/acquisition;
(iii) implementation; (iv) operations and maintenance; and (v) disposition (disposal).
21 Special Publication 800-37 provides guidance on the continuous monitoring of security controls.
2.2 STRATEGY FOR CONDUCTING SECURITY CONTROL ASSESSMENTS
Organizations are encouraged to develop a broad-based, organization-wide strategy for
conducting security assessments, facilitating more cost-effective and consistent assessments
across the inventory of information systems. An organization-wide strategy begins by applying
the initial steps of the Risk Management Framework to all information systems within the
organization, with an organizational view of the security categorization process and the security
control selection process (including the identification of common controls). Categorizing
information systems as an organization-wide activity taking into consideration the enterprise
architecture and the information security architecture helps to ensure that the individual systems
are categorized based on the mission and business objectives of the organization. Maximizing the
number of common controls employed within an organization: (i) significantly reduces the cost of
development, implementation, and assessment of security controls; (ii) allows organizations to
centralize security control assessments and to amortize the cost of those assessments across all
information systems organization-wide; and (iii) increases overall security control consistency.
An organization-wide approach to identifying common controls early in the application of the
RMF facilitates a more global strategy for assessing those controls and sharing essential
assessment results with information system owners and authorizing officials. The sharing of
assessment results among key organizational officials across information system boundaries has
many important benefits including:
• Providing the capability to review assessment results for all information systems and to make
organization-wide, mission/business-related decisions on risk mitigation activities according
to organizational priorities, the security categorization of the information systems supporting
the organization, and risk assessments;
• Providing a more global view of systemic weaknesses and deficiencies occurring in
information systems across the organization;
• Providing an opportunity to develop organization-wide solutions to information security
problems; and
• Increasing the organization’s knowledge base regarding threats, vulnerabilities, and strategies
for more cost-effective solutions to common information security problems.
Organizations can also promote a more focused and cost-effective assessment process by: (i)
developing more specific assessment procedures that are tailored for their specific organizational
environments of operation and requirements (instead of relegating these tasks to each security
control assessor or assessment team); and (ii) providing organization-wide tools, templates, and
techniques to support more consistent assessments throughout the organization.
While the conduct of security control assessments is the primary responsibility of information
system owners and common control providers with oversight by their respective authorizing
officials, there is also significant involvement in the assessment process by other parties within
the organization who have a vested interest in the outcome of assessments. Other interested
parties include, for example, mission/business owners, information owners/stewards (when those
roles are filled by someone other than the information system owner), information security
officials, and the risk executive (function). It is imperative that information system owners and
common control providers coordinate with the other parties in the organization having an interest
in security control assessments to help ensure that the organization’s core missions and business
functions are adequately addressed in the selection of security controls to be assessed.
2.3 BUILDING AN EFFECTIVE ASSURANCE CASE
Building an effective assurance case22 for security control effectiveness is a process that involves:
(i) compiling evidence from a variety of activities conducted during the system development life
cycle that the controls employed in the information system are implemented correctly, operating
as intended, and producing the desired outcome with respect to meeting the security requirements
of the system; and (ii) presenting this evidence in a manner that decision makers are able to use
effectively in making risk-based decisions about the operation or use of the system. The evidence
described above comes from the implementation of the security controls in the information
system and inherited by the system (i.e., common controls) and from the assessments of that
implementation. Ideally, the assessor is building on previously developed materials that started
with the specification of the organization’s information security needs and was further developed
during the design, development, and implementation of the information system. These materials,
developed while implementing security throughout the life cycle of the information system,
provide the initial evidence for an assurance case.
Assessors obtain the required evidence during the assessment process to allow the appropriate
organizational officials to make objective determinations about the effectiveness of the security
controls and the overall security state of the information system. The assessment evidence
needed to make such determinations can be obtained from a variety of sources including, but not
limited to, information technology product and system assessments. Product assessments (also
known as product testing, evaluation, and validation) are typically conducted by independent,
third-party testing organizations. These assessments examine the security functions of products
and established configuration settings. Assessments can be conducted against industry, national,
or international information security standards as well as developer/vendor claims. Since many
information technology products are assessed by commercial testing organizations and then
subsequently deployed in millions of information systems, these types of assessments can be
carried out at a greater level of depth and provide deeper insights into the security capabilities of
the particular products.
System assessments are typically conducted by information systems developers, systems
integrators, information system owners, common control providers, assessors, auditors, Inspectors
General, and the information security staffs of organizations. The assessors or assessment teams
bring together available information about the information system such as the results from
individual component product assessments, if available, and conduct additional system-level
assessments using a variety of methods and techniques. System assessments are used to compile
and evaluate the evidence needed by organizational officials to determine how effective the
security controls employed in the information system are likely to be in mitigating risks to
organizational operations and assets, to individuals, to other organizations, and to the Nation.
The results from assessments conducted using information system-specific and
organization-specific assessment procedures derived from the guidelines in this publication contribute to
compiling the necessary evidence to determine security control effectiveness in accordance with
the assurance requirements documented in the security plan.
22
An assurance case is a body of evidence organized into an argument demonstrating that some claim about an
information system holds (i.e., is assured). An assurance case is needed when it is important to show that a system
exhibits some complex property such as safety, security, or reliability. Additional information can be obtained at
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643.html.
CHAPTER 2
PAGE 8
Special Publication 800-53A
Guide for Assessing the Security Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
2.4 ASSESSMENT PROCEDURES
An assessment procedure consists of a set of assessment objectives, each with an associated set of
potential assessment methods and assessment objects. An assessment objective includes a set of
determination statements related to the security control under assessment. The determination
statements are linked to the content of the security control (i.e., the security control functionality)
to ensure traceability of assessment results back to the fundamental control requirements. The
application of an assessment procedure to a security control produces assessment findings. These
assessment findings reflect, or are subsequently used, to help determine the overall effectiveness
of the security control.
Assessment objects identify the specific items being assessed and include specifications,
mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g.,
policies, procedures, plans, system security requirements, functional specifications, and
architectural designs) associated with an information system. Mechanisms are the specific
hardware, software, or firmware safeguards and countermeasures employed within an information
system.23 Activities are the specific protection-related pursuits or actions supporting an
information system that involve people (e.g., conducting system backup operations, monitoring
network traffic, exercising a contingency plan). Individuals, or groups of individuals, are people
applying the specifications, mechanisms, or activities described above.
Assessment methods define the nature of the assessor actions and include examine, interview, and
test. The examine method is the process of reviewing, inspecting, observing, studying, or
analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The
purpose of the examine method is to facilitate assessor understanding, achieve clarification, or
obtain evidence. The interview method is the process of holding discussions with individuals or
groups of individuals within an organization to once again, facilitate assessor understanding,
achieve clarification, or obtain evidence. The test method is the process of exercising one or
more assessment objects (i.e., activities or mechanisms) under specified conditions to compare
actual with expected behavior. In all three assessment methods, the results are used in making
specific determinations called for in the determination statements and thereby achieving the
objectives for the assessment procedure. A complete description of assessment methods and
assessment objects is provided in Appendix D.
The assessment methods have a set of associated attributes, depth and coverage, which help
define the level of effort for the assessment. These attributes are hierarchical in nature, providing
the means to define the rigor and scope of the assessment for the increased assurances that may
be needed for some information systems. The depth attribute addresses the rigor of and level of
detail in the examination, interview, and testing processes. Values for the depth attribute include
basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the
examination, interview, and testing processes including the number and type of specifications,
mechanisms, and activities to be examined or tested and the number and types of individuals to
be interviewed. Similar to the depth attribute, values for the coverage attribute include basic,
focused, and comprehensive. The appropriate depth and coverage attribute values for a particular
assessment method are based on the assurance requirements specified by the organization.24 As
assurance requirements increase with regard to the development, implementation, and operation
of security controls within or inherited by the information system, the rigor and scope of the
assessment activities (as reflected in the selection of assessment methods and objects and the
assignment of depth and coverage attribute values) tend to increase as well. Appendix D
provides a detailed description of assessment method attributes and attribute values.
23
Mechanisms also include physical protection devices associated with an information system (e.g., locks, keypads,
security cameras, fire protection devices, fireproof safes, etc.).
24
For other than national security systems, organizations meet minimum assurance requirements specified in Special
Publication 800-53, Appendix E.
While flexibility continues to be an important factor in developing security assessment plans,
consistency of assessments is also an important consideration. A major design objective for
Special Publication 800-53A is to provide an assessment framework and initial starting point for
assessment procedures that are essential for achieving such consistency. In addition to the
assessment framework and initial starting point for assessment procedures, Appendix H describes
the Assessment Case Development Project. The purpose of this project is fourfold: (i) to actively
engage experienced assessors in the development of a representative set of assessment cases
corresponding to the assessment procedures in Appendix F; (ii) to provide organizations and the
assessors supporting those organizations with an exemplary set of assessment cases for each
assessment procedure in the catalog of procedures in Appendix F; (iii) to provide a vehicle for
ongoing community-wide review of the assessment cases to promote continuous improvement in
the assessment process for more consistent, cost-effective security assessments of federal
information systems; and (iv) to serve as a basis of reciprocity among various communities of
interest. Appendix H contains several examples of assessment cases.
AN EXAMPLE ASSESSMENT PROCEDURE
SECURITY CONTROL
CP-2
CONTINGENCY PLAN
Control:
The organization:
a. Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency
requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact
information;
- Addresses maintaining essential missions and business functions despite an
information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the
security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key
contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system,
or environment of operation and problems encountered during contingency plan
implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key
contingency personnel (identified by name and/or by role) and organizational elements].
Supplemental
Guidance:
Contingency planning for information systems is part of an overall organizational
program for achieving continuity of operations for mission/business operations.
Contingency planning addresses both information system restoration and implementation
of alternative mission/business processes when systems are compromised. Information
system recovery objectives are consistent with applicable laws, Executive Orders,
directives, policies, standards, or regulations. In addition to information system
availability, contingency plans also address other security-related events resulting in a
reduction in mission/business effectiveness, such as malicious attacks compromising the
confidentiality or integrity of the information system. Examples of actions to call out in
contingency plans include, for example, graceful degradation, information system
shutdown, fall back to a manual mode, alternate information flows, or operating in a
mode that is reserved solely for when the system is under attack. Related controls: AC-14,
CP-6, CP-7, CP-8, IR-4, PM-8, PM-11.
The first assessment objective for CP-2 is derived from the basic control statement. Potential
assessment methods and objects are added to the assessment procedure.
ASSESSMENT PROCEDURE
CP-2.1
ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a contingency plan for the information system that:
- identifies essential missions and business functions and associated contingency
requirements;
- provides recovery objectives, restoration priorities, and metrics;
- addresses contingency roles, responsibilities, assigned individuals with contact
information;
- addresses maintaining essential missions and business functions despite an
information system disruption, compromise, or failure; and
- addresses eventual, full information system restoration without deterioration of
the security measures originally planned and implemented; and
- is reviewed and approved by designated officials within the organization;
(ii) the organization defines key contingency personnel (identified by name and/or by
role) and organizational elements designated to receive copies of the contingency
plan; and
(iii) the organization distributes copies of the contingency plan to organization-defined
key contingency personnel and organizational elements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations
for the information system; contingency plan; security plan; other relevant documents or
records].25
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan
implementation responsibilities].
25
Although not explicitly noted with each identified assessment method in the assessment procedure format in
Appendix F, the attribute values of depth and coverage described in Appendix D are assigned by the organization and
applied by the assessor/assessment team in the execution of the assessment method against an assessment object.
In a similar manner, the second assessment objective and potential assessment methods and
objects for CP-2 are established.
ASSESSMENT PROCEDURE
CP-2.2
ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization coordinates contingency planning activities with incident handling
activities;
(ii) the organization defines the frequency of contingency plan reviews;
(iii) the organization reviews the contingency plan for the information system in
accordance with the organization-defined frequency;
(iv) the organization revises the contingency plan to address changes to the
organization, information system, or environment of operation and problems
encountered during contingency plan implementation, execution or testing; and
(v) the organization communicates contingency plan changes to the key contingency
personnel and organizational elements as identified in CP-2.1 (ii).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations
for the information system; contingency plan; security plan; other relevant documents or
records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan
implementation responsibilities; organizational personnel with incident handling
responsibilities].
The assessment objectives within a particular assessment procedure are numbered sequentially
(e.g., CP-2.1,…, CP-2.n). If the security control has any enhancements, assessment objectives are
developed for each enhancement using the same process as for the base control. The resulting
assessment objectives within the assessment procedure are numbered sequentially (e.g., CP-2(1).1
indicating the first assessment objective for the first enhancement for security control CP-2).
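The structure described in Section 2.4 and illustrated by CP-2.1 above (objectives made of determination statements, each with potential methods applied to objects of the allowed kinds, and the CP-2.1 / CP-2(1).1 numbering) can be captured in a small data model. The following Python is an added example written for this page, not code from NIST or from Special Publication 800-53A; the class and function names are this example's own, and the abbreviated determination statements for CP-2.1 are constructed from the text above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Method(Enum):
    """The three assessment methods defined in Section 2.4."""
    EXAMINE = "examine"
    INTERVIEW = "interview"
    TEST = "test"


class ObjectKind(Enum):
    """The four kinds of assessment object."""
    SPECIFICATION = "specification"
    MECHANISM = "mechanism"
    ACTIVITY = "activity"
    INDIVIDUAL = "individual"


# Object kinds each method can be applied to, as stated in Section 2.4:
# examine -> specifications, mechanisms, activities; interview -> individuals;
# test -> activities, mechanisms.
APPLICABLE = {
    Method.EXAMINE: {ObjectKind.SPECIFICATION, ObjectKind.MECHANISM, ObjectKind.ACTIVITY},
    Method.INTERVIEW: {ObjectKind.INDIVIDUAL},
    Method.TEST: {ObjectKind.ACTIVITY, ObjectKind.MECHANISM},
}


@dataclass
class AssessmentObject:
    name: str
    kind: ObjectKind


@dataclass
class AssessmentObjective:
    identifier: str                                   # e.g. "CP-2.1"
    determinations: List[str]                         # determination statements
    methods: Dict[Method, List[AssessmentObject]] = field(default_factory=dict)

    def add_method(self, method: Method, objects: List[AssessmentObject]):
        """Attach a potential method and its objects, rejecting method/object mismatches."""
        for obj in objects:
            if obj.kind not in APPLICABLE[method]:
                raise ValueError(f"{method.value} cannot be applied to {obj.kind.value} {obj.name!r}")
        self.methods.setdefault(method, []).extend(objects)
        return self


def objective_id(control: str, index: int, enhancement: Optional[int] = None) -> str:
    """CP-2.1 for the base control, CP-2(1).1 for the first objective of enhancement (1)."""
    base = control if enhancement is None else f"{control}({enhancement})"
    return f"{base}.{index}"


def evaluate(objective: AssessmentObjective, findings: Dict[str, bool]) -> bool:
    """An objective is met only if every determination statement is satisfied.

    A determination with no recorded finding is an incomplete assessment, not a pass.
    """
    missing = [d for d in objective.determinations if d not in findings]
    if missing:
        raise KeyError(f"no finding recorded for: {missing}")
    return all(findings[d] for d in objective.determinations)


# CP-2.1 as shown on the page, with its determination statements abbreviated.
cp_2_1 = AssessmentObjective(
    objective_id("CP-2", 1),
    ["(i) develops a contingency plan for the information system",
     "(ii) defines key contingency personnel and organizational elements",
     "(iii) distributes copies of the contingency plan"],
).add_method(Method.EXAMINE, [
    AssessmentObject("contingency planning policy", ObjectKind.SPECIFICATION),
    AssessmentObject("contingency plan", ObjectKind.SPECIFICATION),
    AssessmentObject("security plan", ObjectKind.SPECIFICATION),
]).add_method(Method.INTERVIEW, [
    AssessmentObject("personnel with contingency planning responsibilities", ObjectKind.INDIVIDUAL),
])

if __name__ == "__main__":
    print(cp_2_1.identifier, [m.value for m in cp_2_1.methods])
    print(objective_id("CP-2", 1, enhancement=1))
```

The `APPLICABLE` table is what makes the model useful: it stops an assessment plan from, say, listing an interview against a document, which is the kind of mismatch the text rules out when it ties each method to its object kinds.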
CHAPTER THREE
THE PROCESS
CONDUCTING EFFECTIVE SECURITY CONTROL ASSESSMENTS
This chapter describes the process of assessing the security controls in organizational
information systems including: (i) the activities carried out by organizations and assessors
to prepare for security control assessments; (ii) the development of security assessment
plans; (iii) the conduct of security control assessments and the analysis, documentation, and
reporting of assessment results; and (iv) post-assessment report analysis and follow-on activities
carried out by organizations.
3.1 PREPARING FOR SECURITY CONTROL ASSESSMENTS
Conducting security control assessments in today’s complex environment of sophisticated
information technology infrastructures and high-visibility, mission-critical applications can be
difficult, challenging, and resource-intensive. Success requires the cooperation and collaboration
among all parties having a vested interest in the organization’s information security posture,
including information system owners, common control providers, authorizing officials, chief
information officers, senior information security officers, chief executive officers/heads of
agencies, Inspectors General, and the OMB. Establishing an appropriate set of expectations
before, during, and after the assessment is paramount to achieving an acceptable outcome—that
is, producing information necessary to help the authorizing official make a credible, risk-based
decision on whether to place the information system into operation or continue its operation.
Thorough preparation by the organization and the assessors is an important aspect of conducting
effective security control assessments. Preparatory activities address a range of issues relating to
the cost, schedule, and performance of the assessment. From the organizational perspective,
preparing for a security control assessment includes the following key activities:
• Ensuring that appropriate policies covering security control assessments are in place and understood by all affected organizational elements;
• Ensuring that all steps in the RMF prior to the security control assessment step have been successfully completed and received appropriate management oversight;26
• Ensuring that security controls identified as common controls (and the common portion of hybrid controls) have been assigned to appropriate organizational entities (i.e., common control providers) for development and implementation;27
• Establishing the objective and scope of the security control assessment (i.e., the purpose of the assessment and what is being assessed);
26
Conducting security control assessments in parallel with the development/acquisition and implementation phases of
the life cycle permits the identification of weaknesses and deficiencies early and provides the most cost-effective
method for initiating corrective actions. Issues found during these assessments can be referred to authorizing officials
for early resolution, as appropriate. The results of security control assessments carried out during system development
and implementation can also be used (consistent with reuse criteria) during the security authorization process to avoid
system fielding delays or costly repetition of assessments.
27
Security control assessments include common controls that are the responsibility of organizational entities other than
the information system owner inheriting the controls or hybrid controls where there is shared responsibility among the
system owner and designated organizational entities.
• Notifying key organizational officials of the impending security control assessment and allocating necessary resources to carry out the assessment;
• Establishing appropriate communication channels among organizational officials having an interest in the security control assessment;28
• Establishing time frames for completing the security control assessment and key milestone decision points required by the organization to effectively manage the assessment;
• Identifying and selecting a competent assessor/assessment team that will be responsible for conducting the security control assessment, considering issues of assessor independence;
• Collecting artifacts to provide to the assessor/assessment team (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results); and
• Establishing a mechanism between the organization and the assessor and/or assessment team to minimize ambiguities or misunderstandings about security control implementation or security control weaknesses/deficiencies identified during the assessment.
Security control assessors/assessment teams begin preparing for the assessment by:
• Obtaining a general understanding of the organization’s operations (including mission, functions, and business processes) and how the information system that is the subject of the security control assessment supports those organizational operations;
• Obtaining an understanding of the structure of the information system (i.e., system architecture);
• Obtaining a thorough understanding of the security controls being assessed (including system-specific, hybrid, and common controls);
• Identifying the organizational entities responsible for the development and implementation of the common controls (or the common portion of hybrid controls) supporting the information system;
• Establishing appropriate organizational points of contact needed to carry out the security control assessment;
• Obtaining artifacts needed for the security control assessment (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results);
• Obtaining previous assessment results that may be appropriately reused for the security control assessment (e.g., Inspector General reports, audits, vulnerability scans, physical security inspections, prior assessments, developmental testing and evaluation, vendor flaw remediation activities, ISO/IEC 15408 [Common Criteria] evaluations);
• Meeting with appropriate organizational officials to ensure common understanding for assessment objectives and the proposed rigor and scope of the assessment; and
• Developing a security assessment plan.
28
Typically, these individuals include authorizing officials, information system owners, common control providers,
mission and information owners/stewards (if other than the information system owner), chief information officers,
senior information security officers, Inspectors General, information system security officers, users from organizations
that the information system supports, and assessors.
In preparation for the assessment of security controls, the necessary background information is
assembled and made available to the assessors or assessment team.29 To the extent necessary to
support the specific assessment, the organization identifies and arranges access to: (i) elements of
the organization responsible for developing, documenting, disseminating, reviewing, and
updating all security policies and associated procedures for implementing policy-compliant
controls; (ii) the security policies for the information system and any associated implementing
procedures; (iii) individuals or groups responsible for the development, implementation,
operation, and maintenance of security controls; (iv) any materials (e.g., security plans, records,
schedules, assessment reports, after-action reports, agreements, authorization packages)
associated with the implementation and operation of security controls; and (v) the objects to be
assessed.30 The availability of essential documentation as well as access to key organizational
personnel and the information system being assessed are paramount to a successful assessment of
the security controls.
Organizations consider both the technical expertise and level of independence required in
selecting security control assessors. Organizations ensure that security control assessors possess
the required skills and technical expertise to successfully carry out assessments of system-specific,
hybrid, and common controls. This includes knowledge of and experience with the
specific hardware, software, and firmware components employed by the organization. An
independent assessor is any individual or group capable of conducting an impartial assessment of
security controls employed within or inherited by an information system. Impartiality implies
that assessors are free from any perceived or actual conflicts of interest with respect to the
development, operation, and/or management of the information system or the determination of
security control effectiveness.31 The authorizing official or designated representative determines
the required level of independence for security control assessors based on the results of the
security categorization process for the information system and the ultimate risk to organizational
operations and assets, individuals, other organizations, and the Nation. The authorizing official
determines if the level of assessor independence is sufficient to provide confidence that the
assessment results produced are sound and can be used to make a risk-based decision on whether
to place the information system into operation or continue its operation. Independent security
control assessment services can be obtained from other elements within the organization or can be
contracted to a public or private sector entity outside of the organization. In special situations, for
example when the organization that owns the information system is small or the organizational
structure requires that the security control assessment be accomplished by individuals that are in
the developmental, operational, and/or management chain of the system owner, independence in
the assessment process can be achieved by ensuring that the assessment results are carefully
reviewed and analyzed by an independent team of experts to validate the completeness,
consistency, and veracity of the results.32
29
Information system owners and organizational entities developing, implementing, and/or administering common
controls (i.e., common control providers) are responsible for providing needed information to assessors.
30
In situations where there are multiple security assessments ongoing or planned within an organization, access to
organizational elements, individuals, and artifacts supporting the assessments is centrally managed by the organization
to ensure a cost-effective use of time and resources.
31
Contracted assessment services are considered independent if the information system owner is not directly involved
in the contracting process or cannot unduly influence the independence of the assessor(s) conducting the assessment of
the security controls.
32
The authorizing official consults with the Office of the Inspector General, the senior information security officer, and
the chief information officer to discuss the implications of any decisions on assessor independence in the types of
special circumstances described above.
3.2 DEVELOPING SECURITY ASSESSMENT PLANS
The security assessment plan provides the objectives for the security control assessment and a
detailed roadmap of how to conduct such an assessment. The following steps are considered by
assessors in developing plans to assess the security controls in organizational information systems
or inherited by those systems:
• Determine which security controls/control enhancements are to be included in the assessment based upon the contents of the security plan and the purpose/scope of the assessment;
• Select the appropriate assessment procedures to be used during the assessment based on the security controls and control enhancements that are to be included in the assessment;
• Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, assign depth and coverage attribute values);
• Develop additional assessment procedures to address any security requirements or controls that are not sufficiently covered by Special Publication 800-53;
• Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions; and
• Finalize the assessment plan and obtain the necessary approvals to execute the plan.
3.2.1 Determine which security controls are to be assessed.
The security plan provides an overview of the security requirements for the information system
and describes the security controls in place or planned for meeting those requirements. The
assessor starts with the security controls described in the security plan and considers the purpose
of the assessment. A security control assessment can be a complete assessment of all security
controls in the information system or inherited by the system (e.g., during an initial security
authorization process) or a partial assessment of the security controls in the information system
or inherited by the system (e.g., during system development, during continuous monitoring where
controls are assessed on an ongoing basis and as a result of changes affecting the controls, or
where controls were previously assessed and the results accepted in the reciprocity process).33
For partial assessments, information system owners and common control providers collaborate
with organizational officials having an interest in the assessment (e.g., senior information security
officers, mission/information owners, Inspectors General, and authorizing officials) to determine
which security controls are to be assessed. The selection of the security controls depends on the
continuous monitoring strategy established by the information system owner or common control
provider to ensure that: (i) all controls are assessed during the authorization period established by
federal legislation, policies, directives, standards, and guidelines; (ii) items on the plan of action
and milestones receive adequate oversight; (iii) controls with greater volatility or importance to
the organization are assessed more frequently; and (iv) control implementations that have
changed since the last assessment are reevaluated.34
33
Partial assessments of security controls can be conducted in the initial phases of system development life cycle to
promote early detection of weakness and deficiencies and a more cost-effective approach to risk mitigation.
34
Special Publication 800-37 provides guidance on continuous monitoring as part of the risk management process.
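The four selection criteria for a partial assessment in Section 3.2.1 (every control assessed within the authorization period, oversight of plan of action and milestones items, more frequent assessment of volatile or important controls, and reevaluation of changed implementations) can be written down as a selection rule. The Python below is an added example for this page, not NIST code or part of any NIST tool: the `ControlStatus` fields, the volatility ratings, the reassessment intervals and the three-year authorization period are this example's own assumptions, and the inventory it runs over is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ControlStatus:
    """Monitoring state of one security control (the fields are assumptions of this example)."""
    identifier: str
    last_assessed: Optional[date]   # None: not yet assessed in this authorization period
    volatility: str                 # "low", "moderate" or "high": hypothetical volatility/importance rating
    changed_since_last: bool        # implementation changed since the last assessment
    on_poam: bool                   # control has an open plan of action and milestones item


# Hypothetical reassessment intervals: more volatile or important controls are
# assessed more frequently (criterion iii). The page does not fix these numbers.
REASSESS_INTERVAL_DAYS = {"high": 90, "moderate": 180, "low": 365}


def select_controls(statuses, today, authorization_period_days=3 * 365):
    """Return {control id: [reasons]} for the controls a partial assessment must cover."""
    selected = {}
    period_start = today - timedelta(days=authorization_period_days)
    for c in statuses:
        reasons = []
        # (i) every control is assessed at least once during the authorization period
        if c.last_assessed is None or c.last_assessed < period_start:
            reasons.append("not assessed within the authorization period")
        # (ii) items on the plan of action and milestones receive oversight
        if c.on_poam:
            reasons.append("open plan of action and milestones item")
        # (iii) volatile or important controls are assessed more frequently
        interval = REASSESS_INTERVAL_DAYS[c.volatility]
        if c.last_assessed is not None and (today - c.last_assessed).days > interval:
            reasons.append(f"{c.volatility}-volatility interval of {interval} days exceeded")
        # (iv) changed implementations are reevaluated
        if c.changed_since_last:
            reasons.append("implementation changed since the last assessment")
        if reasons:
            selected[c.identifier] = reasons
    return selected


# Constructed sample inventory; the control identifiers serve only as labels here.
SAMPLE_STATUSES = [
    ControlStatus("AC-2", date(2010, 5, 1), "high", False, False),       # 60 days old: still current
    ControlStatus("CP-2", date(2009, 12, 1), "moderate", False, False),  # 211 days old: interval exceeded
    ControlStatus("PE-3", None, "low", False, False),                    # never assessed this period
    ControlStatus("SI-2", date(2010, 6, 1), "high", True, False),        # implementation changed
    ControlStatus("CA-5", date(2010, 4, 1), "low", False, True),         # open POA&M item
]


def example_selection():
    """Run the selection against the constructed sample as of 30 June 2010."""
    return select_controls(SAMPLE_STATUSES, date(2010, 6, 30))


if __name__ == "__main__":
    for control, why in example_selection().items():
        print(control, "->", "; ".join(why))
```

Recording every reason rather than the first one that fires matters for the assessment plan: a control pulled in both because it changed and because it is on the plan of action and milestones needs evidence for both, and the reasons also document the selection for the officials who collaborate on it.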
3.2.2 Select appropriate procedures to assess the security controls.
Special Publication 800-53A, Appendix F, provides an assessment procedure for each security
control and control enhancement in Special Publication 800-53. For each security control and
control enhancement in the security plan to be included in the assessment, assessors select the
corresponding assessment procedure from Appendix F. The selected assessment procedures vary
from assessment to assessment based on the current content of the security plan and the purpose
of the security assessment (e.g., complete security control assessment, partial security control
assessment).
3.2.3 Tailor assessment procedures.
In a similar manner to how the security controls from Special Publication 800-53 are tailored for
the organization’s mission, business functions, characteristics of the information system and
operating environment, organizations tailor the assessment procedures listed in Appendix F to
meet specific organizational needs. Organizations have the flexibility to perform the tailoring
process at the organization level for all information systems, at the individual information system
level, or using a combination of organization-level and system-specific approaches. Security
control assessors determine if the organization provides additional tailoring guidance prior to
initiating the tailoring process. Assessment procedures are tailored by:
• Selecting the appropriate assessment methods and objects needed to satisfy the stated assessment objectives;
• Selecting the appropriate depth and coverage attribute values to define the rigor and scope of the assessment;
• Identifying common controls that have been assessed by a separately-documented security assessment plan, and do not require the repeated execution of the assessment procedures;
• Developing information system/platform-specific and organization-specific assessment procedures (which may be adaptations to those procedures in Appendix F);
• Incorporating assessment results from previous assessments where the results are deemed applicable; and
• Making appropriate adjustments in assessment procedures to be able to obtain the requisite assessment evidence from external providers.
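The tailoring steps just listed (choose methods and objects, assign depth and coverage, skip common controls covered by a separate plan, reuse applicable prior results, and develop organization-specific procedures for requirements Appendix F does not cover) are shown below as one pass over a list of procedures. This is an added example written for this page, not NIST code: the `Procedure` class, the assurance-level-to-attribute mapping, the age-based reuse criterion and the sample procedures are all assumptions of the example, and `ORG-1` is a hypothetical local requirement, not a Special Publication 800-53 control.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Procedure:
    """One assessment procedure taken from Appendix F or developed by the organization."""
    control: str
    potential_methods: Dict[str, List[str]]   # method name -> list of potential assessment objects
    common: bool = False                      # common control inherited by the system
    source: str = "Appendix F"
    depth: str = "basic"
    coverage: str = "basic"
    selected_methods: Dict[str, List[str]] = field(default_factory=dict)
    reuse: Optional[str] = None               # set when the procedure need not be executed again


# Hypothetical organization-level tailoring guidance: one depth/coverage value per
# assurance level. The page leaves this mapping to the organization.
ATTRIBUTE_BY_ASSURANCE = {"low": "basic", "moderate": "focused", "high": "comprehensive"}


def tailor(procedures, assurance, separately_assessed, prior_results, today,
           max_reuse_age_days, required_controls, methods_for=None):
    """Apply the tailoring steps above and return the tailored list of procedures.

    separately_assessed: {control: name of the separate plan that covers the common control}
    prior_results:       {control: date of the previous assessment}
    required_controls:   every control or requirement the plan must cover
    methods_for:         {control: set of methods the assessor judged necessary}; default: all
    """
    methods_for = methods_for or {}
    tailored = []
    for p in procedures:
        if p.common and p.control in separately_assessed:
            # Common control covered by a separately documented plan: do not repeat it.
            p.reuse = f"assessed under {separately_assessed[p.control]}"
        elif p.control in prior_results and (today - prior_results[p.control]).days <= max_reuse_age_days:
            # Previous results deemed applicable (age is the hypothetical reuse criterion here).
            p.reuse = f"prior results of {prior_results[p.control].isoformat()} reused"
        else:
            # Select the methods/objects needed for the objective and assign depth/coverage.
            wanted = methods_for.get(p.control, set(p.potential_methods))
            p.selected_methods = {m: objs for m, objs in p.potential_methods.items() if m in wanted}
            p.depth = p.coverage = ATTRIBUTE_BY_ASSURANCE[assurance]
        tailored.append(p)
    # Requirements with no Appendix F procedure get an organization-specific one.
    covered = {p.control for p in procedures}
    for control in sorted(required_controls - covered):
        tailored.append(Procedure(control, {"examine": ["organization-defined specification"]},
                                  source="organization-specific"))
    return tailored


def example_plan():
    """Tailor three constructed procedures for a moderate-assurance system as of 30 June 2010."""
    procedures = [
        Procedure("CP-2", {"examine": ["contingency plan", "security plan"],
                           "interview": ["contingency planning personnel"]}),
        Procedure("PE-3", {"examine": ["physical access policy"],
                           "test": ["physical access control devices"]}, common=True),
        Procedure("SI-2", {"examine": ["flaw remediation records"],
                           "test": ["flaw remediation process"]}),
    ]
    return tailor(
        procedures, "moderate",
        separately_assessed={"PE-3": "facilities common control assessment plan"},
        prior_results={"SI-2": date(2010, 3, 1)},
        today=date(2010, 6, 30), max_reuse_age_days=180,
        required_controls={"CP-2", "PE-3", "SI-2", "ORG-1"},   # ORG-1: hypothetical local requirement
        methods_for={"CP-2": {"examine"}},
    )


if __name__ == "__main__":
    for p in example_plan():
        print(p.control, p.source, p.depth, p.coverage, p.reuse or list(p.selected_methods))
```

The `reuse` field is deliberately a recorded reason, not a silent omission: a reviewer of the plan can see why a procedure will not be executed and check that the separate plan or the prior results actually cover it.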
Assessment method and object-related considerations—
It is recognized that organizations can specify, document, and configure their information systems
in a variety of ways and that the content and applicability of existing assessment evidence will
vary. This may result in the need to apply a variety of assessment methods to various assessment
objects to generate the assessment evidence needed to determine whether the security controls are
effective in their application. Therefore, the assessment methods and objects provided with each
assessment procedure are termed potential to reflect the need to be able to choose the methods
and objects most appropriate for a specific assessment. The assessment methods and objects
chosen are those deemed as necessary to produce the evidence needed to make the determinations
described in the determination statements. The potential methods and objects in the assessment
procedure are provided as a resource to assist in the selection of appropriate methods and objects,
and not with the intent to limit the selection. Organizations use their judgment in selecting from
the potential assessment methods and the list of assessment objects associated with each selected
method. Organizations select those methods and objects that most cost-effectively contribute to
making the determinations associated with the assessment objective.35 The measure of the quality
of assessment results is based on the soundness of the rationale provided, not the specific set of
methods and objects applied. It will not be necessary, in most cases, to apply every assessment
method to every assessment object to obtain the desired assessment results. And for certain
assessments, it may be appropriate to employ a method not currently listed in the set of potential
methods.
Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Chapter 3, page 17
Depth and coverage-related considerations—
In addition to selecting appropriate assessment methods and objects, each assessment method
(i.e., examine, interview, and test) is associated with depth and coverage attributes that are
described in Appendix D. The attribute values identify the rigor and scope of the assessment
procedures executed by the assessor. The values selected by the organization are based on the
characteristics of the information system being assessed (including assurance requirements) and
the specific determinations to be made. The depth and coverage attribute values are associated
with the assurance requirements specified by the organization (i.e., the rigor and scope of the
assessment increases in direct relationship to the assurance requirements).
Common control-related considerations—
Assessors note which security controls (or parts of security controls) in the security plan are
designated as common controls.36 Since the assessment of common controls is the responsibility
of the organizational entity that developed and implemented the controls (i.e., common control
provider), the assessment procedures in Appendix F used to assess these controls incorporate
assessment results from that organizational entity. Common controls may have been previously
assessed as part of the organization’s information security program or as part of an information
system providing common con...