Read the Wk 1 Case Study. Based on your reading in NIST SP-800-53A (from CYB/120), write a 2- to 3-page analysis of the case study in which you examine the security controls that were compromised. Complete the following in your analysis:
Identify who in the company is responsible for physical security.
Determine what security controls were not in place that could have potentially prevented this compromise.
Compile a list of future security controls that will need to be put in place to prevent other attacks.
Describe the role that security awareness and training has with respect to improving physical security within the company.
Assignment checklist:
Title Page
The total paper must be 700-1050 words (about 2-3 pages, but I will be looking at word count).
If a template is provided, you must use the template.
Use the bullets or key points in the instructions and create corresponding headings and subheaders. This way it will be obvious that you hit the key points.
Include at least one reference that is properly cited.
Any images must have a caption and be referenced in the paper.
Combine the screenshots and the remainder of the assignment into one APA formatted document. If you submit the assignment in multiple parts you will lose points.
Follow APA format (fonts, etc.) – For details on the formatting see the UOP library tab.
CYB/140 v2
Case Study: Stolen Equipment
Betty, the regional sales manager of a mid-sized home security system manufacturer and installer,
discovered that 2 laptops and 2 tablets, worth about $8,000 in total, had been stolen. Upon investigation,
2 members of her sales team had left their offices unlocked when they attended a luncheon that went well
into the afternoon. When her employees returned, they discovered that the equipment was missing,
apparently taken by an individual or individuals, who walked into the unlocked offices, picked up the
equipment, and left unnoticed by the other employees in adjoining offices.
Since the employees stored business data on the local hard drives of their laptops, the sales team lost
approximately 2 years of emails and sales logs as well as customer contact lists and detailed product
specifications files.
Business impact:
• The laptops were not encrypted.
• One laptop had a password taped to the back of the laptop, allowing the thief to log into it and exposing the unencrypted data on the device.
• The monetary loss was significant, and the company could not submit an insurance claim because the sales offices were not locked.
The company lost sensitive and proprietary data due to it being stored on the local hard drives of the laptops. The impact of data loss is estimated to be $75,800 in value.
Copyright 2020 by University of Phoenix. All rights reserved.
NIST Special Publication 800-53A
Revision 4
Assessing Security and Privacy
Controls in Federal Information
Systems and Organizations
Building Effective Assessment Plans
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
December 2014
INCLUDES UPDATES AS OF 12-18-2014
U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director
Special Publication 800-53A
Revision 4
Assessing Security and Privacy Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53A, Revision 4
487 pages (December 2014)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
Certain commercial entities, equipment, or materials may be identified in this document in order
to describe an experimental procedure or concept adequately. Such identification is not intended
to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities,
materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by
NIST in accordance with its assigned statutory responsibilities. The information in this publication,
including concepts, practices, and methodologies, may be used by federal agencies even before
the completion of such companion publications. Thus, until each publication is completed, current
requirements, guidelines, and procedures, where they exist, remain operative. For planning and
transition purposes, federal agencies may wish to closely follow the development of these new
publications by NIST.
Organizations are encouraged to review draft publications during the designated public comment
periods and provide feedback to NIST. Computer Security Division publications are available at
http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic Mail: sec-cert@nist.gov
PAGE ii
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
Abstract
This publication provides a set of procedures for conducting assessments of security controls and
privacy controls employed within federal information systems and organizations. The assessment
procedures, executed at various phases of the system development life cycle, are consistent with
the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures
are customizable and can be easily tailored to provide organizations with the needed flexibility to
conduct security control assessments and privacy control assessments that support organizational
risk management processes and that are aligned with the stated risk tolerance of the organization.
Information on building effective security assessment plans and privacy assessment plans is also
provided along with guidance on analyzing assessment results.
Keywords
Assessment; assurance; E-Government Act; FISMA; Privacy Act; privacy controls; privacy
requirements; Risk Management Framework; security controls; security requirements.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Working
Group with representatives from the Civilian, Defense, and Intelligence Communities to produce
a unified information security framework for the federal government. We wish to acknowledge
and thank the senior leaders from the Departments of Commerce and Defense, the Office of the
Director of National Intelligence, the Committee on National Security Systems, and the members
of the interagency technical working group whose dedicated efforts contributed significantly to
the publication. The senior leaders, interagency working group members, and their organizational
affiliations include:
U.S. Department of Defense
  Terry Halvorsen, DOD Chief Information Officer (Acting)
  David De Vries, Principal Deputy DOD Chief Information Officer (Acting)
  Richard Hale, Deputy Chief Information Officer for Cybersecurity
  Dominic Cussatt, Director, Cybersecurity Strategy and Policy
Office of the Director of National Intelligence
  Adolpho Tarasiuk Jr., Intelligence Community Chief Information Officer
  Alan Royal, IC Deputy Chief Information Officer
  Susan Dorr, Director, Information Assurance and IC Chief Information Security Officer
  Robert Drake, Acting Chief, Risk Management and Compliance Services
National Institute of Standards and Technology
  Charles H. Romine, Director, Information Technology Laboratory
  Donna Dodson, Cyber Security Advisor, Information Technology Laboratory
  Matthew Scholl, Chief, Computer Security Division
  Ron Ross, FISMA Implementation Project and Joint Task Force Leader
Committee on National Security Systems
  Terry Halvorsen, Chair, CNSS
  Sherrill Nicely, CNSS Co-Chair
  Dominic Cussatt, Jeffrey Wilk, Daniel Dister, CNSS Subcommittee Tri-Chairs
Joint Task Force Transformation Initiative Interagency Working Group
  Ron Ross, NIST
  Karen Quigg, The MITRE Corporation
  Kelley Dempsey, NIST
  Patricia Toth, NIST
  Esten Porter, The MITRE Corporation
  Christian Enloe, NIST
  Bennett Hodge, Booz Allen Hamilton
  Kevin Stine, NIST
We wish to express our sincere appreciation to Elizabeth Lennon and Peggy Himes for their
superb technical editing and administrative support as well to Harold Booth for developing the
XML schema and for his help in correcting many difficult-to-find formatting errors. The authors
also wish to recognize the following individuals for their significant contributions in helping to
develop the initial content of this publication and refine its content during subsequent revisions:
Claire Barrett; Lindy Burkhart; Jonathan Cantor; Mitali Chatterjee; Jonathan Chiu; Sharon
Ehlers; Jennifer Fabius; Peter Gouldmann; James Govekar; Terrance Hazelwood; Austin
Hershey; Laurie Hestor; Arnold Johnson; Mary Kitson; Martha Landesberg; Naomi Lefkovitz;
Jason Mackanick; Timothy Potter; Jennifer Puma; Roanne Shaddox; Terry Sherald; Gary
Stoneburner; Julie Trei; Gail Tryon; Ricki Vanetesse; Cynthia Whitmer; and Peter Williams.
Finally, the authors gratefully acknowledge and appreciate the significant contributions from
individuals and organizations in the public and private sectors, whose thoughtful and constructive
comments improved the overall quality and usefulness of this publication.
ASSESSMENT PROCEDURES FOR PRIVACY CONTROLS
Appendix J, Privacy Assessment Procedures, is a new addition to NIST Special Publication 800-53A. The appendix, when completed, will provide a complete set of assessment procedures for
the privacy controls in NIST Special Publication 800-53, Appendix J. The new privacy control
assessment procedures are under development and will be added to the appendix after a
thorough public review and vetting process. The terminology throughout this publication has
been updated to include references to privacy in all aspects of the assessment process to
include mirroring the artifacts that are essential inputs to the current security authorization
process. Each organization employing these guidelines has the flexibility to address the privacy
assessment process and the integration of privacy-related artifacts into the organization’s risk
management processes in the manner that best supports the organizational missions and
business objectives consistent with Office of Management and Budget policies.
Standardized assessment procedures for privacy controls provide a more disciplined and
structured approach for determining compliance to federal privacy requirements and also
promote more cost-effective methods to determine such compliance. There will be a strong
similarity in the structure of the assessment procedures for privacy controls in Appendix J and
the assessment procedures for security controls in Appendix F. This similarity will promote
closer cooperation between privacy and security officials within the federal government to
help achieve the objectives of senior leaders/executives in enforcing the requirements in
federal privacy legislation, directives, policies, regulations, standards, and guidance.
Finally, it should be noted that as the assessment procedures for privacy controls are added to
Appendix J, certain terminology traditionally associated with security controls and security
control assessments contained in earlier versions of this publication is being modified where
appropriate, to include references to privacy. However, there are some security-related terms
(e.g., security categorization, security control baseline, tailored security control baseline) that
are unique to security controls and do not have direct analogs in the privacy arena. In such
cases, the equivalent privacy-related terminology has not been added to the publication.
Privacy officials, at their discretion, may choose to adopt any or all of the security-related
terms in this publication in support of privacy control assessments.
ASSESSMENT PROCEDURE FORMATTING
A new format for assessment procedures is introduced in this revision to Special Publication
800-53A. The format reflects the decomposition of assessment objectives into more granular
determination statements wherever possible, thus providing the capability to identify and
assess specific parts of security and privacy controls. The changes have been initiated to: (i)
help improve the readability of assessment procedures; (ii) provide a better format and
structure for automated tools when assessment information is imported into such tools; (iii)
provide greater flexibility in conducting assessments by giving organizations the capability to
target certain aspects of security controls and privacy controls (highlighting the particular
weaknesses and/or deficiencies in controls); (iv) improve the efficiency of security and privacy
assessments; and (v) support continuous monitoring and ongoing authorization programs by
providing a greater number of component parts of security and privacy controls that can be
assessed at organization-defined frequencies and degrees of rigor. Having the ability to apply
assessment and monitoring resources in a targeted and precise manner and simultaneously
maximize the use of automation technologies, can result in more timely and cost-effective
assessment processes for organizations.
Note: Special Publication 800-53 will be updated accordingly to ensure that the numbering
scheme for all security and privacy controls is consistent with the new format introduced in
this publication.
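The decomposition into granular determination statements described above, as an added Python example that is not part of SP 800-53A or the assignment: a parser for identifiers of the form the errata use (the grammar is assumed from those examples), and a roll-up from per-statement findings to a control-level result that lists the specific deficient statements so only those need targeting on reassessment. The satisfied / other than satisfied vocabulary is the publication's own finding terminology (from its Chapter 3, not reproduced on this page); the sample findings are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Identifier grammar assumed from the errata entries on this page
# (e.g. "AT-4(a)[2][a]", "PL-8(c)[3]", "SA-1(b)(2)[1]"): a control id
# "<FAMILY>-<number>" followed by any mix of "(part)" and "[index]" segments.
_ID_RE = re.compile(r"^([A-Z]{2})-(\d+)((?:\([a-z0-9]+\)|\[[a-z0-9]+\])*)$")
_SEG_RE = re.compile(r"\(([a-z0-9]+)\)|\[([a-z0-9]+)\]")

SATISFIED = "satisfied"
OTHER = "other than satisfied"


@dataclass(frozen=True)
class StatementId:
    family: str             # control family, e.g. "AT"
    number: int             # control number within the family, e.g. 4
    parts: Tuple[str, ...]  # parenthesised control parts, e.g. ("a",) or ("b", "2")
    items: Tuple[str, ...]  # bracketed determination indices, e.g. ("2", "a")

    @property
    def control(self) -> str:
        return f"{self.family}-{self.number}"


def parse_statement_id(text: str) -> StatementId:
    """Split an identifier such as "AT-4(a)[2][a]" into its components."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed determination statement id: {text!r}")
    parts: List[str] = []
    items: List[str] = []
    for paren, bracket in _SEG_RE.findall(m.group(3)):
        (parts if paren else items).append(paren or bracket)
    return StatementId(m.group(1), int(m.group(2)), tuple(parts), tuple(items))


def roll_up(findings: Dict[str, str]) -> Dict[str, dict]:
    """Aggregate per-statement findings to one finding per control.

    A control is satisfied only when every determination statement assessed
    for it is satisfied; otherwise it is "other than satisfied" and the
    specific deficient statements are listed so they can be targeted.
    """
    result: Dict[str, dict] = {}
    for raw_id, finding in findings.items():
        if finding not in (SATISFIED, OTHER):
            raise ValueError(f"unknown finding {finding!r} for {raw_id}")
        sid = parse_statement_id(raw_id)
        entry = result.setdefault(sid.control, {"finding": SATISFIED, "deficient": []})
        if finding == OTHER:
            entry["finding"] = OTHER
            entry["deficient"].append(raw_id)
    return result


def deficient_statements(findings: Dict[str, str]) -> List[str]:
    """The statement ids to target on reassessment: only those not satisfied."""
    return sorted(i for c in roll_up(findings).values() for i in c["deficient"])


# Constructed sample findings for a hypothetical assessment of the kind of
# incident the case study describes (unlocked offices, unencrypted laptops,
# a written-down password, no backups). The control ids are SP 800-53
# controls; the sub-part numbering is illustrative, not copied from Appendix F.
SAMPLE_FINDINGS = {
    "PE-3(a)[1]": OTHER,      # physical access to the sales offices not enforced
    "PE-3(a)[2]": SATISFIED,
    "SC-28[1]": OTHER,        # information at rest on the laptops not protected
    "IA-5(h)[1]": OTHER,      # authenticator content (the taped password) not protected
    "AT-2(a)[1]": SATISFIED,
    "AT-2(a)[2]": SATISFIED,
    "CP-9(a)[1]": OTHER,      # no backups of user-level information
}

if __name__ == "__main__":
    for control, entry in sorted(roll_up(SAMPLE_FINDINGS).items()):
        print(f"{control:6} {entry['finding']:22} {entry['deficient']}")
    print("target on reassessment:", deficient_statements(SAMPLE_FINDINGS))
```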
ALIGNING REVISION NUMBERS
WHAT HAPPENED TO SPECIAL PUBLICATION 800-53A REVISIONS 2 AND 3?
Revision numbers between NIST Special Publications 800-53 and 800-53A were misaligned
from the start because the initial publication of SP 800-53A did not occur until after the
publication of SP 800-53, Revision 2. When SP 800-53, Revision 3 was published, SP 800-53A
was updated to Revision 1 for consistency with the updates to SP 800-53. This revision number
mismatch created ongoing uncertainty and confusion regarding which revision of SP 800-53
was consistent with which revision of SP 800-53A. To reduce this uncertainty going forward,
revision numbers 2 and 3 have been skipped for SP 800-53A, and this version of SP 800-53A
has been given revision number 4 since this version is consistent with the updates to SP 800-53, Revision 4. Future revisions of SPs 800-53 and 800-53A will maintain the revision number
consistency.
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES
In developing standards and guidelines required by FISMA, NIST consults with other federal
agencies and offices as well as the private sector entities to improve information security,
avoid unnecessary and costly duplication of effort, and ensure that NIST publications are
complementary with the standards and guidelines employed for the protection of national
security systems. In addition to its comprehensive public review and vetting process, NIST is
collaborating with the Office of the Director of National Intelligence (ODNI), the Department of
Defense (DoD), and the Committee on National Security Systems (CNSS) to establish a unified
framework and common foundation for information security across the federal government. A
common foundation and framework for information security will provide the Intelligence,
Defense, and Civilian sectors of the federal government and their contractors, more uniform
and consistent ways to manage the risk to organizational operations and assets, individuals,
other organizations, and the Nation that results from the operation and use of information
systems. A common foundation and framework will also provide a strong basis for reciprocal
acceptance of security authorization decisions and facilitate information sharing. NIST is also
working with public and private sector entities to establish specific mappings and relationships
between the security standards and guidelines developed by NIST and the International
Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Table of Contents
CHAPTER ONE  INTRODUCTION ........ 1
  1.1 PURPOSE AND APPLICABILITY ........ 1
  1.2 TARGET AUDIENCE ........ 4
  1.3 RELATED PUBLICATIONS AND ASSESSMENT PROCESSES ........ 4
  1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION ........ 5
CHAPTER TWO  THE FUNDAMENTALS ........ 6
  2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE ........ 6
  2.2 STRATEGY FOR CONDUCTING CONTROL ASSESSMENTS ........ 7
  2.3 BUILDING AN EFFECTIVE ASSURANCE CASE ........ 8
  2.4 ASSESSMENT PROCEDURES ........ 9
CHAPTER THREE  THE PROCESS ........ 14
  3.1 PREPARING FOR SECURITY AND PRIVACY CONTROL ASSESSMENTS ........ 14
  3.2 DEVELOPING SECURITY AND PRIVACY ASSESSMENT PLANS ........ 17
  3.3 CONDUCTING SECURITY AND PRIVACY CONTROL ASSESSMENTS ........ 23
  3.4 ANALYZING ASSESSMENT REPORT RESULTS ........ 25
  3.5 ASSESSING SECURITY AND PRIVACY CAPABILITIES ........ 26
APPENDIX A  REFERENCES ........ A-1
APPENDIX B  GLOSSARY ........ B-1
APPENDIX C  ACRONYMS ........ C-1
APPENDIX D  ASSESSMENT METHOD DESCRIPTIONS ........ D-1
APPENDIX E  PENETRATION TESTING ........ E-1
APPENDIX F  SECURITY ASSESSMENT PROCEDURES ........ F-1
APPENDIX G  ASSESSMENT REPORTS ........ G-1
APPENDIX H  ASSESSMENT CASES ........ H-1
APPENDIX I  ONGOING ASSESSMENT AND AUTOMATION ........ I-1
APPENDIX J  PRIVACY ASSESSMENT PROCEDURES ........ J-1
Prologue
“…Through the process of risk management, leaders must consider risk to U.S. interests from
adversaries using cyberspace to their advantage and from our own efforts to employ the global
nature of cyberspace to achieve objectives in military, intelligence, and business operations… “
“…For operational plans development, the combination of threats, vulnerabilities, and impacts
must be evaluated in order to identify important trends and decide where effort should be applied
to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess,
coordinate, and deconflict all cyberspace operations…”
“…Leaders at all levels are accountable for ensuring readiness and security to the same degree
as in any other domain…”
— THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Foreword
Security control assessments and privacy control assessments are not about checklists, simple
pass-fail results, or generating paperwork to pass inspections or audits; rather, such assessments
are the principal vehicle used to verify that implemented security controls and privacy controls
are meeting their stated goals and objectives. Special Publication 800-53A, Assessing Security
and Privacy Controls in Federal Information Systems and Organizations, is written to facilitate
security control assessments and privacy control assessments conducted within an effective risk
management framework. The control assessment results provide organizational officials with:
• Evidence about the effectiveness of implemented controls;
• An indication of the quality of the risk management processes employed within the
organization; and
• Information about the strengths and weaknesses of information systems which are supporting
organizational missions and business functions in a global environment of sophisticated and
changing threats.
The findings produced by assessors are used to determine the overall effectiveness of security and
privacy controls associated with information systems (including system-specific, common, and
hybrid controls) and their environments of operation and to provide credible and meaningful
inputs to the organization’s risk management process. A well-executed assessment helps to: (i)
determine the validity of the controls contained in the organization’s security plans and privacy
plans and subsequently employed in organizational information systems and environments of
operation; and (ii) facilitate a cost-effective approach to correcting weaknesses or deficiencies in
systems in an orderly and disciplined manner consistent with organizational mission/business
needs.
Special Publication 800-53A is a companion guideline to Special Publication 800-53, Security
and Privacy Controls for Federal Information Systems and Organizations. Each publication
provides guidance for implementing specific steps in the Risk Management Framework (RMF). 1
Special Publication 800-53 covers Step 2 in the RMF, security and privacy control selection (i.e.,
determining what controls are needed to manage risks to organizational operations and assets,
individuals, other organizations, and the Nation). Special Publication 800-53A covers RMF Step
4, Assess, and RMF Step 6, Monitor, and provides guidance on the security assessment and
privacy assessment processes. This guidance includes how to build effective assessment plans
and how to analyze and manage assessment results.
Special Publication 800-53A allows organizations to tailor the basic assessment procedures
provided. The concepts of tailoring used in this document are similar to the concepts described in
Special Publication 800-53. Tailoring involves customizing the assessment procedures to more
closely match the characteristics of the information system and its environment of operation. The
tailoring process gives organizations the flexibility needed to avoid assessment approaches that
are unnecessarily complex or costly while simultaneously meeting the assessment requirements
established by applying the fundamental concepts in the RMF. Tailoring can also include adding
assessment procedures or assessment details to adequately meet the risk management needs of the
organization (e.g., adding system/platform-specific information for selected controls). Tailoring
decisions are left to the discretion of the organization in order to maximize the flexibility in
1 Special Publication 800-37 provides guidance on applying the RMF to federal information systems.
developing assessment plans, applying the results of risk assessments to determine the extent,
rigor, and level of intensity of the assessments. While flexibility continues to be an important
factor in developing security assessment plans and privacy assessment plans, consistency of
assessments is also an important consideration. A major design objective for Special Publication
800-53A is to provide an assessment framework and initial starting point for assessment
procedures that are essential for achieving such consistency.
NIST initiated the Security Content Automation Protocol (SCAP) 2 project that supports the
approach for achieving consistent, cost-effective security control assessments. The primary
purpose of SCAP is to standardize the format and nomenclature used for communicating
information about configurations and security flaws. This standardization enables automated
system configuration assessment, vulnerability assessment, patch checking, as well as report
aggregation and interoperability between SCAP-enabled security products. As a result, SCAP
enables organizations to identify and reduce vulnerabilities associated with products that are not
patched or insecurely configured. SCAP also includes the Open Checklist Interactive Language
(OCIL) 3 specification that provides the capability to express the determination statements in the
assessment procedures in Appendix F in a framework that will establish interoperability with the
SCAP-enabled tools. Privacy control assessments are discussed separately in Appendix J to this
publication.
2 Special Publication 800-126 provides guidance on the technical specification of SCAP. Additional details on the
SCAP initiative, as well as freely available SCAP reference data, can be found at http://nvd.nist.gov.
3 OCIL is a framework for expressing security checks that cannot be evaluated without some human interaction or
feedback. It is used to determine the state of a system by presenting one or more questionnaires to its intended users.
The language includes constructs for questions, instructions for guiding users towards an answer, responses to
questions, artifacts, and evaluation results.
Errata
The following changes have been incorporated into Special Publication 800-53A, Revision 4.
Errata updates include corrections, clarifications, or other minor changes in the publication that
are either editorial or substantive in nature.
DATE        TYPE       CHANGE                                         PAGE
12-18-2014  Editorial  Changed “AT-4(b)[2][a]” to “AT-4(a)[2][a].”    F-60
12-18-2014  Editorial  Changed “AT-4(b)[2][b]” to “AT-4(a)[2][b].”    F-60
12-18-2014  Editorial  Changed “PL-8(c)[2]” to “PL-8(c)[3].”          F-241
12-18-2014  Editorial  Changed “SA-1(a)(2)[1]” to “SA-1(b)(2)[1].”    F-269
12-18-2014  Editorial  Changed “SI-1(b)(2)[1]” to “SI-1(b)(2)[2].”    F-369
CHAPTER ONE
INTRODUCTION
THE NEED TO ASSESS SECURITY AND PRIVACY CONTROL EFFECTIVENESS
Today’s information systems 4 are complex assemblages of technology (i.e., hardware,
software, and firmware), processes, and people, working together to provide organizations
with the capability to process, store, and transmit information in a timely manner to
support various missions and business functions. The degree to which organizations have come to
depend upon these information systems to conduct routine, important, and critical missions and
business functions means that the protection of the underlying systems and environments of
operation is paramount to the success of the organization. The selection of appropriate security
and privacy controls for an information system is an important task that can have significant
implications on the operations and assets of an organization as well as the welfare of individuals.[5]
Security and privacy controls are the safeguards or countermeasures prescribed for an information
system or an organization designed to protect the confidentiality, integrity, and availability of its
information.
Once employed within an information system, security and privacy controls are assessed to
provide the information necessary to determine their overall effectiveness, that is, the extent to
which the controls are implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security and privacy requirements for the system and the
organization. Understanding the overall effectiveness of implemented security and privacy
controls is essential in determining the risk to the organization’s operations and assets, to
individuals, to other organizations, and to the Nation resulting from the use of the system.
1.1 PURPOSE AND APPLICABILITY
The purpose of this publication is to provide: (i) guidelines for building effective security
assessment plans and privacy assessment plans; and (ii) a comprehensive set of procedures for
assessing the effectiveness of security controls and privacy controls employed in information
systems and organizations supporting the executive agencies of the federal government. The
guidelines apply to the security and privacy controls defined in Special Publication 800-53 (as
amended), Security and Privacy Controls for Federal Information Systems and Organizations.
The guidelines have been developed to help achieve more secure information systems within the
federal government by:
• Enabling more consistent, comparable, and repeatable assessments of security controls and
privacy controls with reproducible results;
• Promoting a better understanding of the risks to organizational operations, organizational
assets, individuals, other organizations, and the Nation resulting from the operation and use
of federal information systems;
[4] An information system is a discrete set of information resources organized expressly for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of information.
[5] When selecting security controls and privacy controls for an information system, the organization also considers
potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland
Security Presidential Directives, potential national-level impacts.
• Facilitating more cost-effective assessments of security controls and privacy controls
contributing to the determination of overall control effectiveness; and
• Creating more complete, reliable, and trustworthy information for organizational officials to
support risk management decisions, reciprocity of assessment results, information sharing,
and compliance to federal laws, Executive Orders, directives, regulations, and policies.
This publication satisfies the requirements of the Federal Information Security Management Act
(FISMA) and meets or exceeds the information security and privacy requirements established for
executive agencies[6] by the Office of Management and Budget (OMB) in Circular A-130,
Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, and
Appendix III, Security of Federal Automated Information Resources. The security guidelines in
this publication are applicable to federal information systems other than those systems designated
as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been
broadly developed from a technical perspective to complement similar guidelines for national
security systems and may be used for such systems with the approval of appropriate federal
officials exercising policy authority over such systems. The guidelines in Appendix J may have
broader applicability, depending upon organizational authorities and missions. State, local, and
tribal governments, as well as private sector organizations are encouraged to consider using these
guidelines, as appropriate.[7]
Organizations use this publication in conjunction with approved security plans and privacy plans
in developing viable assessment plans for producing and compiling the information necessary to
determine the effectiveness of the security and privacy controls employed in the information
system and organization. This publication has been developed with the intention of enabling
organizations to tailor the basic assessment procedures provided. The assessment procedures are
used as a starting point for and as input to the assessment plan. In developing effective security
assessment plans and privacy assessment plans, organizations take into consideration existing
information about the controls to be assessed (e.g., results from organizational assessments of
risk, platform-specific dependencies in the hardware, software, or firmware, and any assessment
procedures needed as a result of organization-specific controls not included in Special Publication
800-53).[8]
The selection of appropriate assessment procedures and the rigor, intensity, and scope of the
assessment depend on three factors:
[6] An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department
specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a
wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the
term executive agency is synonymous with the term federal agency.
[7] In accordance with the provisions of FISMA and OMB policy, whenever the interconnection of federal information
systems to information systems operated by state/local/tribal governments, contractors, or grantees involves the
processing, storage, or transmission of federal information, the information security standards and guidelines described
in this publication apply. Specific information security requirements and the terms and conditions of the system
interconnections are expressed in the Memoranda of Understanding and Interconnection Security Agreements
established by participating organizations.
[8] For example, detailed test scripts may need to be developed for the specific operating system, network component,
middleware, or application employed within the information system to adequately assess certain characteristics of a
particular security or privacy control. Such test scripts are at a lower level of detail than provided by the assessment
procedures contained in Appendices F and J and are therefore beyond the scope of this publication. Additional details
for assessments are provided in the supporting assessment cases described in Appendix H.
• The security categorization of the information system;[9]
• The assurance requirements that the organization intends to meet in determining the overall
effectiveness of the security and privacy controls; and
• The security and privacy controls from Special Publication 800-53 as identified in the
approved security plans and privacy plans.[10]
The assessment process is an information-gathering activity, not a security- or privacy-producing
activity. Organizations determine the most cost-effective implementation of this key element in
the organization’s information security and privacy programs by applying the results of risk
assessments, considering the maturity and quality level of the organization’s risk management
processes, and taking advantage of the flexibility in the concepts described in this publication.
The use of Special Publication 800-53A as a starting point in the process of defining procedures
for assessing the security and privacy controls in information systems and organizations,
promotes a consistent level of security and privacy and offers the needed flexibility to customize
the assessment based on organizational policies and requirements, known threat and vulnerability
information, operational considerations, information system and platform dependencies, and
tolerance for risk.[11] The information produced during control assessments can be used by an
organization to:
• Identify potential problems or shortfalls in the organization’s implementation of the Risk
Management Framework;
• Identify security- and privacy-related weaknesses and deficiencies in the information system
and in the environment in which the system operates;
• Prioritize risk mitigation decisions and associated risk mitigation activities;
• Confirm that identified security- and privacy-related weaknesses and deficiencies in the
information system and in the environment of operation have been addressed;
• Support monitoring activities and information security and privacy situational awareness;
• Facilitate security authorization decisions, privacy authorization decisions, and ongoing
authorization decisions; and
• Inform budgetary decisions and the capital investment process.
Organizations are not expected to employ all of the assessment methods and assessment objects
contained within the assessment procedures identified in this publication for the associated
security and privacy controls deployed within or inherited by organizational information systems.
Rather, organizations have the inherent flexibility to determine the level of effort needed and the
assurance required for a particular assessment (e.g., which assessment methods and assessment
objects are deemed to be the most useful in obtaining the desired results). This determination is
[9] For national security systems, security categorization is accomplished in accordance with CNSS Instruction 1253.
For other than national security systems, security categorization is accomplished in accordance with Federal
Information Processing Standard (FIPS) 199 and NIST Special Publication 800-60.
[10] The security and privacy controls for the information system and organization are documented in the security plans
and privacy plans after the initial selection and tailoring of the controls as described in NIST Special Publication 800-53 and CNSS Instruction 1253.
[11] In this publication, the term risk is used to mean risk to organizational operations (i.e., mission, functions, image, and
reputation), organizational assets, individuals, other organizations, and the Nation.
made on the basis of what will accomplish the assessment objectives in the most cost-effective
manner and with sufficient confidence to support the subsequent determination of the resulting
mission or business risk. Organizations should balance the resources expended on the deployment
of security and privacy controls (i.e., safeguards and countermeasures implemented for security
and privacy protection) versus the resources expended to determine overall control effectiveness,
both initially and on an ongoing basis through continuous monitoring programs.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse group of information system, information security,
and privacy professionals including:
• Individuals with information system development responsibilities (e.g., program managers,
system designers and developers, systems integrators, information security engineers);
• Individuals with information security assessment and monitoring responsibilities (e.g.,
Inspectors General, system evaluators, assessors, independent verifiers/validators, auditors,
analysts, information system owners, common control providers);
• Individuals with information system, security, privacy, and risk management and oversight
responsibilities (e.g., authorizing officials, chief information officers, senior information
security officers,[12] senior agency officials for privacy/chief privacy officers, information
system managers, information security managers); and
• Individuals with information security implementation and operational responsibilities (e.g.,
information system owners, common control providers, information owners/stewards,
mission/business owners, systems administrators, information system security officers).
1.3 RELATED PUBLICATIONS AND ASSESSMENT PROCESSES
Special Publication 800-53A is designed to support Special Publication 800-37, Guide for
Applying the Risk Management Framework to Federal Information Systems: A Security Life
Cycle Approach. In particular, the assessment procedures contained in this publication and the
guidelines provided for developing security and privacy assessment plans for organizational
information systems directly support the assessment and monitoring activities that are integral to
the risk management process. This includes providing near real-time security- and privacy-related
information to organizational officials regarding the ongoing security and privacy state of their
systems and organizations.
Organizations are encouraged, whenever possible, to take advantage of the assessment results and
associated assessment documentation and evidence available on information system components
from previous assessments including independent third-party testing, evaluation, and validation.[13]
Product testing, evaluation, and validation may be conducted on cryptographic modules and
general-purpose information technology products such as operating systems, database systems,
firewalls, intrusion detection devices, Web browsers, Web applications, smart cards, biometrics
[12] At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may
also refer to this position as the Senior Information Security Officer or the Chief Information Security Officer.
[13] Assessment results can be obtained from many activities that occur routinely during the system development life
cycle. For example, assessment results are produced during the testing and evaluation of new information system
components during system upgrades or system integration activities. Organizations can take advantage of previous
assessment results whenever possible, to reduce the overall cost of assessments and to make the assessment process
more efficient.
devices, personal identity verification devices, network devices, and hardware platforms using
national and international standards. If an information system component product is identified as
providing support for the implementation of a particular security or privacy control in Special
Publication 800-53, then evidence produced during the product testing, evaluation, and validation
processes (e.g., security specifications, analyses and test results, validation reports, and validation
certificates)[14] is used to the extent that it is applicable. This evidence can be combined with the
assessment-related evidence obtained from the application of the assessment procedures in this
publication, to cost-effectively produce the information necessary to determine whether the
security and privacy controls are effective in their application.
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:
• Chapter Two describes the fundamental concepts associated with security and privacy
control assessments including: (i) the integration of assessments into the system development
life cycle; (ii) the importance of an organization-wide strategy for conducting security and
privacy control assessments; (iii) the development of effective assurance cases to help
increase the grounds for confidence in the effectiveness of the security and privacy controls
being assessed; and (iv) the format and content of assessment procedures.
• Chapter Three describes the process of assessing the security and privacy controls in
organizational information systems and their environments of operation including: (i) the
activities carried out by organizations and assessors to prepare for security and privacy
control assessments; (ii) the development of security assessment plans; (iii) the conduct of
security and privacy control assessments and the analysis, documentation, and reporting of
assessment results; and (iv) the post-assessment report analysis and follow-on activities
carried out by organizations.
• Supporting appendices provide detailed assessment-related information including: (i)
general references; (ii) definitions and terms; (iii) acronyms; (iv) a description of assessment
methods; (v) penetration testing guidelines; (vi) a catalog of assessment procedures that can
be used to develop plans for assessing security controls; (vii) content of security assessment
reports; (viii) the definition, format, and use of assessment cases; (ix) automation support for
ongoing assessments; and (x) a catalog of assessment procedures that can be used to develop
plans for assessing privacy controls.
[14] Organizations review the available information from component information technology products to determine: (i)
what security and privacy controls are implemented by the product; (ii) if those security and privacy controls meet the
intended control requirements of the information system under assessment; (iii) if the configuration of the product and
the environment in which the product operates are consistent with the environmental and product configuration stated
by the vendor and/or developer; and (iv) if the assurance requirements stated in the developer/vendor specification
satisfy the assurance requirements for assessing those controls. Meeting the above criteria provides a sound rationale
that the product is suitable and meets the intended security and privacy control requirements of the information system
under assessment.
CHAPTER TWO
THE FUNDAMENTALS
BASIC CONCEPTS ASSOCIATED WITH SECURITY AND PRIVACY CONTROL ASSESSMENTS
This chapter describes the basic concepts associated with assessing the security and privacy
controls in organizational information systems and the environments in which those
systems operate including: (i) the integration of assessments into the system development
life cycle; (ii) the importance of an organization-wide strategy for conducting assessments; (iii)
the development of effective assurance cases to help increase the grounds for confidence in the
effectiveness of security and privacy controls; and (iv) the format and content of assessment
procedures. While flexibility continues to be an important factor in developing assessment plans,
consistency of assessments is also an important consideration. A fundamental design objective for
Special Publication 800-53A is to provide an assessment framework and a starting point for
assessment procedures that are essential for achieving such consistency.
2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE
Security and privacy assessments can be effectively carried out at various stages in the system
development life cycle[15] to increase the grounds for confidence that the security and privacy
controls employed within or inherited by an information system are effective in their application.
This publication provides a comprehensive set of assessment procedures to support security and
privacy assessment activities throughout the system development life cycle. For example, security
assessments are routinely conducted by system developers and system integrators during the
development/acquisition and implementation phases of the life cycle. Privacy assessments are
conducted by senior agency officials for privacy/privacy officers and privacy staff in these early
life cycle phases as well. This helps to ensure that the required security and privacy controls for
the system are properly designed and developed, correctly implemented, and consistent with the
established organizational information security architecture before the system enters the
operations and maintenance phase. Security assessments in the initial system development life
cycle phases include, for example, design and code reviews, application scanning, and regression
testing. Privacy assessments include reviews to ensure that applicable privacy laws and policies
are adhered to and that privacy protections are embedded in system design. Security-related and
privacy-related weaknesses and deficiencies identified early in the system development life cycle
can be resolved more quickly and in a much more cost-effective manner before proceeding to
subsequent phases in the life cycle. The objective is to identify the security and privacy controls
early in the life cycle to ensure that the system design and testing validate the implementation of
these controls. The assessment procedures described in Appendices F and J support assessments
carried out during the initial stages of the system development life cycle.
Security and privacy assessments are also conducted during the operations and maintenance
phase of the life cycle to ensure that security and privacy controls continue to be effective in the
operational environment and can protect against constantly evolving threats. Security assessments
are typically conducted by information system owners, common control providers, information
system security officers, independent assessors, auditors, and Inspectors General. Privacy
assessments are typically conducted by senior agency officials for privacy/privacy officers and
[15] There are typically five phases in a generic system development life cycle: (i) initiation; (ii) development/acquisition;
(iii) implementation; (iv) operations and maintenance; and (v) disposition (disposal). Special Publication 800-64
provides guidance on security considerations in the system development life cycle.
privacy staff. For example, organizations assess all security controls and privacy controls
employed within and inherited by the information system during the initial security authorization.
Subsequent to the initial authorization, the organization assesses all implemented security
controls on an ongoing basis in accordance with its Information Security Continuous Monitoring
strategy.[16] Privacy controls are also assessed on an ongoing basis to ensure compliance with
applicable privacy laws and policies. The ongoing assessment and monitoring of security controls
and privacy controls use the assessment procedures defined in this publication. The frequency of
such assessments and monitoring is determined by the organization and/or information system
owner or common control provider and approved by the authorizing official. Finally, at the end of
the life cycle, security assessments are conducted to ensure that important organizational
information is purged from the information system prior to disposal. Privacy assessments are also
conducted to ensure adherence to organizational retention schedules.
2.2 STRATEGY FOR CONDUCTING CONTROL ASSESSMENTS
Organizations are encouraged to develop a broad-based, organization-wide strategy for
conducting security and privacy assessments, facilitating more cost-effective and consistent
assessments across the inventory of information systems. An organization-wide strategy begins
by applying the initial steps of the Risk Management Framework to all information systems
within the organization, with an organizational view of the security categorization process and the
security and privacy control selection process (including the identification of common controls).
Categorizing information systems as an organization-wide activity taking into consideration not
only the criticality and sensitivity of information but also the enterprise architecture and the
information security architecture helps to ensure that the individual systems are categorized based
on the mission and business objectives of the organization.[17] Maximizing the number of common
controls employed within an organization: (i) significantly reduces the cost of development,
implementation, and assessment of security and privacy controls; (ii) allows organizations to
centralize and automate control assessments and to amortize the cost of those assessments across
all information systems organization-wide; and (iii) increases the consistency of security and
privacy controls. An organization-wide approach to identifying common controls early in the
application of the RMF facilitates a more global strategy for assessing those controls and sharing
essential assessment results with information system owners and authorizing officials. The
sharing of assessment results among key organizational officials across information system
boundaries has many important benefits including:
• Providing the capability to review assessment results for all information systems and to make
mission/business-related decisions on risk mitigation activities according to organizational
priorities, the security categorization of the information systems, and risk assessments;
• Providing a more global view of systemic weaknesses and deficiencies occurring in
information systems across the organization and an opportunity to develop organization-wide
solutions to information security and privacy problems; and
• Increasing the organization’s knowledge base regarding threats, vulnerabilities, and strategies
for more cost-effective solutions to common information security and privacy problems.
Organizations can also promote a more focused and cost-effective assessment process by: (i)
developing more specific assessment procedures that are tailored for their specific environments
[16] Special Publications 800-37 and 800-137 provide guidance on the continuous monitoring of security controls.
[17] Privacy controls are selected and implemented irrespective of the security categorization of the information system.
of operation and requirements (instead of relegating these tasks to each control assessor or
assessment team); and (ii) providing organization-wide tools, templates, and techniques to
support more consistent assessments throughout the organization.[18]
The conduct of security control assessments is the primary responsibility of information system
owners and common control providers with oversight by their respective authorizing officials.
The conduct of privacy control assessments is the primary responsibility of senior agency
officials for privacy/chief privacy officers and privacy staff. There is also significant involvement
in the assessment process by other parties within the organization who have a vested interest in
the outcome of assessments. Other interested parties include, for example, mission/business
owners, information owners/stewards (when those roles are filled by someone other than the
information system owner), information security personnel, and designated privacy staff. It is
imperative that information system owners and common control providers coordinate with the
other parties in the organization having an interest in control assessments to help ensure that the
organization’s core missions and business functions are adequately addressed in the selection of
security and privacy controls to be assessed.
CAUTIONARY NOTE
Organizations should carefully consider the potential impacts of employing the assessment
procedures defined in this Special Publication when assessing the security and privacy controls
in operational systems. Certain assessment procedures, particularly those procedures that
directly impact the operation or function of the hardware, software, or firmware components
of an information system, may inadvertently affect the routine processing, transmission, or
storage of information supporting organizational missions or business functions. For example, a
critical information system component may be taken offline for assessment purposes or a
component may suffer a fault or failure during the assessment process. Organizations should
also take the necessary precautions to ensure that organizational missions and business
functions continue to be supported by information systems and that any potential impacts to
operational effectiveness resulting from assessment activities are considered in advance.
2.3 BUILDING AN EFFECTIVE ASSURANCE CASE
Building an effective assurance case[19] for security and privacy control effectiveness is a process
that involves: (i) compiling evidence from a variety of activities conducted during the system
development life cycle that the controls employed in the information system are implemented
correctly, operating as intended, and producing the desired outcome with respect to meeting the
security and privacy requirements of the system and the organization; and (ii) presenting this
[18] Organizations may also provide security assessment plans including tailored assessment procedures to external
service providers that are operating information systems on behalf of those organizations. In addition, these plans can
recommend supporting templates, tools, and techniques and also be further tailored specific to the contract with the
service provider, helping to make assessments more consistent and to maximize reuse of assessment-related artifacts.
This reuse can improve security through uniformity and reduce/eliminate contracting ambiguity, resulting in reduced
costs and risk to the organization.
[19] An assurance case is a body of evidence organized into an argument demonstrating that some claim about an
information system holds (i.e., is assured). An assurance case is needed when it is important to show that a system
exhibits some complex property such as safety, security, or reliability.
evidence in a manner that decision makers are able to use effectively in making risk-based
decisions about the operation or use of the system. The evidence described above comes from the
implementation of the security and privacy controls in the information system and inherited by
the system (i.e., common controls) and from the assessments of that implementation. Ideally, the
assessor is building on previously developed materials that started with the specification of the
organization’s information security and privacy needs and was further developed during the
design, development, and implementation of the information system. These materials, developed
while implementing security and privacy throughout the life cycle of the information system,
provide the initial evidence for an assurance case.
Assessors obtain the required evidence during the assessment process to allow the appropriate
organizational officials to make objective determinations about the effectiveness of the security
and privacy controls and the overall security and privacy state of the information system. The
assessment evidence needed to make such determinations can be obtained from a variety of
sources including, for example, information technology product and system assessments and, in
the case of privacy assessments, privacy compliance documentation such as Privacy Impact
Assessments and Privacy Act System of Record Notices. Product assessments (also known as
product testing, evaluation, and validation) are typically conducted by independent, third-party
testing organizations. These assessments examine the security and privacy functions of products
and established configuration settings. Assessments can be conducted to demonstrate compliance
to industry, national, or international information security standards, privacy standards embodied
in applicable laws and policies, and developer/vendor claims. Since many information technology
products are assessed by commercial testing organizations and then subsequently deployed in
millions of information systems, these types of assessments can be carried out at a greater level of
depth and provide deeper insights into the security and privacy capabilities of the particular
products.
System assessments are typically conducted by information systems developers, systems
integrators, information system owners, common control providers, assessors, auditors, Inspectors
General, and the information security and privacy staffs of organizations. The assessors or
assessment teams bring together available information about the information system such as the
results from individual component product assessments, if available, and conduct additional
system-level assessments using a variety of methods and techniques. System assessments are
used to compile and evaluate the evidence needed by organizational officials to determine how
effective the security and privacy controls employed in the information system are likely to be in
mitigating risks to organizational operations and assets, to individuals, to other organizations, and
to the Nation. The results of assessments conducted using information system-specific and
organization-specific assessment procedures derived from the guidelines in this publication
contribute to compiling the necessary evidence to determine security and privacy control
effectiveness in accordance with the assurance requirements documented in the security and
privacy plans.
2.4 ASSESSMENT PROCEDURES
An assessment procedure consists of a set of assessment objectives, each with an associated set of
potential assessment methods and assessment objects. An assessment objective includes a set of
determination statements related to the particular security or privacy control under assessment.
The determination statements are linked to the content of the security or privacy control (i.e., the
security/privacy control functionality) to ensure traceability of assessment results back to the
fundamental control requirements. The application of an assessment procedure to a security or
privacy control produces assessment findings. These findings reflect, or are subsequently used, to
help determine the overall effectiveness of the security or privacy control.
Assessment objects identify the specific items being assessed and include specifications,
mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g.,
policies, procedures, plans, system security and privacy requirements, functional specifications,
architectural designs) associated with an information system. Mechanisms are the specific
hardware, software, or firmware safeguards and countermeasures employed within an information
system. 20 Activities are the specific protection-related actions supporting an information system
that involve people (e.g., conducting system backup operations, monitoring network traffic,
exercising a contingency plan). Individuals, or groups of individuals, are people applying the
specifications, mechanisms, or activities described above.
Assessment methods define the nature of the assessor actions and include examine, interview, and
test. The examine method is the process of reviewing, inspecting, observing, studying, or
analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The
purpose of the examine method is to facilitate assessor understanding, achieve clarification, or
obtain evidence. The interview method is the process of holding discussions with individuals or
groups of individuals within an organization to, once again, facilitate assessor understanding,
achieve clarification, or obtain evidence. The test method is the process of exercising one or more
assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual
with expected behavior. In all three assessment methods, the results are used in making specific
determinations called for in the determination statements and thereby achieving the objectives for
the assessment procedure. A complete description of assessment methods and assessment objects
is provided in Appendix D.
Assessment methods have a set of associated attributes, depth and coverage, which help define
the level of effort for the assessment. These attributes are hierarchical in nature, providing the
means to define the rigor and scope of the assessment for the increased assurances that may be
needed for some information systems. The depth attribute addresses the rigor of and level of
detail in the examination, interview, and testing processes. Values for the depth attribute include
basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the
examination, interview, and testing processes including the number and type of specifications,
mechanisms, and activities to be examined or tested, and the number and types of individuals to
be interviewed. Similar to the depth attribute, values for the coverage attribute include basic,
focused, and comprehensive. The appropriate depth and coverage attribute values for a particular
assessment method are based on the assurance requirements specified by the organization. 21 As
assurance requirements increase with regard to the development, implementation, and operation
of security and privacy controls within or inherited by the information system, the rigor and scope
of the assessment activities (as reflected in the selection of assessment methods and objects and
the assignment of depth and coverage attribute values) tend to increase as well. Appendix D
provides a detailed description of assessment method attributes and attribute values.
20
Mechanisms also include physical protection devices associated with an information system (e.g., locks, keypads,
security cameras, fire protection devices, fireproof safes, etc.).
21
For other than national security systems, organizations meet minimum assurance requirements specified in Special
Publication 800-53, Appendix E.
Figure 1 illustrates an example of an assessment procedure developed to assess the effectiveness
of security control CP-9. The assessment objective for CP-9 is derived from the base control
statement described in NIST Special Publication 800-53, Appendix F. Potential assessment
methods and objects are added to the assessment procedure.
CP-9  INFORMATION SYSTEM BACKUP
ASSESSMENT OBJECTIVE:
Determine if the organization:
CP-9(a)
    CP-9(a)[1]  defines a frequency, consistent with recovery time objectives and recovery point
                objectives as specified in the information system contingency plan, to conduct
                backups of user-level information contained in the information system;
    CP-9(a)[2]  conducts backups of user-level information contained in the information system
                with the organization-defined frequency;
CP-9(b)
    CP-9(b)[1]  defines a frequency, consistent with recovery time objectives and recovery point
                objectives as specified in the information system contingency plan, to conduct
                backups of system-level information contained in the information system;
    CP-9(b)[2]  conducts backups of system-level information contained in the information system
                with the organization-defined frequency;
CP-9(c)
    CP-9(c)[1]  defines a frequency, consistent with recovery time objectives and recovery point
                objectives as specified in the information system contingency plan, to conduct
                backups of information system documentation including security-related
                documentation;
    CP-9(c)[2]  conducts backups of information system documentation, including security-related
                documentation, with the organization-defined frequency; and
CP-9(d)     protects the confidentiality, integrity, and availability of backup information at
            storage locations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing information system
backup; contingency plan; backup storage location(s); information system backup logs or
records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities;
organizational personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for conducting information system backups; automated
mechanisms supporting and/or implementing information system backups].
FIGURE 1: ASSESSMENT PROCEDURE FOR SECURITY CONTROL
The assessment objectives are numbered sequentially, first in accordance with the numbering
scheme in Special Publication 800-53, and subsequently, where necessary to further apportion the
security or privacy control requirements to facilitate assessment, bracketed sequential numbers
or letters, as opposed to parentheses, are used to make that distinction (e.g., CP-9(a), CP-9(a)[1],
CP-9(a)[2], CP-9(b)[1], CP-9(b)[2], CP-9(c)[1], CP-9(c)[2], CP-9(d), etc.). The initial bracketed
character is always a number. For some controls, the column with the initial control designation
(e.g., CP-9, CP-9(a), CP-9(b), and CP-9(c) in Figure 1) is simply a placeholder to help facilitate
apportioning the control while maintaining the formatting scheme. Although not explicitly noted
with each identified assessment method in the assessment procedure, the attribute values of depth
and coverage described in Appendix D are assigned by the organization and applied by the
assessor/assessment team in the execution of the assessment method against an assessment object.
If the control has any enhancements (as designated by sequential parenthetical numbers, for
example, CP-9 (3) for the third enhancement for CP-9), assessment objectives are developed for
each enhancement using the same process as for the base control. The resulting assessment
objectives are numbered sequentially in the same way as the assessment procedure for the base
control, first in accordance with the numbering scheme in Special Publication 800-53, and
subsequently, using bracketed sequential numbers or letters to further apportion control
enhancement requirements to facilitate assessments (e.g., CP-9(3)[1], CP-9(3)[2]). Figure 2
illustrates an example of an assessment procedure developed to assess the effectiveness of the
third enhancement to security control CP-9.
CP-9(3)  INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
ASSESSMENT OBJECTIVE:
Determine if the organization:
CP-9(3)[1]
    CP-9(3)[1][a]  defines critical information system software and other security-related
                   information requiring backup copies to be stored in a separate facility; or
    CP-9(3)[1][b]  defines critical information system software and other security-related
                   information requiring backup copies to be stored in a fire-rated container
                   that is not collocated with the operational system; and
CP-9(3)[2]  stores backup copies of organization-defined critical information system software
            and other security-related information in a separate facility or in a fire-rated
            container that is not collocated with the operational system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing information system
backup; contingency plan; backup storage location(s); information system backup
configurations and associated documentation; information system backup logs or records;
other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation
responsibilities; organizational personnel with information system backup responsibilities;
organizational personnel with information security responsibilities].
FIGURE 2: ASSESSMENT PROCEDURE FOR SECURITY CONTROL ENHANCEMENT
Recall that numbers in parentheses immediately after the base control designation (as in Figure 2)
indicate the number of the control enhancement while letters in parentheses immediately after the
base control designation (as in Figure 1) indicate division of the base control into separate control
requirements. When further division of a control is necessary to support assessment, bracketed
characters that alternate between numbers and letters (e.g., CP-9(3)[1][a], CP-9(3)[1][b]) are used
with the initial bracketed character always being a number whether it follows a parenthetical
letter (base control) or number (control enhancement).
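The identifier conventions just described (a parenthetical letter for a base-control part, a parenthetical number for an enhancement, then bracketed characters that alternate between numbers and letters and always start with a number) as an added Python example; this is not NIST tooling, and the parser and function names are assumptions made for illustration:

```python
"""Parse and validate SP 800-53A style assessment objective identifiers."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Grammar from the text: control designation, then either a parenthetical number
# (control enhancement) or a parenthetical letter (division of the base control),
# then bracketed characters that apportion the requirement further.
_ID_RE = re.compile(
    r"^(?P<family>[A-Z]{2})-(?P<number>\d+)"     # e.g. CP-9
    r"(?:\s*\((?P<enh>\d+)\))?"                  # e.g. (3)   enhancement
    r"(?:\((?P<part>[a-z])\))?"                  # e.g. (a)   base-control part
    r"(?P<brackets>(?:\[[0-9a-z]+\])*)$"         # e.g. [1][a]
)


@dataclass
class ObjectiveId:
    family: str
    number: int
    enhancement: Optional[int]
    part: Optional[str]
    brackets: List[str] = field(default_factory=list)

    @property
    def control(self) -> str:
        """Base control designation using the SP 800-53 numbering scheme."""
        return f"{self.family}-{self.number}"

    @property
    def is_enhancement(self) -> bool:
        return self.enhancement is not None

    @property
    def designation(self) -> str:
        """Normalized identifier, e.g. 'CP-9(3)[1][a]'."""
        text = self.control
        if self.enhancement is not None:
            text += f"({self.enhancement})"
        if self.part is not None:
            text += f"({self.part})"
        return text + "".join(f"[{b}]" for b in self.brackets)


def parse_objective_id(text: str) -> ObjectiveId:
    """Parse an identifier such as 'CP-9(a)[1]'; raise ValueError if it breaks the rules."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an assessment objective identifier: {text!r}")
    brackets = re.findall(r"\[([0-9a-z]+)\]", m.group("brackets"))
    # Bracketed characters alternate between numbers and letters, and the
    # initial bracketed character is always a number.
    for i, b in enumerate(brackets):
        expect_number = i % 2 == 0
        if expect_number != b.isdigit():
            kind = "a number" if expect_number else "a letter"
            raise ValueError(f"{text!r}: bracket {i + 1} ({b!r}) should be {kind}")
    return ObjectiveId(
        family=m.group("family"),
        number=int(m.group("number")),
        enhancement=int(m.group("enh")) if m.group("enh") else None,
        part=m.group("part"),
        brackets=brackets,
    )


def is_valid_objective_id(text: str) -> bool:
    """True when the identifier follows the numbering conventions above."""
    try:
        parse_objective_id(text)
    except ValueError:
        return False
    return True
```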
The Security Content Automation Protocol (SCAP) supports the assessment process for security
controls and facilitates more efficient and cost-effective assessments. SCAP is a collection of
related specifications for automating the collection and representation of evidence in a
standards-based format that enables interoperability between SCAP-enabled tools. The SCAP
specifications define the formats by which assessment criteria, also called SCAP content, can be
exchanged and provided to assessment tools. This content can be used to automate the collection
and evaluation
of evidence sourced from both machine- and human-oriented artifacts. SCAP also defines formats
that capture and enable the exchange of results of collecting and evaluating artifacts. Typically,
machine-oriented artifacts that can be collected and evaluated using SCAP pertain to mechanisms
(e.g., configuration settings, installed hardware/software, operational state of countermeasures).
Additionally, human-oriented artifacts, such as those that pertain to specifications and activities,
can be collected using the Open Checklist Interactive Language (OCIL). OCIL is an SCAP
component specification that enables the collection and representation of interview data in a
standards-based format. The content-driven nature of SCAP-enabled automation solutions can
support flexible and consistent assessment of security and privacy controls.
CHAPTER THREE
THE PROCESS
CONDUCTING EFFECTIVE SECURITY AND PRIVACY CONTROL ASSESSMENTS
This chapter describes the process of assessing the security and privacy controls in
organizational information systems and environments of operation including: (i) the
activities carried out by organizations and assessors to prepare for security and privacy
control assessments; (ii) the development of security and privacy assessment plans; (iii) the
conduct of control assessments and the analysis, documentation, and reporting of assessment
results; and (iv) post-assessment report analysis and follow-on activities.
3.1 PREPARING FOR SECURITY AND PRIVACY CONTROL ASSESSMENTS
Conducting security control assessments and privacy control assessments in today’s complex
environment of sophisticated information technology infrastructures and high-visibility,
mission-critical applications can be difficult, challenging, and resource-intensive. Security and privacy
control assessments may be conducted by different organizational entities with distinct oversight
responsibilities. However, success requires the cooperation and collaboration among all parties
having a vested interest in the organization’s information security or privacy posture, including
information system owners, common control providers, authorizing officials, chief information
officers, senior information security officers, senior agency officials for privacy/chief privacy
officers, chief executive officers/heads of agencies, security and privacy staffs, Inspectors
General, and OMB. Establishing an appropriate set of expectations before, during, and after an
assessment is paramount to achieving an acceptable outcome, that is, producing information
necessary to help the authorizing official make a credible, risk-based decision on whether to place
the information system into operation or continue its operation.
Thorough preparation by the organization and the assessors is an important aspect of conducting
effective security control assessments and privacy control assessments. Preparatory activities
address a range of issues relating to the cost, schedule, and performance of the assessment. From
the organizational perspective, preparing for a security or privacy control assessment includes the
following key activities:
• Ensuring that appropriate policies covering security and privacy control assessments,
  respectively, are in place and understood by all affected organizational elements;
• Ensuring that all steps in the RMF 22 prior to the security or privacy control assessment step,
  have been successfully completed and received appropriate management oversight; 23
• Establishing the objective and scope of assessments (i.e., the purpose of the assessments and
  what is being assessed);
22
While the RMF can be employed for privacy controls (see Special Publication 800-53, Appendix J), privacy control
selection is conducted irrespective of the security categories of organizational information systems.
23
Conducting security control assessments in parallel with the development/acquisition and implementation phases of
the life cycle permits the identification of weaknesses and deficiencies early and provides the most cost-effective
method for initiating corrective actions. Issues found during these assessments can be referred to authorizing officials
for early resolution, as appropriate. The results of security control assessments carried out during system development
and implementation can also be used (consistent with reuse criteria) during the security authorization process to avoid
system fielding delays or costly repetition of assessments.
• Ensuring that security and privacy controls identified as common controls (and the common
  portion of hybrid controls) have been assigned to appropriate organizational entities (i.e.,
  common control providers) for development and implementation; 24
• Notifying key organizational officials of impending assessments and allocating necessary
  resources to carry out the assessments;
• Establishing appropriate communication channels among organizational officials having an
  interest in the assessments; 25
• Establishing time frames for completing the assessments and key milestone decision points
  required by the organization to effectively manage the assessments;
• Identifying and selecting competent assessors/assessment teams that will be responsible for
  conducting the assessments, considering issues of assessor independence;
• Collecting artifacts to provide to the assessors/assessment teams (e.g., policies, procedures,
  plans, specifications, designs, records, administrator/operator manuals, information system
  documentation, interconnection agreements, previous assessment results, legal requirements);
  and
• Establishing a mechanism between the organization and the assessors and/or assessment
  teams to minimize ambiguities or misunderstandings about the implementation of security or
  privacy controls and security/privacy control weaknesses/deficiencies identified during the
  assessments.
Security and privacy control assessors/assessment teams begin preparing for their respective
assessments by:
• Obtaining a general understanding of the organization’s operations (including mission,
  functions, and business processes) and how the information system that is the subject of the
  particular assessment supports those organizational operations;
• Obtaining an understanding of the structure of the information system (i.e., system
  architecture) and the security or privacy controls being assessed (including system-specific,
  hybrid, and common controls);
• Identifying the organizational entities responsible for the development and implementation of
  the common controls (or the common portion of hybrid controls) supporting the information
  system;
• Meeting with appropriate organizational officials to ensure common understanding for
  assessment objectives and the proposed rigor and scope of the assessment;
• Obtaining artifacts needed for the assessment (e.g., policies, procedures, plans, specifications,
  designs, records, administrator and operator manuals, information system documentation,
  interconnection agreements, previous assessment results);
24
Security control assessments and privacy control assessments include common controls that are the responsibility of
organizational entities other than the information system owner inheriting the controls or hybrid controls where there is
shared responsibility among the system (or program) owner and designated organizational entities.
25
Depending upon whether security controls or privacy controls are being assessed, these individuals typically include
authorizing officials, information system (or program) owners, common control providers, mission/business owners,
information owners/stewards, chief information officers, senior information security officers, senior agency officials
for privacy/chief privacy officers, privacy staff, Inspectors General, information system security officers, users from
organizations that the information system supports, and assessors.
• Establishing appropriate organizational points of contact needed to carry out the assessments;
• Obtaining previous assessment results that may be appropriately reused for the current
  assessment (e.g., Inspector General reports, audits, vulnerability scans, physical security
  inspections, prior security or privacy assessments, developmental testing and evaluation,
  vendor flaw remediation activities, ISO/IEC 15408 [Common Criteria] evaluations); and
• Developing security and privacy assessment plans which may be integrated into one plan or
  developed separately.
In preparation for the assessment of security or privacy controls, the necessary background
information is assembled and made available to the assessors or assessment team. 26 To the extent
necessary to support the specific assessment, and depending upon whether security controls or
privacy controls are being assessed, the organization identifies and arranges access to: (i)
elements of the organization responsible for developing, documenting, disseminating, reviewing,
and updating all security or privacy policies and associated procedures for implementing
policy-compliant controls; (ii) the security or privacy policies for the information system and any
associated implementing procedures; (iii) individuals or groups responsible for the development,
implementation, operation, and maintenance of security or privacy controls; (iv) any materials
(e.g., security or privacy plans, records, schedules, assessment reports, after-action reports,
agreements, authorization packages) associated with the implementation and operation of the
security or privacy controls to be assessed; and (v) the specific objects to be assessed. 27 The
availability of essential documentation as well as access to key organizational personnel and the
information system being assessed are paramount to a successful assessment.
Organizations consider both the technical expertise and level of independence required in
selecting security or privacy control assessors. Organizations ensure that assessors possess the
required skills and technical expertise to successfully carry out assessments of system-specific,
hybrid, and common controls. 28 This includes knowledge of and experience with the specific
hardware, software, and firmware components employed by the organization. An independent
assessor is any individual capable of conducting an impartial assessment of security and privacy
controls employed within or inherited by an information system. Impartiality implies that security
control assessors and privacy control assessors are free from any perceived or actual conflicts of
interest with respect to the development, operation, and/or management of the information system
or the determination of security or privacy control effectiveness. 29 The authorizing official or
designated representative determines the required level of independence for assessors based on
the results of the security categorization process for the information system (in the case of
security control assessments) and the risk to organizational operations and assets, individuals,
other organizations, and the Nation. The authorizing official determines if the level of assessor
independence is sufficient to provide confidence that the assessment results produced are sound
and can be used to make a risk-based decision on whether to place the information system into
operation or continue its operation.
26
Information system (or program) owners and organizational entities developing, implementing, and/or administering
common controls (i.e., common control providers) are responsible for providing needed information to assessors.
27
In situations where there are multiple security or privacy assessments ongoing or planned within an organization,
access to organizational elements, individuals, and artifacts supporting the assessments is centrally managed by the
organization to ensure a cost-effective use of time and resources.
28
The National Cybersecurity Workforce Framework provides information about skill sets and technical expertise
needed by security or privacy control assessors. See www.niccs.us-cert.gov/training/tc/framework.
29
Contracted assessment services are considered independent if the information system (or program) owner is not
directly involved in the contracting process or cannot unduly influence the independence of the assessor(s) conducting
the assessment of the security or privacy controls.
Independent security and privacy control assessment services can be obtained from other
elements within the organization or can be contracted to a public or private sector entity outside
of the organization. In special situations, for example when the organization that owns the
information system is small or the organizational structure requires that the security or privacy
control assessment be accomplished by individuals that are in the developmental, operational,
and/or management chain of the system owner, independence in the assessment process can be
achieved by ensuring that the assessment results are carefully reviewed and analyzed by an
independent team of experts to validate the completeness, consistency, and veracity of the
results. 30
3.2 DEVELOPING SECURITY AND PRIVACY ASSESSMENT PLANS
The security assessment plan and privacy assessment plan provide the objectives for the security
and privacy control assessments, respectively, and a detailed roadmap of how to conduct such
assessments. These plans may be developed as one integrated plan or as distinct plans, depending
upon organizational needs. The following steps are considered by assessors in developing plans to
assess the security or privacy controls in organizational information systems or inherited by those
systems:
• Determine which security and privacy controls/control enhancements are to be included in
  assessments based upon the contents of the security plan and privacy plan and the purpose
  and scope of the assessments;
• Select the appropriate assessment procedures to be used during assessments based on the
  security or privacy controls and control enhancements to be included in the assessments;
• Tailor the selected assessment procedures (e.g., select appropriate assessment methods and
  objects, assign depth and coverage attribute values);
• Develop additional assessment procedures to address any security requirements or privacy
  requirements or controls that are not sufficiently covered by Special Publication 800-53;
• Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and
  consolidating assessment procedures) and provide cost-effective assessment solutions; and
• Finalize assessment plans and obtain the necessary approvals to execute the plans.
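The plan-development steps above, carried through as an added Python example that is not NIST tooling: it uses the CP-9 and CP-9(3) procedures from Figures 1 and 2 as a constructed catalog, tailors them with the examine/interview/test methods and depth and coverage values from Section 2.4, and consolidates assessment objects shared by both procedures so each is examined or interviewed once (the optimize step). Names such as Procedure and build_plan are assumptions made for illustration.

```python
"""Tailor and consolidate SP 800-53A style assessment procedures into one plan."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ATTRIBUTE_VALUES = ("basic", "focused", "comprehensive")  # depth and coverage values
METHODS = ("examine", "interview", "test")                # assessment methods


@dataclass
class Procedure:
    """An assessment procedure: objectives plus potential methods and objects."""
    control: str                   # control or enhancement, e.g. "CP-9", "CP-9(3)"
    objectives: List[str]          # determination-statement identifiers
    objects: Dict[str, List[str]]  # method -> potential assessment objects


# Constructed catalog holding the two procedures shown in Figures 1 and 2.
CATALOG: Dict[str, Procedure] = {
    "CP-9": Procedure(
        "CP-9",
        ["CP-9(a)[1]", "CP-9(a)[2]", "CP-9(b)[1]", "CP-9(b)[2]", "CP-9(c)[1]", "CP-9(c)[2]", "CP-9(d)"],
        {
            "examine": [
                "Contingency planning policy",
                "procedures addressing information system backup",
                "contingency plan",
                "backup storage location(s)",
                "information system backup logs or records",
                "other relevant documents or records",
            ],
            "interview": [
                "Organizational personnel with information system backup responsibilities",
                "organizational personnel with information security responsibilities",
            ],
            "test": [
                "Organizational processes for conducting information system backups",
                "automated mechanisms supporting and/or implementing information system backups",
            ],
        },
    ),
    "CP-9(3)": Procedure(
        "CP-9(3)",
        ["CP-9(3)[1][a]", "CP-9(3)[1][b]", "CP-9(3)[2]"],
        {
            "examine": [
                "Contingency planning policy",
                "procedures addressing information system backup",
                "contingency plan",
                "backup storage location(s)",
                "information system backup configurations and associated documentation",
                "information system backup logs or records",
                "other relevant documents or records",
            ],
            "interview": [
                "Organizational personnel with contingency planning and plan implementation "
                "responsibilities",
                "Organizational personnel with information system backup responsibilities",
                "organizational personnel with information security responsibilities",
            ],
            # Figure 2 lists no test method for this enhancement.
        },
    ),
}


@dataclass
class PlanEntry:
    method: str
    obj: str
    depth: str
    coverage: str
    supports: List[str]  # procedures whose objectives this action provides evidence for


def build_plan(selected: Iterable[str], catalog: Dict[str, Procedure], depth: str,
               coverage: str, methods: Tuple[str, ...] = METHODS) -> List[PlanEntry]:
    """Select (step 2), tailor (step 3) and optimize (step 5) the procedures for the
    controls chosen in step 1; a control without a procedure is reported (step 4)."""
    for name, value in (("depth", depth), ("coverage", coverage)):
        if value not in ATTRIBUTE_VALUES:
            raise ValueError(f"{name} must be one of {ATTRIBUTE_VALUES}, got {value!r}")
    merged: Dict[Tuple[str, str], PlanEntry] = {}
    for control in selected:
        if control not in catalog:
            raise KeyError(f"no assessment procedure for {control}; develop one (step 4)")
        for method in methods:
            for obj in catalog[control].objects.get(method, []):
                key = (method, obj.lower())  # same object, whatever the capitalization
                entry = merged.get(key)
                if entry is None:
                    merged[key] = PlanEntry(method, obj, depth, coverage, [control])
                elif control not in entry.supports:
                    entry.supports.append(control)
    return list(merged.values())


def effort_summary(plan: List[PlanEntry]) -> Dict[str, int]:
    """Number of consolidated assessor actions per assessment method."""
    summary = {m: 0 for m in METHODS}
    for entry in plan:
        summary[entry.method] += 1
    return summary
```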
3.2.1 Determine which security or privacy controls are to be assessed.
The security plan and privacy plan provide an overview of the security and privacy requirements,
respectively, for the information system and organization and describe the security controls and
privacy controls in place or planned for meeting those requirements. The assessor starts with the
security or privacy controls described in the security or privacy plan and considers the purpose of
the assessment. A security or privacy control assessment can be a complete assessment of all
controls in the information system or inherited by the system (e.g., during an initial security or
privacy authorization process) or a partial assessment of the controls in the information system or
inherited by the system (e.g., during system development as part of a targeted assessment
resulting from changes affecting specific controls, or where controls were previously assessed
and the results accepted in the reciprocity process).
30 The authorizing official consults with the Office of the Inspector General, the senior information security officer,
senior agency officials for privacy/chief privacy officers, and the chief information officer, as appropriate, to discuss
the implications of any decisions on assessor independence in the types of special circumstances described above.
Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Chapter 3: Building Effective Assessment Plans, page 17
For partial assessments, information system owners and common control providers collaborate
with organizational officials having an interest in the assessment (e.g., senior information security
officers, senior agency officials for privacy/chief privacy officers, mission/information owners,
Inspectors General, and authorizing officials) to determine which security or privacy controls are
to be assessed. The determination of the controls to be assessed depends on the purpose of the
assessment. For example, during the initial phases of the system development life cycle, specific
controls may be selected for assessment to promote early detection of weaknesses and deficiencies
and a more cost-effective approach to risk mitigation. After the initial authorization to operate has
been granted, targeted assessments may need to be conducted when changes are made to the
system, specific security or privacy controls, or to the environment of operation. In such cases,
the focus for the assessment is on the security or privacy controls that may have been affected by
the change.
3.2.2 Select procedures to assess the security or privacy controls.
Special Publication 800-53A provides assessment procedures for each security and privacy
control and control enhancement in Special Publication 800-53. For each security or privacy
control in the security plan and privacy plan to be included in the assessment, assessors select the
corresponding assessment procedure from Appendix F (security assessment procedures) or
Appendix J (privacy assessment procedures). The selected assessment procedures can vary from
assessment to assessment based on the current content of the security plans and privacy plans and
the purpose of the assessment (e.g., complete assessment, partial assessment).
3.2.3 Tailor assessment procedures.
In a similar manner to how the security controls and privacy controls from Special Publication
800-53 are tailored for the organization’s mission, business functions, characteristics of the
information system, and operating environment, organizations tailor the assessment procedures
listed in Appendices F and J to meet specific organizational needs. Organizations have the
flexibility to perform the tailoring process at the organization leve…