NIST SP 800-53A Chapter 1
THE NEED TO ASSESS SECURITY CONTROL EFFECTIVENESS IN INFORMATION SYSTEMS
Today's information systems8  are incredibly complex assemblages of technology (including hardware, software, and firmware), processes, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals.9  Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the Nation resulting from the use of the system.
1.1 PURPOSE AND APPLICABILITY
The purpose of this publication is to provide guidelines for building effective security assessment plans and a comprehensive set of procedures for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems, and any additional security controls developed by the organization. The guidelines have been developed to help achieve more secure information systems within the federal government by:
- Enabling more consistent, comparable, and repeatable assessments of security controls;
- Facilitating more cost-effective assessments of security controls contributing to the determination of overall control effectiveness;
- Promoting a better understanding of the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems; and
- Creating more complete, reliable, and trustworthy information for organizational officials—to support security accreditation decisions, information sharing, and FISMA compliance.
The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of the Director of National Intelligence (DNI), the Secretary of Defense (SECDEF), the Chairman of the Committee on National Security Systems (CNSS), or their designees. State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States, are also encouraged to consider the use of these guidelines, as appropriate.
Organizations should use as a minimum, NIST Special Publication 800-53A in conjunction with an approved security plan in developing a viable security assessment plan for producing and compiling the information necessary to determine the effectiveness of the security controls employed in the information system. This publication has been developed with the intention of enabling organizations to tailor and supplement the basic assessment procedures provided. The assessment procedures should be used as a starting point for and as input to the security assessment plan. In developing effective security assessment plans, organizations should take into consideration existing information about the security controls to be assessed (e.g., results from organizational assessments of risk, platform-specific dependencies in the hardware, software, or firmware,10  and any assessment procedures needed as a result of organization- specific controls not included in NIST Special Publication 800-53).
The selection of appropriate assessment procedures for a particular information system depends on three factors:
- The security categorization of the information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories;
- The security controls identified in the approved security plan, including those from NIST Special Publication 800-53 (as amended) and any organization-specific controls;11  and
- The level of assurance that the organization must have in determining the effectiveness of the security controls in the information system.
The extent of security control assessments should always be risk-driven. Organizations should determine the most cost-effective implementation of this key element in the organization's information security program by applying the results of risk assessments, considering the maturity and quality level of the organization's risk management processes, and taking advantage of the flexibility in NIST Special Publication 800-53A. The use of Special Publication 800-53A as a starting point in the process of defining procedures for assessing the security controls in information systems, promotes a more consistent level of security within the organization and offers the needed flexibility to customize the assessment based on organizational policies and requirements, known threat and vulnerability information, operational considerations, information system and platform dependencies, and tolerance for risk.12  Ultimately, organizations should view assessment as an information gathering activity, not a security producing activity. The information produced during security control assessments can be used by an organization to:
- Identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework;
- Identify information system weaknesses and deficiencies;
- Prioritize risk mitigation decisions and associated risk mitigation activities;
- Confirm that identified weaknesses and deficiencies in the information system have been addressed;
- Support information system authorization (i.e., security accreditation) decisions; and
- Support budgetary decisions and the capital investment process.
Organizations are not expected to employ all of the assessment methods and assessment objects contained within the assessment procedures identified in this document. Rather, organizations have the flexibility to determine the security control assessment level of effort and resources expended (e.g., which assessment methods and objects are employed in the assessment). This determination is made on the basis of what will most cost-effectively accomplish the assessment objectives defined in this publication with sufficient confidence to support the subsequent determination of the resulting mission or business risk.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse group of information system and information security professionals including:
- Individuals with information system and security control assessment and monitoring responsibilities (e.g., system evaluators, assessors/assessment teams, certification agents/certification teams, independent verification and validation assessors, auditors, inspectors general, information system owners);
- Individuals with information system and security management and oversight responsibilities (e.g., authorizing officials, senior agency information security officers, information security managers);
- Individuals with information security implementation and operational responsibilities (e.g., information system owners, mission/information owners, and information system security officers); and
- Individuals with information system development and integration responsibilities (e.g., program managers, information technology product developers, information system developers, systems integrators).
1.3 RELATIONSHIP TO OTHER PUBLICATIONS
NIST Special Publication 800-53A13  has been designed to be used with NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. In particular, the assessment procedures contained in this publication and the guidelines provided for developing security assessment plans for organizational information systems directly support the security certification and continuous monitoring activities that are integral to the certification and accreditation process. Security certification, like any security control assessment, helps to determine if the security controls in the information system are effective in their application (i.e., implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system). As the information system moves into the continuous monitoring phase (subsequent to security accreditation), organizations can select a subset of the assessment procedures from the security assessment plan to assess a subset of the security controls on an ongoing basis. The procedures selected for the follow-on assessments are based on an organizational assessment of risk, the plan of action and milestones for the information system, and organizational security policies, any of which may indicate the need for greater emphasis on assessment of selected security controls.
Organizations are encouraged, whenever possible, to take advantage of the assessment results and associated assessment-related documentation and evidence available on information system components from previous assessments including independent third-party testing, evaluation, and validation.14  Product testing, evaluation, and validation may be conducted on cryptographic modules and general-purpose information technology products such as operating systems, database systems, firewalls, intrusion detection devices, web browsers, web applications, smart cards, biometrics devices, personal identity verification devices, network devices, and hardware platforms using national and international standards. If an information system component product is identified as providing support for the implementation of a particular security control in NIST Special Publication 800-53, then any available evidence produced during the product testing, evaluation, and validation processes (e.g., security specifications, analyses and test results, validation reports, and validation certificates)15  should be used to the extent that it is applicable. This evidence should be combined with the assessment-related evidence obtained from the application of the assessment procedures in this publication, to cost-effectively produce the information necessary to determine whether the security controls are effective or ineffective in their application.
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:
- Chapter Two describes the fundamental concepts associated with security control assessments including: (i) the integration of assessments into the system development life cycle; (ii) the importance of an organization-wide strategy for conducting security control assessments; (iii) the development of effective assurance cases; (iv) the format and content of assessment procedures; and (v) the use of an extended assessment procedure to help increase the grounds for confidence in the effectiveness of the security controls being assessed.
- Chapter Three describes the process of assessing the security controls in organizational information systems including: (i) the activities carried out by organizations and assessors to prepare for security control assessments; (ii) the development of security assessment plans; (iii) the conduct of security control assessments and the analysis, documentation, and reporting of assessment results; and (iv) post-assessment report analysis and follow-on activities carried out by organizations.
- Supporting appendices provide detailed assessment-related information including: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) a description of assessment methods; (v) assessment expectations for low-impact, moderate-impact, and high-impact information systems; (vi) a master catalog of assessment procedures that can be used to develop plans for assessing security controls; (vii) penetration testing guidelines; (viii) an assessment procedure work sheet; (ix) a sample format for security assessment reports; and (x) the definition, format, and use of assessment cases.
- An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- When selecting security controls for an information system, the organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts.
- For example, detailed test scripts may need to be developed for the specific operating system, network component, middleware, or application employed within the information system to adequately assess certain characteristics of a particular security control. Such test scripts are at a lower level of detail than provided by the assessment procedures contained in Appendix F (Assessment Procedures Catalog) and are therefore beyond the scope of this publication.
- The agreed-upon security controls for the information system are documented in the security plan after the initial selection of the controls as described in NIST Special Publication 800-53. The security plan is approved by appropriate organizational officials prior to the start of the security control assessment.
- In this publication, the term risk is used to mean risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
- NIST Special Publication 800-53A is a companion publication to NIST Special Publication 800-53, not a replacement or update. Special Publication 800-53 remains the definitive NIST recommendation for employing security controls in federal information systems.
- Assessment results can be obtained from many activities that occur routinely during the System Development Life Cycle processes within organizations. For example, assessment results are produced during the testing and evaluation of new information system components during system upgrades or system integration activities. Organizations should take advantage of previous assessment results whenever possible, to reduce the overall cost of assessments and to make the assessment process more efficient.
- Organizations should review the component product's available information to determine: (i) what security controls are implemented by the product; (ii) if those security controls meet intended control requirements of the information system under assessment; (iii) if the configuration of the product and the environment in which the product operates are consistent with the environmental and product configuration as stated by the vendor/developer; and (iv) if the assurance requirements stated in the developer/vendor specification satisfy the assurance requirements for assessing those controls. Meeting the above criteria provides a sound rationale that the product is suitable and meets the intended security control requirements of the information system under assessment.