
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CHAPTER THREE: THE REQUIREMENTS

3.3   Conducting security and privacy control assessments


After the security assessment plan or privacy assessment plan is approved by the organization, the assessor(s) or assessment team executes the plan in accordance with the agreed-upon schedule. Determining the size and organizational makeup of the assessment team (i.e., skill sets, technical expertise, and assessment experience of the individuals composing the team) is part of the risk management decisions made by the organization requesting and initiating the assessment. The results of security control assessments and privacy control assessments are documented in security assessment reports and privacy assessment reports, respectively, which are key inputs to the authorization package developed by information system owners and common control providers for authorizing officials [36]. Security assessment reports and privacy assessment reports include information from assessors (in the form of assessment findings) necessary to determine the effectiveness of the security or privacy controls employed within or inherited by the information system. These assessment reports are an important factor in an authorizing official's determination of risk. Organizations may choose to develop an assessment summary from the detailed findings that are generated by assessors during the security control assessments and privacy control assessments. An assessment summary can provide an authorizing official with an abbreviated version of an assessment report focusing on the highlights of the assessment, a synopsis of key findings, and recommendations for addressing weaknesses and deficiencies in the security or privacy controls assessed. Appendix G provides information on the recommended content of assessment reports.

Assessment objectives are achieved by applying the designated assessment methods to selected assessment objects and compiling/producing the evidence necessary to make the determination associated with each assessment objective. Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). A finding of satisfied indicates that, for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) shows that the assessment objective for the control has been met, producing a fully acceptable result. A finding of other than satisfied indicates that, for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained shows potential anomalies in the operation or implementation of the control that may need to be addressed by the organization. A finding of other than satisfied may also indicate that, for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement. For assessment findings that are other than satisfied, organizations may choose to define subcategories of findings indicating the severity and/or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Defining such subcategories can help to establish priorities for needed risk mitigation actions.

Assessor findings are an unbiased, factual reporting of what was found concerning the security or privacy control assessed. For each finding of other than satisfied, assessors indicate which parts of the security or privacy control are affected by the finding (i.e., aspects of the control that were deemed not satisfied or were not able to be assessed) and describe how the control differs from the planned or expected state. The potential for compromises to confidentiality, integrity, and availability due to other than satisfied findings is also noted by the assessor in the security or privacy assessment report. This notation reflects the lack of a specified protection and the exploitation that could occur as a result (e.g., compromise of a workstation or dataset, or root-level access). Risk determination and acceptance activities are conducted by the organization post-assessment as part of the risk management strategy established by the organization. These risk management activities involve the senior leadership of the organization including, for example, heads of agencies, mission/business owners, information owners/stewards, the risk executive (function), and authorizing officials, in consultation with appropriate organizational support staff (e.g., senior information security officers, senior agency officials for privacy/chief privacy officers, chief information officers, information system owners, common control providers, and assessors). Security control assessment and privacy control assessment results are documented at the level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational policy, NIST guidelines, and OMB policy. The reporting format is appropriate for the type of assessment conducted (e.g., self-assessments by information system owners and common control providers, independent verification and validation, independent assessments supporting the authorization process, automated assessments, or independent audits or inspections).

Information system owners and common control providers rely on the expertise and the technical judgment of assessors to: (i) assess the security and privacy controls in the information system and inherited by the system; and (ii) provide recommendations on how to correct weaknesses or deficiencies in the controls and reduce or eliminate identified vulnerabilities.

The assessment results produced by the assessor (i.e., findings of satisfied or other than satisfied, identification of the parts of the security or privacy control that did not produce a satisfactory result, and a description of the resulting potential for compromises to the information system or its environment of operation) are provided to information system owners and common control providers in the initial security assessment reports and privacy assessment reports. System owners and common control providers may choose to act on selected recommendations of the assessor before the assessment reports are finalized if there are specific opportunities to correct weaknesses or deficiencies in the security or privacy controls or to correct and/or clarify misunderstandings or interpretations of assessment results [37]. Security or privacy controls that are modified, enhanced, or added during this process are reassessed by the assessor prior to the production of the final assessment reports.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056