Documenting The Findings From Security And Privacy Control Assessments
The primary purpose of the security and privacy assessment reports is to convey the results of the security and privacy control assessments to appropriate organizational officials. The security assessment report is included in the security authorization package along with the security plan (including an updated risk assessment) and the plan of action and milestones to provide authorizing officials with the information necessary to make risk-based decisions on whether to place an information system into operation or continue its operation. Organizations may choose to include similar privacy-related artifacts in the authorization package to convey essential information to authorizing officials. All issues associated with compliance with privacy-related legislation, directives, regulations, or policies are coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer.[49] As the assessment and authorization process becomes more dynamic in nature, relying to a greater degree on the continuous monitoring aspects of the process as an integrated and tightly coupled part of the system development life cycle, the ability to update the security and privacy assessment reports frequently becomes a critical aspect of information security and privacy programs.
It is important to emphasize the relationship, described in Special Publication 800-37, among the three key documents in the authorization package (i.e., the security plan, the security assessment report, and the plan of action and milestones). It is these documents that provide the most reliable indication of the overall security state of the information system and the ability of the system to protect, to the degree necessary, the organization’s operations and assets, individuals, other organizations, and the Nation. Updates to these key documents are provided on an ongoing basis in accordance with the continuous monitoring program established by the organization. Updates to similar privacy-related documents occur at a frequency and in a format determined by the SAOP in coordination with authorizing officials.
The security and privacy assessment reports provide a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any weaknesses or deficiencies in the security and privacy controls.[50] This appendix provides a template for reporting the results from security and privacy control assessments. Organizations are not restricted to the specific template format; however, it is anticipated that the overall report of an assessment will include similar information to that detailed in the template for each security and privacy control assessed, preceded by a summary providing the list of all security and privacy controls assessed and the overall status of each control.