
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Each determination statement executed by an assessor results in one of two findings: (i) satisfied (S); or (ii) other than satisfied (O). Consider the following example for security control CP-3 (Contingency Training). The assessor executes the assessment procedure for CP-3 and produces the following findings:

CP-3    CONTINGENCY TRAINING

Assessment objective:

Determine if the organization provides contingency training to information system users consistent with assigned roles and responsibilities:

CP-3(a)
    CP-3(a)[1]  within the organization-defined time period of assuming a contingency role or responsibility; (S)
    CP-3(a)[2]  defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility; (S)

CP-3(b)
    when required by information system changes; (O)

CP-3(c)
    CP-3(c)[1]  thereafter, in accordance with the organization-defined frequency; (S)
    CP-3(c)[2]  defines the frequency for contingency training. (S)

Comments and Recommendations:

CP-3(b) is marked as other than satisfied because the assessors could not find evidence that the organization provided contingency training to information system users, consistent with their assigned roles and responsibilities, when there were significant changes to the system. A finding of other than satisfied records only that the required evidence was not produced for that determination statement; the remaining statements for CP-3 stand on their own findings.

During an actual security and privacy control assessment, the assessment findings, comments, and recommendations are documented on appropriate organization-defined reporting forms. Organizations are encouraged to develop standard templates for reporting that contain the key elements for assessment reporting described above. Whenever possible, automation is used to make assessment data collection and reporting cost-effective, timely, and efficient.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056