
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

TIP #1:  Select only those assessment procedures from Appendix F that correspond to the security controls and control enhancements in the approved security plan and that are to be included in the assessment.

TIP #2:  The assessment procedures selected from Appendix F are simply example procedures that serve as a starting point for organizations preparing for assessments. These assessment procedures are tailored as necessary, in accordance with the guidance in Section 3.2 to adapt the procedures to specific organizational requirements and operating environments.  

TIP #3:  With respect to the assessment procedures in Appendix F, assessors need apply only those procedures, methods, and objects necessary for making a final determination that a particular security control objective is satisfied or not satisfied (see Section 3.3).

TIP #4:  Assessors apply, to each assessment method, values for depth and coverage (described in Appendix D) that are commensurate with the characteristics of the information system (including assurance requirements) and the specific assessment activity that supports making a determination of the effectiveness of the security controls under review. The values selected for the depth and coverage attributes indicate the relative effort required in applying an assessment method to an assessment object (i.e., the rigor and scope of the activities associated with the assessment). The depth and coverage attributes, while not repeated in every assessment procedure in this appendix, can be represented as follows:

Interview: [assign attribute values: <depth>, <coverage>].

[select from: Organizational personnel with contingency planning and plan implementation responsibilities].

TIP #5:  Assessors may find useful assessment-related information in the Supplemental Guidance section of each security control described in Special Publication 800-53. This information can be used to carry out more effective assessments with regard to the application of assessment procedures.

Note:  When assessing agency compliance with NIST guidance, auditors, Inspectors General, evaluators, and/or assessors consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.

Cautionary Note

Whereas a set of potential assessment methods has been included in the following catalog of assessment procedures, these methods are not intended to be mandatory or exclusive. Depending on the particular circumstances of the information system or organization to be assessed, not all methods may be required, and other assessment methods may also be used. In addition, the set of potential assessment objects listed in the catalog is not intended to be mandatory, but rather a set from which the necessary and sufficient objects for a given assessment can be selected to make the appropriate determinations.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056