
Special Publication 800-53A

Guide for Assessing the Security Controls in Federal Information Systems and Organizations

________________________________________________________________________________________________

APPENDIX G

SECURITY ASSESSMENT REPORTS

DOCUMENTING THE FINDINGS FROM SECURITY CONTROL ASSESSMENTS

The primary purpose of the security assessment report is to convey the results of the security assessment to appropriate organizational officials. The security assessment report is included in the security authorization package along with the security plan (including an updated risk assessment), and the plan of action and milestones to provide authorizing officials with the information necessary to make credible, risk-based decisions on whether to place an information system into operation or continue its operation. As the security assessment and authorization process becomes more dynamic in nature, relying to a greater degree on the continuous monitoring aspects of the process as an integrated and tightly coupled part of the system development life cycle, the ability to update the security assessment report frequently becomes a critical aspect of an information security program.

It is important to emphasize the relationship, described in Special Publication 800-37, among the three key documents in the authorization package (i.e., the security plan, the security assessment report, and the plan of action and milestones). It is these documents that provide the most reliable indication of the overall security state of the information system and the ability of the system to protect, to the degree necessary, the organization’s operations and assets, individuals, other organizations, and the Nation. Updates to these key documents are provided on an ongoing basis in accordance with the continuous monitoring program established by the organization.

The security assessment report provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any weaknesses or deficiencies in the security controls.51 This appendix provides a template for reporting the results from security control assessments. Organizations are not restricted to the specific template format; however, it is anticipated that the overall report of an assessment will include similar information to that detailed in the template for each security control assessed, preceded by a summary providing the list of all security controls assessed and the overall status of each control.

Key Elements for Assessment Reporting

The following elements are included in security assessment reports:52

- Information system name;
- Security categorization;
- Site(s) assessed and assessment date(s);
- Assessor’s name/identification;
- Previous assessment results (if reused);
- Security control or control enhancement designator;
- Selected assessment methods and objects;
- Depth and coverage attributes values;
- Assessment finding summary (indicating satisfied or other than satisfied);
- Assessor comments (weaknesses or deficiencies noted); and
- Assessor recommendations (priorities, remediation, corrective actions, or improvements).

51 While the rationale for each determination made is a part of the formal Security Assessment Report, the complete set of records produced as a part of the assessment is likely not included in the report. However, organizations retain the portion of these records necessary for maintaining an audit trail of assessment evidence, facilitating reuse of evidence as appropriate, and promoting repeatability of assessor actions.

52 Information available in other key organizational documents (e.g., security plan, risk assessment, plan of action and milestones, or security assessment plan) need not be duplicated in the security assessment report.

APPENDIX G

PAGE G-1

The Assessment Findings

Each determination statement executed by an assessor results in one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). Consider the following example for security control CP-2. The assessment procedure for CP-2 consists of two assessment objectives denoted CP-2.1 and CP-2.2. The assessor initially executes CP-2.1 and produces the following findings:

CP-2.1

ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization develops a contingency plan for the information system that:

- identifies essential missions and business functions and associated contingency requirements; (S)
- provides recovery objectives, restoration priorities, and metrics; (S)
- addresses contingency roles, responsibilities, assigned individuals with contact information; (O)
- addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (S)
- addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; (S) and
- is reviewed and approved by designated officials within the organization; (O)

(ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; (O) and

(iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements. (O)

Comments and Recommendations:

CP-2.1 (i) is marked as other than satisfied because the contingency plan prepared by the organization did not assign individuals to contingency roles and provide contact information. There was also no evidence that the contingency plan had been reviewed and approved by designated organizational officials.

CP-2.1 (iii) is marked as other than satisfied because the organization had not distributed copies of the contingency plan to key contingency personnel and organizational elements critical to executing the plan.

 

 

In a similar manner, the assessor executes CP-2.2 and produces appropriate findings. During an actual security control assessment, the assessment findings, comments, and recommendations are documented on a Security Assessment Reporting Form. Organizations are encouraged to develop standard templates for reporting that contain the key elements for assessment reporting described above. Whenever possible, automation is used to make assessment data collection and reporting cost-effective, timely, and efficient.
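Rolling the determination-level findings up into the per-control status that the report summary lists, as an added example that is not part of SP 800-53A: the CP-2.1 findings are taken from the text above, while the data classes, the validation rule that every other-than-satisfied finding carries an assessor comment, and the CP-2.2 finding are assumptions.

```python
"""Roll-up of determination-level findings into the per-control status listed in
the summary of a security assessment report. Added example; the data classes,
the validation rule and the CP-2.2 finding are assumptions, not SP 800-53A."""
from dataclasses import dataclass, field

SATISFIED, OTHER_THAN_SATISFIED = "S", "O"


@dataclass
class Determination:
    ident: str          # e.g. "CP-2.1(i)-c"
    text: str
    finding: str        # "S" or "O"
    comment: str = ""   # assessor comment explaining an "O" finding


@dataclass
class Objective:
    ident: str          # e.g. "CP-2.1"
    determinations: list = field(default_factory=list)

    def status(self) -> str:
        # An objective is satisfied only if every determination under it is.
        ok = all(d.finding == SATISFIED for d in self.determinations)
        return SATISFIED if ok else OTHER_THAN_SATISFIED


@dataclass
class Control:
    ident: str          # e.g. "CP-2"
    objectives: list = field(default_factory=list)

    def status(self) -> str:
        # Likewise, a control is satisfied only if all its objectives are.
        ok = all(o.status() == SATISFIED for o in self.objectives)
        return SATISFIED if ok else OTHER_THAN_SATISFIED

    def weaknesses(self) -> list:
        """Determinations marked other than satisfied, in report order."""
        return [d for o in self.objectives for d in o.determinations
                if d.finding == OTHER_THAN_SATISFIED]


def validate(control: Control) -> list:
    """Report-quality checks (assumed rules): every finding is S or O, and
    every O finding carries an assessor comment so the weakness is traceable."""
    problems = []
    for o in control.objectives:
        for d in o.determinations:
            if d.finding not in (SATISFIED, OTHER_THAN_SATISFIED):
                problems.append(f"{d.ident}: unknown finding {d.finding!r}")
            elif d.finding == OTHER_THAN_SATISFIED and not d.comment:
                problems.append(f"{d.ident}: other than satisfied without comment")
    return problems


def summary(controls: list) -> dict:
    """The list of controls assessed with the overall status of each."""
    return {c.ident: c.status() for c in controls}


# CP-2.1 findings as recorded in the text above; CP-2.2 is constructed.
cp21 = Objective("CP-2.1", [
    Determination("CP-2.1(i)-a", "identifies essential missions and functions", "S"),
    Determination("CP-2.1(i)-b", "provides recovery objectives and metrics", "S"),
    Determination("CP-2.1(i)-c", "addresses roles and contact information", "O",
                  "no individuals assigned to roles, no contact information"),
    Determination("CP-2.1(i)-d", "maintains essential missions despite disruption", "S"),
    Determination("CP-2.1(i)-e", "addresses eventual full restoration", "S"),
    Determination("CP-2.1(i)-f", "reviewed and approved by designated officials", "O",
                  "no evidence of review and approval"),
    Determination("CP-2.1(ii)", "defines key contingency personnel and elements", "O"),
    Determination("CP-2.1(iii)", "distributes copies of the plan", "O",
                  "plan not distributed to key personnel and elements"),
])
cp22 = Objective("CP-2.2", [  # constructed sample finding, not from the page
    Determination("CP-2.2(i)", "coordinates with related organizational plans", "S"),
])
CP2 = Control("CP-2", [cp21, cp22])

if __name__ == "__main__":
    print(summary([CP2]), CP2.weaknesses(), validate(CP2))
```

Note that CP-2.1 (ii) is recorded as other than satisfied on the page without an accompanying comment, which is exactly the gap the validation step flags.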


APPENDIX H

ASSESSMENT CASES

WORKED EXAMPLES OF ASSESSOR ACTIONS DERIVED FROM ASSESSMENT PROCEDURES

To provide assessors with additional tools and techniques for implementing the assessment procedures in Appendix F, NIST initiated the Assessment Case Development Project.53 The purpose of the project is fourfold: (i) to actively engage experienced assessors from multiple organizations in recommending assessment cases that describe specific assessor actions to implement the assessment procedures in Appendix F; (ii) to provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in Appendix F; (iii) to provide a vehicle for ongoing community-wide review of the assessment cases to promote continuous improvement in the security control assessment process for more consistent, effective, and cost-effective security assessments of federal information systems; and (iv) to serve as a basis for reciprocity among various communities of interest. The assessment case development process is described in this appendix and several examples of assessment cases are provided.

Assessment Case Description and Template

The concept of assessment cases emerged during the development process of Special Publication 800-53A. Some organizations prefer the flexibility offered by the generalized assessment procedures in Appendix F, with the opportunity to tailor the procedures for specific organizational requirements and operational environments and to create specific assessor actions and activities for a particular security assessment. Other organizations prefer a more prescriptive approach and desire, to the greatest extent possible, a predefined set of specific assessor actions and activities needed to successfully carry out a security assessment. To facilitate the specificity of the latter approach while maintaining the flexibility of the former approach, assessment cases have been developed for all assessment procedures in Appendix F of this document.

An assessment case represents a worked example of an assessment procedure, identifying the specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system. There is one assessment case per control, covering all assessment objectives from the assessment procedure in Appendix F for that control (both base control and all enhancements). The assessment case provides an example by experienced assessors of a potential set of specific assessor action steps to accomplish the assessment that were developed with consideration for the list of potential assessment methods and objects, and incorporating the level of coverage and depth to be applied and the specific purpose to be achieved by each assessor action. This additional level of detail in the assessment cases provides assessors with more prescriptive assessment information. Yet, while being more prescriptive, the assessment cases are not intended to restrict assessor flexibility provided as part of the design principles in Special Publication 800-53A. The assessor remains responsible for making the specified determinations and for providing adequate rationale for the determinations made.

53 NIST initiated the Assessment Case Development Project in October 2007 in cooperation with the Departments of Justice, Energy, Transportation, and the Intelligence Community. The interagency task force developed a full suite of assessment cases based on the assessment procedures provided in Special Publication 800-53A. The assessment cases are available to all public and private sector organizations and can be downloaded from the NIST web site at http://csrc.nist.gov/sec-cert.


The following template is used to create the specific assessment cases for the assessment procedures in Appendix F.

ASSESSMENT CASE AA-N: Security Control Name

ASSESSMENT – Base Control, Part 1 of x (where x is the number of assessment objectives)

Assessment Information from Special Publication 800-53A

This section contains the determinations and potential assessment methods and objects from Special Publication 800-53A, with a separate row for each unique determination. The numbering in the column to the left associates a unique number with each specific determination. This numbering is used to link the assessor action steps below to the determinations.

AA-N.1 Determine if:

AA-N.1.1 (i) <determination statement 1>.
...
AA-N.1.n (n) <determination statement n>.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [ASSIGN ATTRIBUTE VALUES: <depth>, <coverage>]. [SELECT FROM: <object-list>].

Interview: [ASSIGN ATTRIBUTE VALUES: <depth>, <coverage>]. [SELECT FROM: <object-list>].

Test: [ASSIGN ATTRIBUTE VALUES: <depth>, <coverage>]. [SELECT FROM: <object-list>].

Additional Assessment Case Information

This section contains the additional information provided by the assessment case to help the assessor in planning and conducting the security control assessment.

POTENTIAL ASSESSMENT SEQUENCING:

PRECURSOR CONTROLS: <security-control-list>
CONCURRENT CONTROLS: <security-control-list>
SUCCESSOR CONTROLS: <security-control-list>

This section provides some initial suggestions with regard to sequencing of assessor actions for greater efficiency. Precursor controls are those controls whose assessment is likely to provide information either assisting in, or required for, the assessment of this control. Concurrent controls are those controls whose assessment is likely to require the assessor to assess similar objects and hence, the assessor may be able to obtain evidence for multiple control assessments at the same time. Successor controls are those controls whose assessment will likely need, or benefit from, information obtained from the assessment of this control.

Action Step: Each step is numbered to align with a specific determination statement above.

Potential Assessor Evidence Gathering Actions: Suggested assessor action (Examine, Interview, or Test) is identified, along with a likely set of objects to which that action would be applied. As the title of this column indicates, each action step does not necessarily result in a determination. Rather, collectively, the set of assessor action steps aligned with a specific determination above provide the evidence necessary to make that determination.

AA-N.1.1.1 [<Assessment Method with assigned depth and coverage attribute values> <Assessment Object(s)>]
...
AA-N.1.1.m [<Assessment Method with assigned depth and coverage attribute values> <Assessment Object(s)>]

Legend

AA: Alphanumeric characters representing the security control family in Special Publication 800-53.
N: Numeric character representing the security control number within the family of controls.
n: Number of determination statements in the assessment object.
m: Number of action steps associated with a specific determination statement.
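As an added example that is not from SP 800-53A or the Assessment Case Development Project, the following turns the precursor, concurrent and successor hints of several assessment cases into an assessment order and into groups of controls whose evidence can be gathered in one pass; the MP-2 lists are the ones given in the MP-2 assessment case later in this appendix, while the other cases and the graph functions are constructed assumptions.

```python
"""Turn precursor/concurrent/successor sequencing hints into an assessment
order and into groups of controls that share evidence. Added example; the graph
functions and all cases except the MP-2 lists are constructed assumptions."""
import heapq
from collections import defaultdict


def build_graph(cases: dict):
    """Edge a -> b means 'assess a before b': precursors of c point to c and c
    points to its successors. Controls named only in a list still become nodes."""
    before, nodes = defaultdict(set), set(cases)
    for ctl, seq in cases.items():
        for p in seq.get("precursor", ()):
            before[p].add(ctl)
            nodes.add(p)
        for s in seq.get("successor", ()):
            before[ctl].add(s)
            nodes.add(s)
    return nodes, before


def assessment_order(cases: dict) -> list:
    """Kahn's algorithm with alphabetical tie-breaking so the plan is stable.
    A cycle means the hints contradict each other and is reported, not dropped."""
    nodes, before = build_graph(cases)
    indeg = {n: 0 for n in nodes}
    for a, bs in list(before.items()):
        for b in bs:
            indeg[b] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        n = heapq.heappop(ready)
        order.append(n)
        for b in before.get(n, ()):
            indeg[b] -= 1
            if indeg[b] == 0:
                heapq.heappush(ready, b)
    if len(order) != len(nodes):
        raise ValueError("cyclic sequencing hints among: "
                         + ", ".join(sorted(nodes - set(order))))
    return order


def concurrent_groups(cases: dict) -> list:
    """Controls linked directly or transitively as concurrent are likely to
    share assessment objects, so their evidence can be gathered together."""
    adj = defaultdict(set)
    for ctl, seq in cases.items():
        for c in seq.get("concurrent", ()):
            adj[ctl].add(c)
            adj[c].add(ctl)
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            group.add(n)
            stack.extend(adj[n] - seen)
        groups.append(sorted(group))
    return groups


CASES = {
    # MP-2 sequencing as given in the MP-2 assessment case in this appendix.
    "MP-2": {"precursor": ["MP-3", "MP-4", "MP-5", "MP-6"],
             "concurrent": ["AC-2", "AC-3", "AC-19", "AU-2", "AU-3", "CM-6",
                            "MP-6", "PE-2", "PE-3", "PE-7", "PE-8"],
             "successor": []},
    # The following entries are constructed for illustration only.
    "MP-6": {"precursor": ["MP-4"], "concurrent": ["MP-2"], "successor": []},
    "MP-4": {"precursor": [], "concurrent": ["PE-3"], "successor": ["MP-5"]},
}

if __name__ == "__main__":
    print(assessment_order(CASES), concurrent_groups(CASES))
```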


Cautionary Note

The assessment cases developed for this project are not the only acceptable assessment cases; rather, the cases represent one possible set of assessor actions for organizations (and assessors supporting those organizations) to use in helping to determine the effectiveness of the security controls employed within the information systems undergoing assessments. The following assessment procedure for security control AC-3 illustrates how assessment cases are developed from the template on the preceding page. The assessment cases, and any ongoing updates to the cases, will be published regularly on the FISMA Implementation Project Web site at http://csrc.nist.gov/sec-cert.


ASSESSMENT CASE EXAMPLE

ASSESSMENT CASE MP-2: Media Access

ASSESSMENT – Base Control

Assessment Information from Special Publication 800-53A

ASSESSMENT OBJECTIVE:

MP-2.1 Determine if:

MP-2.1.1 (i) the organization defines:
MP-2.1.1a - digital and non-digital media requiring restricted access;
MP-2.1.1b - individuals authorized to access the media; and
MP-2.1.1c - security measures taken to restrict access.

MP-2.1.2 (ii) the organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].

Additional Assessment Case Information

POTENTIAL ASSESSMENT SEQUENCING:

PRECURSOR CONTROLS: MP-3, MP-4, MP-5, MP-6.
CONCURRENT CONTROLS: AC-2, AC-3, AC-19, AU-2, AU-3, CM-6, MP-6, PE-2, PE-3, PE-7, PE-8.
SUCCESSOR CONTROLS: NONE.

General notes to assessor for MP-2:

The focus of this control is the organization restricting access to information system media, and not whether the media is allowed to be used (which is covered under AC-19). As indicated in the supplemental guidance for this control, this control addresses both digital and non-digital media.

Action Step / Potential Assessor Evidence Gathering Actions

MP-2.1.1a.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as the digital and non-digital media requiring restricted access.

MP-2.1.1b.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as individuals authorized to access the media identified in MP-2.1.1a.1.

MP-2.1.1c.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, or other relevant documents (e.g., system security plan) reviewing for what the organization has defined as measures to be taken for the access of media identified in MP-2.1.1a.1.


MP-2.1.2.1 Examine an agreed-upon representative sample of media access control records or other relevant records for an agreed-upon representative sample of information system media types identified in MP-2.1.1a.1; reviewing for evidence that the measures identified in MP-2.1.1c.1 are implemented as intended.

MP-2.1.2.2 Examine an agreed-upon representative sample of operations at media storage facilities and other relevant areas; observing for indication that the measures identified in MP-2.1.1c.1 are implemented as intended.

MP-2.1.2.3 Examine an agreed-upon representative sample of operations at media storage facilities and other relevant areas; inspecting for indication that the measures identified in MP-2.1.1c.1 are implemented as intended.

MP-2.1.2.4 Interview an agreed-upon representative sample of organizational personnel identified in MP-2.1.1b.1 with information system media protection responsibilities; conducting focused discussions for further evidence that the measures identified in MP-2.1.1c.1 are implemented as intended.

Note to assessor: To facilitate testing of this control, there should be an identified list of storage areas (e.g., identified in the security plan) where the system intends to apply the MP-2 control; it is assumed that such designated storage areas are those that either house large concentrations of information system media (e.g., server rooms, communication centers) or house particularly important media with regard to potential impacts if not adequately protected.

 

ASSESSMENT – Control Enhancement 1

Assessment Information from Special Publication 800-53A

ASSESSMENT OBJECTIVE:

MP-2(1).1 Determine if:

MP-2(1).1.1 (i) the organization employs automated mechanisms to restrict access to media storage areas; and

MP-2(1).1.2 (ii) the organization employs automated mechanisms to audit access attempts and access granted to media storage areas.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access restrictions to media storage areas].

Additional Assessment Case Information

POTENTIAL ASSESSMENT SEQUENCING:

PRECURSOR CONTROLS: MP-3, MP-4, MP-5, MP-6.
CONCURRENT CONTROLS: AC-2, AC-3, AC-19, AU-2, AU-3, CM-6, MP-6, PE-2, PE-3, PE-7, PE-8.
SUCCESSOR CONTROLS: NONE.

Action Step / Potential Assessor Evidence Gathering Actions

MP-2(1).1.1.1 Examine information system media protection policy and procedures, access control policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for the automated mechanisms and configuration settings to be employed to restrict access to designated media storage areas.


MP-2(1).1.1.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.1.1; reviewing for indication that the mechanisms are configured as identified in MP-2(1).1.1.1.

MP-2(1).1.1.3 Examine an agreed-upon specific sample of media storage facilities; observing for indication that the mechanisms identified in MP-2(1).1.1.1 are implemented as intended.

MP-2(1).1.1.4 Examine an agreed-upon specific sample of media storage facilities; inspecting for indication that the mechanisms identified in MP-2(1).1.1.1 are implemented as intended.

MP-2(1).1.1.5 Test an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.1.1; conducting focused testing for evidence that the mechanisms operate as intended.

MP-2(1).1.2.1 Examine information system media protection policy and procedures, audit and accountability policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for the automated mechanisms and configuration settings to be employed to audit access attempts and access granted to media access areas.

MP-2(1).1.2.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.2.1; reviewing for indication that the mechanisms are configured as identified in MP-2(1).1.2.1.

Note to assessor: Considerations for selecting the specific sample include: the selected audit and accountability policies (access attempts/access granted), how many media storage areas should be included in the sample, and how many instances of access attempts are to be examined.

MP-2(1).1.2.3 Test an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.2.1; conducting focused testing for evidence that the mechanisms operate as intended.

Note to assessor: See note for MP-2(1).1.2.2 above.

ASSESSMENT – Control Enhancement 2

Assessment Information from Special Publication 800-53A

ASSESSMENT OBJECTIVE:

MP-2(2).1 Determine if the information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; other relevant documents or records].

Test: [SELECT FROM: Cryptographic mechanisms protecting and restricting access to information system information on portable digital media].

Additional Assessment Case Information

POTENTIAL ASSESSMENT SEQUENCING:

PRECURSOR CONTROLS: NONE.
CONCURRENT CONTROLS: NONE.
SUCCESSOR CONTROLS: NONE.

Action Step / Potential Assessor Evidence Gathering Actions

MP-2(2).1.1.1 Examine information system media protection policy and procedures, audit and accountability policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for required use of the cryptographic mechanisms and the configuration settings to be employed to protect and restrict access to information on portable digital media.


MP-2(2).1.1.2 Examine documentation describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified in MP-2(1).1.2.1; reviewing for indication that the mechanisms are configured as identified in MP-2(2).1.1.1.

Note to assessor: Considerations for selecting the specific sample include: the selected audit and accountability policies (access attempts/access granted), how many media storage areas should be included in the sample, and how many instances of access attempts are to be examined.

MP-2(2).1.1.3 Test an agreed-upon specific sample of automated mechanisms identified in MP-2(2).1.1.2; conducting focused testing for evidence that the mechanisms operate as intended.

Note to assessor: See note for MP-2(2).1.1.2 above.
