
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Figure 1 illustrates an example of an assessment procedure developed to assess the effectiveness of security control CP-9. The assessment objective for CP-9 is derived from the base control statement described in NIST Special Publication 800-53, Appendix F. Potential assessment methods and objects are added to the assessment procedure.  

CP-9    INFORMATION SYSTEM BACKUP

ASSESSMENT OBJECTIVE:
Determine if the organization:

CP-9(a)  CP-9(a)[1]  defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;
         CP-9(a)[2]  conducts backups of user-level information contained in the information system with the organization-defined frequency;
CP-9(b)  CP-9(b)[1]  defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;
         CP-9(b)[2]  conducts backups of system-level information contained in the information system with the organization-defined frequency;
CP-9(c)  CP-9(c)[1]  defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;
         CP-9(c)[2]  conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and
CP-9(d)              protects the confidentiality, integrity, and availability of backup information at storage locations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [select from: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup logs or records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups].

FIGURE 1: ASSESSMENT PROCEDURE FOR SECURITY CONTROL

The assessment objectives are numbered sequentially, first in accordance with the numbering scheme in Special Publication 800-53, and subsequently, where necessary to further apportion the security or privacy control requirements to facilitate assessment, bracketed sequential numbers or letters, as opposed to parentheses, are used to make that distinction (e.g., CP-9(a), CP-9(a)[1], CP-9(a)[2], CP-9(b)[1], CP-9(b)[2], CP-9(c)[1], CP-9(c)[2], CP-9(d), etc.). The initial bracketed character is always a number. For some controls, the column with the initial control designation (e.g., CP-9, CP-9(a), CP-9(b), and CP-9(c) in Figure 1) is simply a placeholder to help facilitate apportioning the control while maintaining the formatting scheme. Although not explicitly noted with each identified assessment method in the assessment procedure, the attribute values of depth and coverage described in Appendix D are assigned by the organization and applied by the assessor/assessment team in the execution of the assessment method against an assessment object.

If the control has any enhancements (as designated by sequential parenthetical numbers, for example, CP-9 (3) for the third enhancement for CP-9), assessment objectives are developed for each enhancement using the same process as for the base control. The resulting assessment objectives are numbered sequentially in the same way as the assessment procedure for the base control, first in accordance with the numbering scheme in Special Publication 800-53, and subsequently, using bracketed sequential numbers or letters to further apportion control enhancement requirements to facilitate assessments (e.g., CP-9(3)[1], CP-9(3)[2]). Figure 2 illustrates an example of an assessment procedure developed to assess the effectiveness of the third enhancement to security control CP-9.
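As an added example (not code from this page or from NIST), the numbering scheme just described can be turned into a small parser so that a checklist of assessment objectives is validated before findings are recorded against it: each identifier is split into family, control number, optional enhancement, optional part and bracketed apportionment indices, the rule that the first bracketed index is a number is enforced, and the objectives are grouped under their base control or enhancement in scheme order. The grammar is my reading of the scheme above, and the sample identifiers in the tests are those the text itself uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar (my reading of the scheme above, not an official NIST grammar):
# family-number, optional enhancement "(3)", optional part "(a)", bracketed indices.
_ID_RE = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?"
                    r"(?:\((?P<part>[a-z])\))?(?P<brackets>(?:\[[0-9a-z]+\])*)$")

@dataclass(frozen=True)
class ObjectiveId:
    family: str
    number: int
    enhancement: Optional[int]
    part: Optional[str]
    apportionment: tuple  # bracketed indices, e.g. ("1",) for CP-9(a)[1]

    @property
    def control(self) -> str:
        """Control the objective belongs to: 'CP-9' or, for an enhancement, 'CP-9(3)'."""
        base = f"{self.family}-{self.number}"
        return base if self.enhancement is None else f"{base}({self.enhancement})"

    def __str__(self) -> str:
        part = f"({self.part})" if self.part else ""
        return self.control + part + "".join(f"[{b}]" for b in self.apportionment)

def parse_objective_id(text: str) -> ObjectiveId:
    """Parse an id such as 'CP-9(3)[2]'; the first bracketed index must be a number."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an assessment objective id: {text!r}")
    brackets = tuple(re.findall(r"\[([0-9a-z]+)\]", m.group("brackets")))
    if brackets and not brackets[0].isdigit():
        raise ValueError(f"first bracketed index must be numeric: {text!r}")
    enh = m.group("enh")
    return ObjectiveId(m.group("family"), int(m.group("number")),
                       int(enh) if enh else None, m.group("part"), brackets)

def _sort_key(o: ObjectiveId):
    # Base control before its enhancements, parts alphabetically, numeric indices before letters.
    idx = tuple((0, int(b)) if b.isdigit() else (1, b) for b in o.apportionment)
    return (o.family, o.number, o.enhancement or 0, o.part or "", idx)

def group_by_control(ids: list) -> dict:
    """Validate a checklist of objective ids and group them under their control, in scheme order."""
    grouped: dict = {}
    for o in sorted((parse_objective_id(t) for t in ids), key=_sort_key):
        grouped.setdefault(o.control, []).append(str(o))
    return grouped
```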

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056