Guide for Assessing the Security Controls in Federal Information Systems
The purpose of this publication is to provide guidelines for building effective security assessment plans and a comprehensive set of procedures for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems, and any additional security controls developed by the organization. The guidelines have been developed to help achieve more secure information systems within the federal government by:
• Enabling more consistent, comparable, and repeatable assessments of security controls;
• Facilitating more cost-effective assessments of security controls contributing to the determination of overall control effectiveness;
• Promoting a better understanding of the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems; and
• Creating more complete, reliable, and trustworthy information for organizational officials—to support security accreditation decisions, information sharing, and FISMA compliance.
The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of the Director of National Intelligence (DNI), the Secretary of Defense (SECDEF), the Chairman of the Committee on National Security Systems (CNSS), or their designees. State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States, are also encouraged to consider the use of these guidelines, as appropriate.
Organizations should use, as a minimum, NIST Special Publication 800-53A in conjunction with an approved security plan in developing a viable security assessment plan for producing and compiling the information necessary to determine the effectiveness of the security controls employed in the information system. This publication has been developed with the intention of enabling organizations to tailor and supplement the basic assessment procedures provided. The assessment procedures should be used as a starting point for, and as input to, the security assessment plan. In developing effective security assessment plans, organizations should take into consideration existing information about the security controls to be assessed (e.g., results from organizational assessments of risk; platform-specific dependencies in the hardware, software, or firmware; and any assessment procedures needed as a result of organization-specific controls not included in NIST Special Publication 800-53).
The selection of appropriate assessment procedures for a particular information system depends on three factors:
• The security categorization of the information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories;
• The security controls identified in the approved security plan, including those from NIST Special Publication 800-53 (as amended) and any organization-specific controls; and
• The level of assurance that the organization must have in determining the effectiveness of the security controls in the information system.
The extent of security control assessments should always be risk-driven. Organizations should determine the most cost-effective implementation of this key element in the organization's information security program by applying the results of risk assessments, considering the maturity and quality level of the organization's risk management processes, and taking advantage of the flexibility in NIST Special Publication 800-53A. The use of Special Publication 800-53A as a starting point in the process of defining procedures for assessing the security controls in information systems promotes a more consistent level of security within the organization and offers the needed flexibility to customize the assessment based on organizational policies and requirements, known threat and vulnerability information, operational considerations, information system and platform dependencies, and tolerance for risk. Ultimately, organizations should view assessment as an information-gathering activity, not a security-producing activity. The information produced during security control assessments can be used by an organization to:
• Identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework;
• Identify information system weaknesses and deficiencies;
• Prioritize risk mitigation decisions and associated risk mitigation activities;
• Confirm that identified weaknesses and deficiencies in the information system have been addressed;
• Support information system authorization (i.e., security accreditation) decisions; and
• Support budgetary decisions and the capital investment process.
Organizations are not expected to employ all of the assessment methods and assessment objects contained within the assessment procedures identified in this document. Rather, organizations have the flexibility to determine the security control assessment level of effort and resources expended (e.g., which assessment methods and objects are employed in the assessment). This determination is made on the basis of what will most cost-effectively accomplish the assessment objectives defined in this publication with sufficient confidence to support the subsequent determination of the resulting mission or business risk.