Objectives, Methods, And Objects For Assessing Security Controls
This appendix provides a catalog of procedures to assess the security controls and control enhancements in Special Publication 800-53. Assessors select assessment procedures from the catalog in accordance with the guidance provided in Section 3.2. Since the contents of the security plan affect the development of the security assessment plan and the assessment, there will likely be assessment procedures in the catalog that assessors will not use because: (i) the associated security controls or control enhancements are not contained in the security plan for the information system; or (ii) the security controls or control enhancements are not being assessed at this particular time.
Assessment objectives are numbered sequentially, first in accordance with the numbering scheme in Special Publication 800-53, and subsequently, where necessary to further apportion the security control requirements to facilitate assessment, bracketed sequential numbers or letters, as opposed to parentheses, are used to make that distinction (e.g., CP-9(a), CP-9(a), CP-9(a), etc.).
• The initial bracketed character is always a number.
• For some security controls, the column with the initial control designation (e.g., CP-9, CP-9(a)) is simply a placeholder to help facilitate apportioning the control while maintaining the formatting scheme.
• Although not explicitly noted with each identified assessment method in the assessment procedure, the attribute values of depth and coverage described in Appendix D are typically assigned by the organization and applied by the assessor or assessment team in the execution of the assessment method against an assessment object.
• If the security control has any enhancements (as designated by sequential parenthetical numbers, for example, CP-9(3) for the third enhancement to CP-9), assessment objectives are numbered sequentially in the same way as the assessment procedure for the base control, first in accordance with the numbering scheme in Special Publication 800-53, and subsequently, using bracketed sequential numbers or letters to further apportion control enhancement requirements to facilitate assessments (e.g., CP-9(3), CP-9(3)).
The same assessment object may appear in multiple object lists in a variety of assessment procedures. The same object may be used in multiple contexts to obtain needed information or evidence for a particular aspect of an assessment. Assessors use the general references as appropriate to obtain the necessary information to make the specified determinations required by the assessment objective. For example, a reference to access control policy appears in the assessment procedures for AC-2 and AC-7. For assessment procedure AC-2, assessors use the access control policy to find information about that portion of the policy that addresses account management for the information system. For assessment procedure AC-7, assessors use the access control policy to find information about that portion of the policy that addresses unsuccessful login attempts for the information system.
Assessors are responsible for combining and consolidating the assessment procedures whenever possible or practical. Optimizing assessment procedures can save time, reduce assessment costs, and maximize the usefulness of assessment results. Assessors optimize assessment procedures by determining the best sequencing of the procedures. The assessment of some security controls before others may provide information that facilitates understanding and assessment of other controls.