Conducting security control assessments and privacy control assessments in today’s complex environment of sophisticated information technology infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires the cooperation and collaboration among all parties having a vested interest in the organization’s information security or privacy posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, chief executive officers/heads of agencies, security and privacy staffs, Inspectors General, and OMB. Establishing an appropriate set of expectations before, during, and after an assessment is paramount to achieving an acceptable outcome—that is, producing information necessary to help the authorizing official make a credible, risk-based decision on whether to place the information system into operation or continue its operation.

Thorough preparation by the organization and the assessors is an important aspect of conducting effective security control assessments and privacy control assessments. Preparatory activities address a range of issues relating to the cost, schedule, and performance of the assessment. From the organizational perspective, preparing for a security or privacy control assessment includes the following key activities:

•Ensuring that appropriate policies covering security and privacy control assessments, respectively, are in place and understood by all affected organizational elements;

•Ensuring that all steps in the RMF22 prior to the security or privacy control assessment step, have been successfully completed and received appropriate management oversight;23

•Establishing the objective and scope of assessments (i.e., the purpose of the assessments and what is being assessed);

•Ensuring that security and privacy controls identified as common controls (and the common portion of hybrid controls) have been assigned to appropriate organizational entities (i.e., common control providers) for development and implementation;24

•Notifying key organizational officials of impending assessments and allocating necessary resources to carry out the assessments;

•Establishing appropriate communication channels among organizational officials having an interest in the assessments;25

•Establishing time frames for completing the assessments and key milestone decision points required by the organization to effectively manage the assessments;

•Identifying and selecting competent assessors/assessment teams that will be responsible for conducting the assessments, considering issues of assessor independence;

•Collecting artifacts to provide to the assessors/assessment teams (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results, legal requirements); and

•Establishing a mechanism between the organization and the assessors and/or assessment teams to minimize ambiguities or misunderstandings about the implementation of security or privacy controls and security/privacy control weaknesses/deficiencies identified during the assessments.

Security and privacy control assessors/assessment teams begin preparing for their respective assessments by:

•Obtaining a general understanding of the organization’s operations (including mission, functions, and business processes) and how the information system that is the subject of the particular assessment supports those organizational operations;

•Obtaining an understanding of the structure of the information system (i.e., system architecture) and the security or privacy controls being assessed (including system-specific, hybrid, and common controls);

•Identifying the organizational entities responsible for the development and implementation of the common controls (or the common portion of hybrid controls) supporting the information system;

•Meeting with appropriate organizational officials to ensure common understanding for assessment objectives and the proposed rigor and scope of the assessment;

•Obtaining artifacts needed for the assessment (e.g., policies, procedures, plans, specifications, designs, records, administrator and operator manuals, information system documentation, interconnection agreements, previous assessment results);

•Establishing appropriate organizational points of contact needed to carry out the assessments;

•Obtaining previous assessment results that may be appropriately reused for the current assessment (e.g., Inspector General reports, audits, vulnerability scans, physical security inspections, prior security or privacy assessments, developmental testing and evaluation, vendor flaw remediation activities, ISO/IEC 15408 [Common Criteria] evaluations); and

•Developing security and privacy assessment plans which may be integrated into one plan or developed separately.

In preparation for the assessment of security or privacy controls, the necessary background information is assembled and made available to the assessors or assessment team.26 To the extent necessary to support the specific assessment, and depending upon whether security controls or privacy controls are being assessed, the organization identifies and arranges access to: (i) elements of the organization responsible for developing, documenting, disseminating, reviewing, and updating all security or privacy policies and associated procedures for implementing policy-compliant controls; (ii) the security or privacy policies for the information system and any associated implementing procedures; (iii) individuals or groups responsible for the development, implementation, operation, and maintenance of security or privacy controls; (iv) any materials (e.g., security or privacy plans, records, schedules, assessment reports, after-action reports, agreements, authorization packages) associated with the implementation and operation of the security or privacy controls to be assessed; and (v) the specific objects to be assessed.27 The availability of essential documentation as well as access to key organizational personnel and the information system being assessed are paramount to a successful assessment.

Organizations consider both the technical expertise and level of independence required in selecting security or privacy control assessors. Organizations ensure that assessors possess the required skills and technical expertise to successfully carry out assessments of system-specific, hybrid, and common controls.28 This includes knowledge of and experience with the specific hardware, software, and firmware components employed by the organization. An independent assessor is any individual capable of conducting an impartial assessment of security and privacy controls employed within or inherited by an information system. Impartiality implies that security control assessors and privacy control assessors are free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security or privacy control effectiveness.29 The authorizing official or designated representative determines the required level of independence for assessors based on the results of the security categorization process for the information system (in the case of security control assessments) and the risk to organizational operations and assets, individuals, other organizations, and the Nation. The authorizing official determines if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a risk-based decision on whether to place the information system into operation or continue its operation.

Independent security and privacy control assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization. In special situations, for example when the organization that owns the information system is small or the organizational structure requires that the security or privacy control assessment be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner, independence in the assessment process can be achieved by ensuring that the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency, and veracity of the results.30