The security controls implemented and documented in the previous steps are essential components for conducting an effective assessment.86 The security controls assessment step in the NIST RMF (Step 4) involves the preparation, execution, and reporting of the security controls' effectiveness in the information system. This section summarizes the assessment-related tasks in Table 5.8. The assessment tasks depend on the close collaboration and cooperation of the security assessor87 and the organization to ensure that an appropriate level of depth88 and coverage89 is applied when evaluating the effectiveness of the security controls against the organization's identified assurance requirements.90
85From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. "Developmental testing and evaluation activities include, for example, design and code reviews, application scanning, and regression testing."
86From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "Partial assessments of security controls can be conducted in the initial phases of the system development life cycle to promote early detection of weaknesses and deficiencies and a more cost-effective approach to risk mitigation."
87From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "The individual, group, or organization responsible for conducting a security control assessment."
88From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method."
89From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "An attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (e.g. types of objects to be assessed and the number of objects to be assessed by type)."
144 CHAPTER 5 Applying the NIST Risk Management Framework
Assessment Preparation
Prior to beginning the assessment activities, expectations should be appropriately set through the development of a security assessment plan. Preparatory activities should be planned together, by the organization undergoing the assessment and the provider conducting the assessment, to limit any unexpected issues and to gain a clear understanding of the level of effort required. Figure 5.12 provides an example list of preparatory activities that guide the completion of the assessment plan. In addition, the organization should also provide the security assessor with the following types of information:
• Organizational chart (or description of organizational personnel responsible for security policies and procedures);
• Policies and procedures that relate to the information system;
• Organizational chart (or description of organizational personnel responsible for security control implementation); and
• Artifacts, where available, that provide an understanding of security controls such as the security plan, risk assessment, continuous monitoring plan, plan of action and milestones (POA&Ms), accreditation decision letter (if already under an existing accreditation), privacy impact assessment (PIA), contingency plan, configuration management plan, security configuration checklists, and/or system interconnection agreements (ISA, MOU, contracts, etc.).
FIGURE 5.12 Security Controls Assessment Process [17]
Table 5.8 NIST RMF Step 4 Activities [3]
Task 4-1: Assessment preparation
  Activities:
  • Develop, review, and approve a plan to assess the security controls
  References: NIST SP 800-53A
Task 4-2: Security control assessment
  Activities:
  • Assess the security controls in accordance with the assessment procedures defined in the security assessment plan
  References: NIST SP 800-53A
Task 4-3: Security assessment report
  Activities:
  • Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment
  References: NIST SP 800-53A
Task 4-4: Remediation actions
  Activities:
  • Conduct the initial remediation actions on security controls based on the findings and recommendations of the security assessment report
  • Reassess remediated control(s), as appropriate
  References: NIST SP 800-30; NIST SP 800-53A
90From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. "Assurance requirements address the quality of the design, development, and implementation of the security functions in the information system."
145 NIST RMF Process
Security Assessment Plan
Planning activities are critical for the success of the security assessment. The security assessment plan (SAP),91 developed by the security assessor, should be reviewed and approved by the organization based on an agreement of what is in scope for the assessment. Similar to Step 2, where the organization selects, tailors, and supplements the security controls to be implemented, the security assessor should perform the analogous activities of selecting, tailoring, and supplementing the assessment procedures so that they address the organization's specific assurance requirements.
91From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "The security assessment plan provides the objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment."
TIP
Select, Tailor, Customize, Optimize
As a guide, and to improve the effectiveness of assessment execution, an assessor should seek ways to save time and money when conducting assessments through the following steps [17]:
• Select assessment methods92 and objects that match the assurance requirements.
• Select the appropriate depth and coverage attributes.93
• Identify common controls to reduce redundancy and duplication of effort.
• Customize security-specific assessment procedures to closely match the operating environment (using the supplemental guidance in the NIST Security Controls Catalog to establish the intent of each security control).
• Identify assessment results that can be reused from previous assessments, or obtained more efficiently by sequencing the activities of the current assessment.
• Adjust assessment procedures to accommodate external service providers based on contracts or service level agreements.
• Develop assessment procedures94 for custom security controls.
• Identify areas where assessment procedures can be combined and consolidated to maximize cost savings without compromising quality.
92Examine, interview, and test.
93Basic, focused, and comprehensive.
94In situations where security controls not included in the Security Control Catalog (NIST Special Publication (SP) 800-53, Appendix F) were included in the security control baseline, the assessor may have to develop custom security assessment procedures. In these situations, NIST Special Publication (SP) 800-53A can be used as a guide.
Assessing Security Controls
Conducting security assessments,95 which will be discussed in more detail in later chapters, is described briefly in this section. Execution of the security assessment is organized and carried out primarily by the security assessor, with the organization's support, and the assessor's key focus is on making the assurance case.96
When conducting the security assessment, the security assessor needs to obtain evidence97 that supports an objective determination of security control effectiveness, based on the criteria (i.e., expected input, behavior, and outcome) identified in the assessment procedures. Since the key focus is on making the assurance case, the evidence should come directly from the information system or operating environment, or from a third-party evaluation of the product or technology such as a Common Criteria evaluation.98 In addition, automated tools and techniques can improve the quality of the security assessment by increasing the sample size and coverage of the assessment objects examined.
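The following is an added example (it is not code from the book or from NIST) of how automated evidence collection turns into assessment findings of the kind described above. It assumes a hypothetical assessment procedure with two determination statements about the SSH daemon configuration on sampled hosts; the determination identifiers, the host names, the population size, and the sshd_config excerpts are all constructed for the example. Each determination statement is answered against every assessment object in the sample, the result is recorded as "satisfied" or "other than satisfied" (the finding vocabulary of NIST SP 800-53A), and the coverage actually achieved is reported alongside.

```python
"""Automated "examine" evidence collection for a control assessment.

Added example, not from the book. The determinations, hosts, population
size, and configuration excerpts below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed evidence: sshd_config excerpts collected from four sampled hosts.
EVIDENCE = {
    "web-01": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "web-02": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "db-01": "Port 22\n# PermitRootLogin no\nPasswordAuthentication yes\n",
    "db-02": "Port 2222\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n",
}
POPULATION = 10  # hypothetical: hosts in the system inventory; four were sampled


@dataclass(frozen=True)
class Determination:
    ident: str          # hypothetical label for the determination statement
    statement: str      # the statement the assessor must answer for each object
    keyword: str        # sshd_config directive that is the assessment object
    allowed: frozenset  # observed values judged to satisfy the statement


@dataclass
class Finding:
    ident: str
    statement: str
    objects_assessed: list
    other_than_satisfied: dict  # host -> observed value (None = not set)
    status: str                 # "satisfied" or "other than satisfied"


DETERMINATIONS = [
    Determination("D-1", "direct root login over SSH is disabled",
                  "PermitRootLogin", frozenset({"no", "prohibit-password"})),
    Determination("D-2", "SSH password authentication is disabled",
                  "PasswordAuthentication", frozenset({"no"})),
]


def effective_value(config, keyword):
    """Return the value of the first active (non-comment) `keyword` directive.

    Returns None when the directive is absent or commented out.
    """
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def assess(determinations, evidence):
    """Answer every determination statement against every sampled object."""
    findings = []
    for det in determinations:
        failures = {}
        for host, config in sorted(evidence.items()):
            value = effective_value(config, det.keyword)
            # An absent or commented-out directive is recorded as other than
            # satisfied: the assessor does not rely on daemon defaults as evidence.
            if value is None or value.lower() not in det.allowed:
                failures[host] = value
        status = "satisfied" if not failures else "other than satisfied"
        findings.append(Finding(det.ident, det.statement, sorted(evidence),
                                failures, status))
    return findings


def coverage(evidence, population):
    """Fraction of the assessment-object population actually examined."""
    return len(evidence) / population


if __name__ == "__main__":
    for f in assess(DETERMINATIONS, EVIDENCE):
        print(f"{f.ident}: {f.status} "
              f"({len(f.other_than_satisfied)}/{len(f.objects_assessed)} objects other than satisfied)")
        for host, value in f.other_than_satisfied.items():
            print(f"    {host}: {f.statement}; observed {value!r}")
    print(f"coverage: {coverage(EVIDENCE, POPULATION):.0%} of {POPULATION} hosts")
```

The per-object results and the coverage figure are exactly what the security assessment report needs to carry: the authorizing official can see not only that a determination was other than satisfied, but on which objects, and how much of the population the conclusion actually rests on. Raising the sample size with automation tightens that last number without changing the procedure.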
Reporting Assessment Results
Reporting on the security control assessment results, including any issues, weaknesses and deficiencies, and recommendations, is performed through the security assessment report (SAR).99 The SAR works together with the security plan (including the risk assessment) and POA&Ms to provide an overall picture of the security state and risk posture of the information system. The specific reporting format for security assessment results is organizationally dependent, but it should provide enough detail to enable the authorizing official to make a credible, risk-based decision. In addition to findings, the SAR also includes key recommendations for addressing the findings.100 Evidence produced during the security assessment should be retained by the organization for reuse in future security assessment-related activities, whether it is consumed manually or by automated tooling.101
95From Joint Task Force Transformation Initiative, NIST Special Publication (SP) 800-53A Revision 1, Guide for Assessing the Security Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2010. "Security control assessments determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system."
96From US Department of Homeland Security, National Cyber Security Division (NCSD), Strategic Initiatives Branch [Internet]. Washington: US Department of Homeland Security [cited 2011 Dec 17]. Available from: https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/assurance/643-BSI.html. "An assurance case is a body of evidence organized into an argument demonstrating that some claim about a system holds, i.e. is assured."
97Supporting information about the claims of security controls implemented within the information system.
98For more information on the Common Criteria Evaluation and Validation Scheme (CCEVS), see http://www.niap-ccevs.org/.
99The security assessment report is one component of the security authorization package that is used by the authorizing official to make an authorization decision.
100Depending on when the security assessment was performed in the SDLC (e.g., during development or test), initial reports of "delta" findings could be resolved during development of the information system.