Information Security Management Systems
Implementations and Assessments for Compliance
Security control assessments and privacy control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, such assessments are the principal vehicle used to verify that implemented security controls and privacy controls are meeting their stated goals and objectives.
Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments and privacy control assessments conducted within an effective risk management framework. The control assessment results provide organizational officials with:
• Evidence about the effectiveness of implemented controls;
• An indication of the quality of the risk management processes employed within the organization; and
• Information about the strengths and weaknesses of the information systems supporting organizational missions and business functions in a global environment of sophisticated and changing threats.
The findings produced by assessors are used to determine the overall effectiveness of security and privacy controls associated with information systems (including system-specific, common, and hybrid controls) and their environments of operation and to provide credible and meaningful inputs to the organization’s risk management process. A well-executed assessment helps to: (i) determine the validity of the controls contained in the organization’s security plans and privacy plans and subsequently employed in organizational information systems and environments of operation; and (ii) facilitate a cost-effective approach to correcting weaknesses or deficiencies in systems in an orderly and disciplined manner consistent with organizational mission/business needs.
• Special Publication 800-53A is a companion guideline to Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Each publication provides guidance for implementing specific steps in the Risk Management Framework (RMF).
• Special Publication 800-53 covers Step 2 in the RMF, security and privacy control selection (i.e., determining what controls are needed to manage risks to organizational operations and assets, individuals, other organizations, and the Nation).
• Special Publication 800-53A covers RMF Step 4, Assess, and RMF Step 6, Monitor, and provides guidance on the security assessment and privacy assessment processes. This guidance includes how to build effective assessment plans and how to analyze and manage assessment results.
• Special Publication 800-53A allows organizations to tailor the basic assessment procedures provided. The concepts of tailoring used in this document are similar to the concepts described in Special Publication 800-53. Tailoring involves customizing the assessment procedures to more closely match the characteristics of the information system and its environment of operation. The tailoring process gives organizations the flexibility needed to avoid assessment approaches that are unnecessarily complex or costly while simultaneously meeting the assessment requirements established by applying the fundamental concepts in the RMF. Tailoring can also include adding assessment procedures or assessment details to adequately meet the risk management needs of the organization (e.g., adding system/platform-specific information for selected controls). Tailoring decisions are left to the discretion of the organization in order to maximize the flexibility in developing assessment plans, applying the results of risk assessments to determine the extent, rigor, and level of intensity of the assessments.
While flexibility continues to be an important factor in developing security assessment plans and privacy assessment plans, consistency of assessments is also an important consideration. A major design objective for Special Publication 800-53A is to provide an assessment framework and initial starting point for assessment procedures that are essential for achieving such consistency.
NIST initiated the Security Content Automation Protocol (SCAP) project, which supports this approach to achieving consistent, cost-effective security control assessments. The primary purpose of SCAP is to standardize the format and nomenclature used for communicating information about configurations and security flaws. This standardization enables automated system configuration assessment, vulnerability assessment, and patch checking, as well as report aggregation and interoperability between SCAP-enabled security products. As a result, SCAP enables organizations to identify and reduce vulnerabilities associated with products that are unpatched or insecurely configured. SCAP also includes the Open Checklist Interactive Language (OCIL) specification, which provides the capability to express the determination statements in the assessment procedures in Appendix F in a framework that establishes interoperability with SCAP-enabled tools.
Privacy control assessments are discussed separately in Appendix J to this publication.