Doc:NIST SP 800-53Ar1 FPD Chapter 2
BASIC CONCEPTS ASSOCIATED WITH SECURITY CONTROL ASSESSMENTS
This chapter describes the basic concepts associated with assessing the security controls in organizational information systems including: (i) the integration of assessments into the system development life cycle; (ii) the importance of an organization-wide strategy for conducting security control assessments; (iii) the development of effective assurance cases to help increase the grounds for confidence in the effectiveness of the security controls; and (iv) the format and content of assessment procedures.
2.1 ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE
Security assessments can be effectively carried out at various stages in the system development life cycle to increase the grounds for confidence that the security controls employed within or inherited by an information system are effective in their application. This publication provides a comprehensive set of assessment procedures to support security assessment activities throughout the system development life cycle. For example, security assessments are routinely conducted by information system developers and system integrators during the development/acquisition phase of the life cycle to help ensure that the required security controls for the system are properly designed/developed, correctly implemented, and consistent with the established organizational information security architecture. Assessment activities in the initial system development life cycle phases include, for example, design and code reviews, application scanning, and regression testing. Security weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle. The objective is to identify the information security architecture and security controls up front and to ensure that the system design and testing validate the implementation of these controls. The assessment procedures described in Appendix F can support these types of assessments carried out during the initial stages of the system development life cycle.
Security assessments are also routinely conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General during the operations and maintenance phase of the life cycle to ensure that security controls are effective and continue to be effective in the operational environment where the system is deployed. For example, organizations assess all security controls employed within and inherited by the information system during the initial security authorization. Subsequent to the initial authorization, the organization assesses the security controls (including management, operational, and technical controls) on an ongoing basis. The selection of the appropriate security controls to monitor and the frequency of such monitoring are based on the monitoring strategy developed by the information system owner or common control provider and approved by the authorizing official and senior information security officer. Finally, at the end of the life cycle, security assessments are conducted as part of ensuring that important organizational information is purged from the information system prior to disposal.
2.2 STRATEGY FOR CONDUCTING SECURITY CONTROL ASSESSMENTS
Organizations are encouraged to develop a broad-based, organization-wide strategy for conducting security assessments, facilitating more cost-effective and consistent assessments across the inventory of information systems. An organization-wide strategy begins by applying the initial steps of the Risk Management Framework to all information systems within the organization, with an organizational view of the security categorization process and the security control selection process (including the identification of common controls). Categorizing information systems as an organization-wide activity taking into consideration the enterprise architecture and the information security architecture helps to ensure that the individual systems are categorized based on the mission and business objectives of the organization. Maximizing the number of common controls employed within an organization: (i) significantly reduces the cost of development, implementation, and assessment of security controls; (ii) allows organizations to centralize security control assessments and to amortize the cost of those assessments across all information systems organization-wide; and (iii) increases overall security control consistency. An organization-wide approach to identifying common controls early in the application of the RMF facilitates a more global strategy for assessing those controls and sharing essential assessment results with information system owners and authorizing officials. The sharing of assessment results among key organizational officials across information system boundaries has many important benefits including:
- Providing the capability to review assessment results for all information systems and to make organization-wide, mission/business-related decisions on risk mitigation activities according to organizational priorities, the security categorization of the information systems supporting the organization, and risk assessments;
- Providing a more global view of systemic weaknesses and deficiencies occurring in information systems across the organization;
- Providing an opportunity to develop organization-wide solutions to information security problems; and
- Increasing the organization's knowledge base regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common information security problems.
Figure 1 illustrates the relationship among the independent information system assessments and the overall determination and acceptance of mission/business risk by the organization.
Organizations can also promote a more focused and cost-effective assessment process by: (i) developing more specific assessment procedures that are tailored for their specific organizational environments of operation and requirements (instead of relegating these tasks to each security control assessor or assessment team); and (ii) providing organization-wide tools, templates, and techniques to support more consistent assessments throughout the organization.
While the conduct of security control assessments is the primary responsibility of information system owners and common control providers with oversight by their respective authorizing officials, there is also significant involvement in the assessment process by other parties within the organization who have a vested interest in the outcome of assessments. Other interested parties include, for example, mission/business owners, information owners/stewards (when those roles are filled by someone other than the information system owner), information security officials, and the risk executive (function). It is imperative that information system owners and common control providers coordinate with the other parties in the organization having an interest in security control assessments to help ensure that the organization's core missions and business functions are adequately addressed in the selection of security controls to be assessed.
2.3 BUILDING AN EFFECTIVE ASSURANCE CASE
Building an effective assurance case for security control effectiveness is a process that involves: (i) compiling evidence that the controls employed in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system; and (ii) presenting this evidence in a manner that decision makers are able to use effectively in making risk-based decisions about the operation or use of the system. The evidence described above comes from the implementation of the security controls in the information system and inherited by the system (i.e., common controls) and from the assessments of that implementation. Ideally, the assessor is building on previously developed materials that started with the specification of the organization's information security needs and were further developed during the design, development, and implementation of the information system. These materials, developed while implementing security throughout the life cycle of the information system, provide the initial evidence for an assurance case.
Assessors obtain the required evidence during the assessment process to allow the appropriate organizational officials to make objective determinations about the effectiveness of the security controls and the overall security state of the information system. The assessment evidence needed to make such determinations can be obtained from a variety of sources including, but not limited to, information technology product and system assessments. Product assessments (also known as product testing, evaluation, and validation) are typically conducted by independent, third-party testing organizations. These assessments examine the security functions of products and established configuration settings. Assessments can be conducted against industry, national, or international information security standards as well as developer/vendor claims. Since many information technology products are assessed by commercial testing organizations and then subsequently deployed in millions of information systems, these types of assessments can be carried out at a greater level of depth and provide deeper insights into the security capabilities of the particular products.
System assessments are typically conducted by information systems developers, systems integrators, information system owners, common control providers, assessors, auditors, Inspectors General, and the information security staffs of organizations. The assessors or assessment teams bring together available information about the information system such as the results from individual component product assessments, if available, and conduct additional system-level assessments using a variety of methods and techniques. System assessments are used to compile and evaluate the evidence needed by organizational officials to determine how effective the security controls employed in the information system are likely to be in mitigating risks to organizational operations and assets, to individuals, to other organizations, and to the Nation. The results from assessments conducted using information system-specific and organization-specific assessment procedures derived from the guidelines in this publication contribute to compiling the necessary evidence to determine security control effectiveness in accordance with the assurance requirements documented in the security plan.
2.4 ASSESSMENT PROCEDURES
An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the security control under assessment. The determination statements are linked to the content of the security control (i.e., the security control functionality) to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security control produces assessment findings. These findings reflect, or are subsequently used to help determine, the overall effectiveness of the security control.
Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within an information system. Activities are the specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.
Assessment methods define the nature of the assessor actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals within an organization, again to facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results are used in making the specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure. A complete description of assessment methods and assessment objects is provided in Appendix D.
The assessment methods have a set of associated attributes, depth and coverage, which help define the level of effort for the assessment. These attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurances that may be needed for some information systems. The depth attribute addresses the rigor of and level of detail in the examination, interview, and testing processes. Values for the depth attribute include basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes, including the number and type of specifications, mechanisms, and activities to be examined or tested and the number and types of individuals to be interviewed. Similar to the depth attribute, values for the coverage attribute include basic, focused, and comprehensive. The appropriate depth and coverage attribute values for a particular assessment method are based on the assurance requirements defined in Special Publication 800-53. Thus, as assurance requirements increase with regard to the development, implementation, and operation of security controls within or inherited by the information system, the rigor and scope of the assessment activities (as reflected in the selection of assessment methods and objects and the assignment of depth and coverage attribute values) tend to increase as well. Appendix D provides a detailed description of assessment method attributes and attribute values.
AN EXAMPLE ASSESSMENT PROCEDURE
Security control CP-2 is defined in Special Publication 800-53 as follows:
Control: The organization:
CP-2.1 ASSESSMENT OBJECTIVE:
In a similar manner, the second assessment objective and potential assessment methods and objects for CP-2 are established.
CP-2.2 ASSESSMENT OBJECTIVE:
The assessment objectives within a particular assessment procedure are numbered sequentially (e.g., CP-2.1,…, CP-2.n). If the security control has any enhancements, assessment objectives are developed for each enhancement using the same process as for the base control. The resulting assessment objectives within the assessment procedure are numbered sequentially (e.g., CP-2(1).1 indicating the first assessment objective for the first enhancement for security control CP-2).
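The structure described in Section 2.4 (objectives made of determination statements, methods applied to objects, the method-to-object pairing, hierarchical depth and coverage values, and the CP-2.n / CP-2(k).n numbering) can be made concrete as a small data model that checks an assessment procedure for well-formedness before it is used. The following is an added Python example written for this page; it is not code from NIST or from SP 800-53A. The class and function names, the validate and meets_assurance helpers, and the determination text inside sample_procedure are assumptions and constructed placeholders, not quotations of the CP-2 control; only the method/object pairing, the attribute values, and the numbering scheme are taken from the text above.

```python
"""Model of an SP 800-53A assessment procedure (added example, not NIST code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    EXAMINE = "examine"
    INTERVIEW = "interview"
    TEST = "test"


class ObjectKind(Enum):
    SPECIFICATION = "specification"
    MECHANISM = "mechanism"
    ACTIVITY = "activity"
    INDIVIDUAL = "individual"


# Object kinds each method may be applied to, as stated in Section 2.4:
# examine -> specifications, mechanisms, activities; interview -> individuals;
# test -> mechanisms, activities.
VALID_OBJECTS = {
    Method.EXAMINE: {ObjectKind.SPECIFICATION, ObjectKind.MECHANISM, ObjectKind.ACTIVITY},
    Method.INTERVIEW: {ObjectKind.INDIVIDUAL},
    Method.TEST: {ObjectKind.MECHANISM, ObjectKind.ACTIVITY},
}

# Depth and coverage are hierarchical; tuple position gives the ordering.
LEVELS = ("basic", "focused", "comprehensive")


@dataclass
class AssessmentObject:
    kind: ObjectKind
    name: str                      # e.g. "contingency plan" (assumed label)


@dataclass
class MethodApplication:
    method: Method
    objects: list[AssessmentObject]
    depth: str = "basic"
    coverage: str = "basic"


@dataclass
class Objective:
    ident: str                     # "CP-2.1" or "CP-2(1).1"
    determinations: list[str]      # determination statements
    methods: list[MethodApplication] = field(default_factory=list)


@dataclass
class Procedure:
    control_id: str
    objectives: list[Objective] = field(default_factory=list)


def objective_id(control_id: str, n: int, enhancement: int | None = None) -> str:
    """CP-2.n for the base control, CP-2(k).n for the k-th enhancement."""
    if n < 1 or (enhancement is not None and enhancement < 1):
        raise ValueError("objective and enhancement numbers start at 1")
    prefix = control_id if enhancement is None else f"{control_id}({enhancement})"
    return f"{prefix}.{n}"


def build_procedure(control_id: str, base, enhancements=()) -> Procedure:
    """Number objectives sequentially: first the base control, then each enhancement.

    base: one list of determination statements per objective.
    enhancements: one such list of objectives per enhancement, in enhancement order.
    """
    proc = Procedure(control_id)
    for n, dets in enumerate(base, start=1):
        proc.objectives.append(Objective(objective_id(control_id, n), list(dets)))
    for k, enh in enumerate(enhancements, start=1):
        for n, dets in enumerate(enh, start=1):
            proc.objectives.append(Objective(objective_id(control_id, n, k), list(dets)))
    return proc


def validate(proc: Procedure) -> list[str]:
    """Return a list of problems; an empty list means the procedure is well-formed."""
    problems: list[str] = []
    for obj in proc.objectives:
        if not obj.determinations:
            problems.append(f"{obj.ident}: no determination statements")
        if not obj.methods:
            problems.append(f"{obj.ident}: no assessment methods")
        for app in obj.methods:
            for lvl in (app.depth, app.coverage):
                if lvl not in LEVELS:
                    problems.append(f"{obj.ident}: unknown attribute value {lvl!r}")
            for o in app.objects:
                if o.kind not in VALID_OBJECTS[app.method]:
                    problems.append(f"{obj.ident}: {app.method.value} cannot be applied "
                                    f"to {o.kind.value} {o.name!r}")
    return problems


def meets_assurance(app: MethodApplication, min_depth: str, min_coverage: str) -> bool:
    """Hierarchical check: comprehensive satisfies focused, focused satisfies basic."""
    return (LEVELS.index(app.depth) >= LEVELS.index(min_depth)
            and LEVELS.index(app.coverage) >= LEVELS.index(min_coverage))


def sample_procedure() -> Procedure:
    """Constructed sample shaped like the CP-2 example: two base objectives and one
    enhancement objective. The determination wording is a placeholder, not SP 800-53A text."""
    proc = build_procedure(
        "CP-2",
        base=[["a contingency plan is developed for the system (placeholder)"],
              ["the plan is distributed to contingency personnel (placeholder)"]],
        enhancements=[[["the plan is coordinated with related plans (placeholder)"]]],
    )
    plan = AssessmentObject(ObjectKind.SPECIFICATION, "contingency plan")
    staff = AssessmentObject(ObjectKind.INDIVIDUAL, "contingency planning staff")
    drill = AssessmentObject(ObjectKind.ACTIVITY, "contingency plan exercise")
    proc.objectives[0].methods = [MethodApplication(Method.EXAMINE, [plan], "focused", "focused"),
                                  MethodApplication(Method.INTERVIEW, [staff])]
    proc.objectives[1].methods = [MethodApplication(Method.EXAMINE, [plan])]
    proc.objectives[2].methods = [MethodApplication(Method.TEST, [drill], "basic", "focused")]
    return proc


if __name__ == "__main__":
    proc = sample_procedure()
    print([o.ident for o in proc.objectives])
    print("problems:", validate(proc))
```

The validate function is where a practitioner gets value: a procedure written in a spreadsheet or an automation tool can silently pair the test method with a policy document, or use an attribute value outside basic/focused/comprehensive, and neither mistake is visible until an assessor tries to execute it. Checking the pairing and the attribute values up front, and comparing applied depth/coverage against the minimum the assurance requirement calls for with meets_assurance, keeps the procedure consistent with the structure this chapter defines.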
- 20 There are typically five phases in a generic system development life cycle: (i) initiation; (ii) acquisition/development; (iii) implementation; (iv) operations and maintenance; and (v) disposition (disposal).
- 21 Special Publication 800-37 provides guidance on the continuous monitoring of security controls.
- 22 An assurance case is a body of evidence organized into an argument demonstrating that some claim about an information system holds (i.e., is assured). An assurance case is needed when it is important to show that a system exhibits some complex property such as safety, security, or reliability. Additional information can be obtained at https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643.html.
- 23 Mechanisms also include physical protection devices associated with an information system (e.g., locks, keypads, security cameras, fire protection devices, fireproof safes, etc.).