3. ASSESSOR SELECTION
• Task A-1: Select the appropriate assessor or assessment team for the type of control assessment
to be conducted.
• Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control
documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; enterprise,
security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
• Expected Outputs: Selection of assessor or assessment team responsible for conducting the control assessment.
• Discussion
• Assessor Selection – CISO
• Audits
• Self-Assessment
• Control Effectiveness
4. ASSESSMENT PLAN
• Task A-2: Develop, review, and approve plans to assess implemented controls.
• Potential Inputs: Security, privacy, and SCRM plans; program management control information;
common control documentation; organizational security and privacy program plans; SCRM strategy;
system design documentation; supply chain information; enterprise, security, and privacy architecture
information; security, privacy, and SCRM policies and procedures applicable to the system.
• Expected Outputs: Security and privacy assessment plans approved by the authorizing official.
• Discussion
• Assessment Plan Development
• When, What, Where and How
• Rules of Engagement – POCs; Tools and Techniques; Approvals
• Scope
5. ASSESSMENT PLAN
• Assessment Plan provides objectives
• Two purposes
• Establishes expectations
• Binds the Assessor to a predetermined level of effort
• Types of Assessments
• Developmental Test and Evaluation
• IV&V
• Assessments supporting authorization or reauthorization; the continuous monitoring
assessment; and remediation, or regression, assessments.
6. CONTROL ASSESSMENTS
• Task A-3: Assess the controls in accordance with the assessment procedures
described in assessment plans.
• Potential Inputs: Security and privacy assessment plans; security and privacy plans; external
assessment or audit results (if applicable).
• Expected Outputs: Completed control assessments and associated assessment evidence.
• Discussion
• SDLC (Early – Development Phase)
• Cost
• Common Controls (Inherited)
7. CONTROL ASSESSMENTS
• Tools
• Manual
• Steps taken
• Automated
• Document the settings
• Types of Tests
• The examine method is the process of reviewing, inspecting, observing, studying, or analyzing
one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of
the examine method is to facilitate assessor understanding, achieve clarification, or obtain
evidence.
• The interview method is the process of holding discussions with individuals or groups of
individuals within an organization to once again, facilitate assessor understanding, achieve
clarification, or obtain evidence.
• The test method is the process of exercising one or more assessment objects (i.e., activities or
mechanisms) under specified conditions to compare actual with expected behavior.
8. CONTROL ASSESSMENTS
• Example AC-3(6), Access Enforcement, which is listed in SP 800-53A, is quoted here:
• ASSESSMENT OBJECTIVE: Determine if:
• (i) the organization defines the user and/or system information to be encrypted or stored offline in a
secure location; and
• (ii) the organization encrypts, or stores off-line in a secure location, organization-defined user and/or
system information.
• Potential assessment methods and objects:
• Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information
system design documentation; information system configuration settings and associated documentation;
information system audit records; other relevant documents or records].
• Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
• Test: [SELECT FROM: Automated mechanisms implementing access enforcement functions].
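The following is an added example, not part of the original slide deck or of SP 800-53A, showing what the "test" method of slide 7 looks like when applied to an automated access-enforcement mechanism such as the one named in the AC-3 test objects above. It exercises a hypothetical, constructed enforcement function under conditions fixed in advance by a test plan, compares actual with expected behavior, and attaches a snapshot of the settings in force to every evidence record (the "document the settings" point of slide 7). The policy, the subjects, the case identifiers and the `enforce` function are all assumptions made for illustration; the only borrowed terms are the SP 800-53A finding values "satisfied" and "other than satisfied".

```python
"""Added example (not from the original slides): a miniature SP 800-53A "test method"
harness. It exercises a hypothetical access-enforcement mechanism under specified
conditions, compares actual with expected behavior, and records the configuration
settings alongside each result so the evidence can be carried into the SAR.
All policy data, subjects and case ids below are constructed sample data."""

from dataclasses import dataclass, field

# Constructed settings of the hypothetical mechanism under test.
# "Document the settings": a copy of this snapshot is attached to every evidence record.
MECHANISM_SETTINGS = {
    "default_decision": "deny",
    "roles": {
        "analyst": {"read"},
        "admin": {"read", "write", "delete"},
    },
    "role_bindings": {
        "alice": "admin",
        "bob": "analyst",
    },
}


def enforce(settings, subject, action):
    """Hypothetical access-enforcement mechanism: returns 'permit' or 'deny'.
    Subjects with no role binding fall through to the configured default decision."""
    role = settings["role_bindings"].get(subject)
    if role is None:
        return settings["default_decision"]
    return "permit" if action in settings["roles"][role] else "deny"


@dataclass
class TestCase:
    case_id: str
    subject: str
    action: str
    expected: str  # the behavior the test plan says must be observed


@dataclass
class EvidenceRecord:
    case_id: str
    condition: str
    expected: str
    actual: str
    result: str            # "satisfied" or "other than satisfied" (SP 800-53A terms)
    settings: dict = field(default_factory=dict)


def run_test_procedure(settings, mechanism, cases):
    """Exercise the mechanism for each specified condition and produce one
    evidence record per case. The settings snapshot is captured at test time so
    the SAR can state exactly what configuration produced the observed behavior."""
    records = []
    for case in cases:
        actual = mechanism(settings, case.subject, case.action)
        result = "satisfied" if actual == case.expected else "other than satisfied"
        records.append(EvidenceRecord(
            case_id=case.case_id,
            condition=f"subject={case.subject} action={case.action}",
            expected=case.expected,
            actual=actual,
            result=result,
            settings=dict(settings),  # copy of the settings in force during the test
        ))
    return records


def overall_finding(records):
    """Roll the per-case results up into a single finding for the determination
    statement: one deviating case makes the whole procedure 'other than satisfied'."""
    if all(r.result == "satisfied" for r in records):
        return "satisfied"
    return "other than satisfied"


# Constructed test plan: the conditions an assessor specifies before testing starts.
TEST_PLAN = [
    TestCase("AC-3-T1", "alice", "delete", "permit"),   # admin may delete
    TestCase("AC-3-T2", "bob", "write", "deny"),        # analyst must not write
    TestCase("AC-3-T3", "mallory", "read", "deny"),     # unbound subject -> default deny
    TestCase("AC-3-T4", "bob", "read", "permit"),       # analyst may read
]

if __name__ == "__main__":
    evidence = run_test_procedure(MECHANISM_SETTINGS, enforce, TEST_PLAN)
    for rec in evidence:
        print(f"{rec.case_id}: expected={rec.expected} actual={rec.actual} -> {rec.result}")
    print("Finding:", overall_finding(evidence))
```

Running the same test plan against a copy of the settings whose `default_decision` is `"permit"` turns case AC-3-T3 into "other than satisfied" and the overall finding with it; because the settings snapshot travels with the record, the SAR entry for that case shows the weak default directly rather than requiring the reader to reconstruct the configuration later.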
9. CONTROL ASSESSMENTS
• Input: Test Plan
• Test Leader/Director
• Responsible for the SAR
• Freeze the System
• Look at Annual Assessments
• Incremental Assessments during the SDLC
• SSP Review from Phase 2
11. ASSESSMENT REPORTS
• Task A-4: Prepare the assessment reports documenting the findings and recommendations
from the control assessments.
• Potential Inputs: Completed control assessments and associated assessment evidence.
• Expected Outputs: Completed security and privacy assessment reports detailing the assessor findings and
recommendations.
• Discussion
• Assessment Report (Findings)
• SAR
• Documents the results of the testing
• Bring forward previous assessments
12. REMEDIATION ACTIONS
• Task A-5: Conduct initial remediation actions on the controls and reassess remediated
controls.
• Potential Inputs: Completed security and privacy assessment reports with findings and recommendations; security
and privacy plans; security and privacy assessment plans; organization- and system-level risk assessment results.
• Expected Outputs: Completed initial remediation actions based on the security and privacy assessment reports;
changes to implementations reassessed by the assessment team; updated security and privacy assessment reports;
updated security and privacy plans including changes to the control implementations.
• Discussion
• During Development/Post-Development
• Meeting on Findings
13. REMEDIATION ACTIONS
• System Owner
• Reviews the findings
• False Positives
• ISSO assists in this process
• Meeting
• Assessor
• SO and ISSO
• Determines applicable findings
• Unacceptable Risk – Fix Now
• Addendum
14. PLAN OF ACTION AND MILESTONES
• Task A-6: Prepare the plan of action and milestones based on the findings and
recommendations of the assessment reports.
• Potential Inputs: Updated security and privacy assessment reports; updated security and privacy plans; organization-
and system-level risk assessment results; organizational risk management strategy and risk tolerance.
• Expected Outputs: A plan of action and milestones detailing the findings from the security and privacy assessment
reports that are to be remediated.
• Discussion
• Correct the deficiencies
• Residual Risk
• Process to fix