Reuse of assessment results from previously accepted or approved assessments is considered in the body of evidence for determining overall security or privacy control effectiveness. Previously accepted or approved assessments include: (i) those assessments of common controls that are managed by the organization and support multiple information systems; (ii) assessments of security or privacy controls that are reviewed as part of the control implementation (e.g., CP-2 requires a review of the contingency plan); or (iii) security-related information generated by the organization’s Information Security Continuous Monitoring program. The acceptability of using previous assessment results in a security control assessment or privacy control assessment is coordinated with and approved by the users of the assessment results. It is essential that information system owners and common control providers collaborate with authorizing officials and other appropriate organizational officials in determining the acceptability of using previous assessment results. When considering the reuse of previous assessment results and the value of those results to the current assessment, assessors determine: (i) the credibility of the assessment evidence; (ii) the appropriateness of previous analysis; and (iii) the applicability of the assessment evidence to current information system operating conditions. If previous assessment results are reused, the date of the original assessment and type of assessment are documented in the security assessment plan or privacy assessment plan and security assessment report or privacy assessment report. When applicable, the standardized security assessment results provided by SCAP tools may be reused by multiple parties.
It may be necessary, in certain situations, to supplement previous assessment results under consideration for reuse with additional assessment activities to fully address the assessment objectives. For example, if an independent evaluation of an information technology product did not test a particular configuration setting that is employed by the organization in an information system, then the assessor may need to supplement the original test results with additional testing to cover that configuration setting for the current information system environment. The decision to reuse assessment results is documented in the security assessment plan or privacy assessment plan and the final security assessment report or privacy assessment report, and is consistent with federal legislation, policies, directives, standards, and guidelines.
The following items are considered in validating previous assessment results for reuse:
Changing conditions associated with security controls and privacy controls over time.
Security and privacy controls that were deemed effective during previous assessments may have become ineffective due to changing conditions within the information system or its environment of operation, including emergent threat information. Assessment results that were found to be previously acceptable may no longer provide credible evidence for the determination of security or privacy control effectiveness, and therefore, a reassessment would be required. Applying previous assessment results to a current assessment necessitates the identification of any changes that have occurred since the previous assessment and the impact of these changes on the previous results. For example, reusing previous assessment results from examining an organization’s security or privacy policies and procedures may be acceptable if it is determined that there have not been any significant changes to the identified policies and procedures. Reusing assessment results produced during the previous authorization of an information system is a cost-effective method for supporting continuous monitoring activities and annual FISMA reporting requirements when the related controls have not changed, and there are adequate reasons for confidence in their continued application.
Amount of time that has transpired since previous assessments.
In general, as the time period between current and previous assessments increases, the credibility and utility of the previous assessment results decrease. This is primarily due to the fact that the information system or the environment in which the information system operates is more likely to change with the passage of time, possibly invalidating the original conditions or assumptions on which the previous assessment was based.
Degree of independence of previous assessments.
Assessor independence can be a critical factor in certain types of assessments. The degree of independence required should be consistent from assessment to assessment. For example, it is not appropriate to reuse, in a current assessment requiring a greater degree of independence, results from a previous self-assessment for which no assessor independence was required.
External information system-related considerations
The assessment procedures in Appendices F and J need to be adjusted, as appropriate, to accommodate the assessment of external information systems. Because the organization does not always have direct control over the security or privacy controls used in external information systems, or sufficient visibility into the development, implementation, and assessment of those controls, alternative assessment approaches may need to be applied, resulting in the need to tailor the assessment procedures described in Appendices F and J. Where required assurances of agreed-upon security or privacy controls within an information system, or inherited by the system, are documented in contracts or service-level agreements, assessors review these contracts or agreements and, where appropriate, tailor the assessment procedures to assess either the security or privacy controls themselves or the security control assessment or privacy control assessment results provided through these agreements. In addition, assessors take into account any other assessments that have been conducted, or are in the process of being conducted, for external information systems that are relied upon to protect the information system under assessment. Applicable information from these assessments, if deemed reliable, is incorporated into the security assessment report or privacy assessment report, as appropriate.