The objective of the security control assessment task is threefold:
1. Prepare for the assessment of the security controls in the information system.
2. Conduct the assessment of the security controls.
3. Document the results of the assessment.
This task is led by the Certification Agent (CA). By the end of the security control assessment the CA is able to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system.
The output of this task also enables the CA to recommend corrective actions for security control deficiencies. The CA can then advise the information system owner and the authorizing official on how the known vulnerabilities in the system translate into actual risk to the organization.
Prepare for the Assessment
Preparation for the security assessment involves:
· Gathering the appropriate planning and supporting materials
· Collecting all available system requirements and design documentation
· Gathering the security control implementation evidence
· Compiling the results from previous security assessments, security reviews, or audits
Gather the Documentation
The information system (IS) owner should assist the certification agent in gathering all relevant documents and supporting materials from the agency that will be required during the assessment of the security controls. If these materials include previous assessments of the security controls, the IS owner and the CA should review the findings, results, and evidence from those assessments.
Certification agents should make maximum use of previous assessment results in determining the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system, provided those results are still current and apply to the system as it is now configured. The certification agent may incorporate such results into the security certification.
Useful materials can include:
· Supporting materials such as procedures, reports, logs, and records showing evidence of security control implementation
· Previous evaluation results and/or information system audits, security certifications, security reviews or self-assessments
· Previous assessment results from programs that test and evaluate the security features of commercial information technology products or prior security test and evaluation reports
· Prior assessment results from the system developer
· Privacy impact assessments
· Other documents and supporting materials included or referenced in the system security plan, such as the NIST Special Publication 800-53A assessment procedures, ISO/IEC 15408 (Common Criteria) validations, and FIPS 140-2 cryptographic module validations
Define the Assessment Methods and Procedures
Preparation also involves developing the specific methods and procedures that will be used to assess the security controls in the information system. The certification agent must select, or develop when needed, appropriate methods and procedures to assess the management, operational, and technical security controls. Because these methods and procedures may need to be tailored for a specific system implementation, the CA may supplement or adapt them as required.
Conduct the Security Assessment
The CA then assesses the management, operational, and technical security controls in the information system using the methods and procedures selected or developed during preparation. The security assessment determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of the security assessment, including recommendations for correcting any deficiencies in the security controls, are documented in the security assessment report.
Prepare the Security Assessment Report
After the assessment, the certification agent prepares the final security assessment report. The security assessment report is part of the final accreditation package, along with the updated system security plan and the plan of action and milestones (POA&M). The security assessment report is the certification agent's statement regarding the security status of the information system.
The security assessment report contains:
1. The results of the security assessment
2. Recommendations for correcting deficiencies in the security controls and reducing or eliminating identified vulnerabilities