Assessment Architecture: Security Assessment Plan (SAP)
System Name: University Admin Office
Student Name:

Section 1.1 - Provide a complete list of hardware consistent with the architecture diagram. List each asset/host individually by hostname or unique identifier.

Baseline Hardware List
Device Name (Unique Identifier) | Manufacturer | Model Number | Firmware / OS | Purpose | Optional Field (might include fields such as Building and Room, IP, Approval Status using the DISA approved HW list, Common Criteria certification, etc.)
Router1 | Cisco | ISR 4221 | 15.5 | Perimeter Router |
Firewall1 | Cisco | ISR 4221 | 9.1(6) | Firewall |
Switch01 and Switch02 | Cisco | 2960 | 8.0.3 | Access |
Computers | Dell | Optiplex 7050 | Windows 10 SBH | Workstation |
Storage | Hewlett Packard | StoreEasy | Server 2012 R2 | File Server |
*ADD ROWS AS NEEDED*

Section 1.2 - Provide testable software components, such as IA-enabled applications and operating systems.

Baseline Software List
Manufacturer | Name | Version | Function | Optional Field (might include fields such as Licence Expiration, Approval Status using the DISA approved SW list, Common Criteria certification, etc.)
Adobe Acrobat Pro DC | Acrobat | 19.010.20069 | Document creation |
Adobe Flash Player | Acrobat | 32.0.0.270 | Playing media files online |
Google Chrome | Google | 77.0.3865.120 | Browsing the internet |
Oracle Java Runtime Environment | Oracle | jre-8u221-windows-x64.exe | Running Java applications |
McAfee VirusScan Enterprise | Acrobat | (VSE) 8.8.0 Patch 12 | Scanning the system for viruses |
Microsoft Office 2016 Standard | Microsoft | 2016 | Creating MS Office files |
Microsoft Windows Server 2012 R2 Member Server | Microsoft | 2012 | Server |
*ADD ROWS AS NEEDED*

Section 1.3 - Provide a copy of the architecture diagram and complete the assessment location fields. [Text] is provided as sample content only, replace with system-specific content. Not required for Assignment.

Architecture / Assessment Boundary Diagrams
Embed (or provide separately) a copy of the architecture diagram used to develop this SAP. Do not reference an architecture diagram uploaded in eMASS, as eMASS artifacts can be changed over time and, if changed, may invalidate this SAP. Changes to the architecture diagram require an update to the SAP and may require additional SCA review and approval. Consult the assigned SCA Liaison as needed.
Embed Diagram Here. Instructions:
1. Click on this cell
2. Choose 'Insert Object'
3. Use the 'Create From File' tab and locate file
4. Check the box 'Display as Icon'
5. Click 'OK'

Assessment Location
Location(s) | Environment Type (Dropdown)
Operational Environment | Operational Environment
Assessment Methods: RMF SAP Continued
Section 2.0 - Complete all fields in this tab, ensuring consistency with the 'Assessment Architecture' tab.
Section 2.1 - List each assessment method that will be executed as part of the Security Assessment Plan in the "Test Battery" column. List all hosts with the method that will be used to assess in the "Test Target" column; this field should include every target hostname, whenever applicable. Include the verification method that will be used by the validator and how the results/output will be captured in the corresponding fields.

Requirements Traceability
Test Battery | Test Target (Component, Software, Technology, or Policy) | Verification Method: (E) Examine, (I) Interview, (T) Test | Output
NIST SP 800-53A Rev4 Security Controls Assessment Procedures for L – L – L | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure
Assured Compliance Assessment Solution (ACAS) Vulnerability scan(s) | All assets | T | Results will be provided in a .nessus file
Traditional Security Technical Implementation Guide (STIG) | System | E, I, T | STIG Viewer .ckl results will be provided
Enclave Testing Security Technical Implementation Guide (STIG) | System | E, I | STIG Viewer .ckl results will be provided
Network Perimeter Router L3 Switch STIG - Ver 8, Rel 32 | Router1 | E, I, T | STIG Viewer .ckl results will be provided
Firewall SRG - Ver 1, Rel 3 | Firewall1 | E, I, T | STIG Viewer .ckl results will be provided
Network Layer 2 Switch STIG - Ver 8, Rel 27 | Switch01, Switch02 | E, I, T | STIG Viewer .ckl results will be provided
*ADD ROWS AS NEEDED*
Assessment Personnel & Schedule: RMF SAP Continued
Section 3.0 - Complete all fields in this tab.
Section 3.1 - Provide a list of assigned personnel.

Assessment Personnel
Title | Name | Telephone | Email Address
Program Manager | | |
Validator | | |
Site/Program ISSM | | |
ISSE | | |
System Administrator | | |
*ADD ROWS AS NEEDED*

Section 3.2 - Provide a schedule of assessment activities. [Text] is provided as sample content only, replace with system-specific content. Events can be modified as needed for each system and are provided only as suggestions.

Assessment Schedule (columns: Date(s), Duration, Event; dates and durations are not yet filled in)
Assessment Objectives Approval (Stakeholder concurrence)
SETUP & CONNECTIVITY
  Configuration Verification
  Assessment Procedures Walkthrough and finalization of assessment execution details
  Setup and connectivity checks
ASSESSMENT EXECUTION
  Assessment objective(s) under test (ex. Manual STIG checks of Windows 7 workstations for assessment procedure compliance)
  ACAS scanning
  Re-run tests as needed
  Combine Manual and Automated results (if applicable)
  Document raw results
ASSESSMENT REPORT
  Synchronize results with the Risk Assessment Report
  Identify False Positives and Misleading Results
  Perform Gap Analysis
  Execute any additional testing identified in Gap Analysis
  Add vulnerabilities to Control Status
  Populate SAR / Perform Risk Analysis
  Update POA&M
  Archive raw test data for submission
Exceptions: RMF SAP Continued
Section 4.0 - Review each question below and respond accordingly. Provide additional required information in column E as required.

Columns: Yes or No (dropdown) | Exceptions in Testing | Additional Information Required

Question: Is there a relationship between this SAP and other plans and documents?
Answer: No
Additional Information Required: If yes, describe the related plans (e.g., Master Test Plan, Continuous Monitoring Strategy, etc.) here.

Question: Are there any Testing Limitations due to equipment, time, lab availability, system access, system admin availability, etc.?
Answer: Yes
Additional Information Required: If yes, list them here. If discovered during the test event, document here at a later date. Response: Vulnerability scanner, penetration testers, network security auditing equipment, hex editors.

Question: Are there any Related Tests being performed as part of this assessment event?
Answer: No
Additional Information Required: If yes, describe related tests (e.g., Penetration testing, Web Risk Assessments). Documentation format will be as follows:
a. Test Title
b. Date conducted
c. Related system being tested
d. Responsible Organization
e. Impact on testing for this system or product

Question: Are there any Additional Test Considerations that need to be considered that have not previously been identified in this plan?
Answer: Yes
Additional Information Required: If yes, describe here. Response: Consider the best way through which the identified faults could be corrected.

Question: Are Custom Test Cases required to complete this assessment?
Answer: No
Additional Information Required: If yes, describe the driver (e.g., the absence of an applicable STIG or SRG for a system under test) behind the test cases and the method in which they were generated (e.g., developed using vendor hardening guidance, best practices, or other references as applicable). The preferred format is the DISA STIG format. All custom test cases are grouped by technology. If a custom test case is required it must be traced to an applicable security control and have an assigned Severity Category based on criteria that shall also be documented here. All custom test cases will be grouped into distinctive test batteries and referenced in the Requirements Traceability table.
Security Test Report: RMF SAP Continued
Section 5.0 - This report provides additional information useful for documenting test events and any conditions or exceptions realized during the event that may require further review.
Section 5.1 - Complete all fields adequately identifying conditions of a test case indicating non-compliance, but determined to be incorrectly marked as an open finding (ex. False Positive). [Text] is provided as sample content only, replace with system-specific content.

False Positives
Columns: Source of Discovery or Test Tool Name | Test ID | Description of Vulnerability/Weakness | Comment | Trouble Ticket #

Source: [ACAS]
Test ID: [12345]
Description: [System must use NTFS]
Comment: ACAS incorrectly identified multiple assets as not utilizing NTFS. Manual testing was performed and verified NTFS is correctly implemented and used.
Trouble Ticket #: DISA ACAS Helpdesk TT#123456

Source: IDS
Test ID: IDS-3427
Description: Must be installed in the network
Comment: The IDS sometimes raises an alarm even for legitimate activity in the network.
Trouble Ticket #: IDS helpdesk TT IDS_3427

Source: Network scanner [Nmap]
Test ID: NMAP-4876
Description: Requires disabling of the network security appliances
Comment: To run Nmap, all other security systems must be disabled; it can therefore map out vulnerabilities that those systems would otherwise prevent.
Trouble Ticket #: Security engineer NMAP-8976
*ADD ROWS AS NEEDED*

Section 5.2 - Complete all fields adequately identifying any misleading results. For a detailed explanation, see the reference tab. [Text] is provided as sample content only, replace with system-specific content.

Misleading Reports
Columns: Source of Discovery or Test Tool Name | Test ID | Description of Vulnerability/Weakness | Comment

Source: [EXAMPLE: 800-53 Rev4 Controls]
Test ID: [PE-3 CCI: 000919]
Description: [The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.]
Comment: [Assessor initially marked this non-compliant based on information received from site personnel prior to site visit. Further review with Command Security Manager onsite revealed compliance with this control, as physical access is controlled and documented appropriately.]

Source: Selenium
Test ID: PE-5 BBc: 987078
Description: The organization website can be attacked and important data stolen. Not having enough security strategies can affect the system.
Comment: Selenium indicated the possible areas that an attacker could be interested in. Security management noted the security was up to date in the system.

Source: TestComplete
Test ID: TC-16 TCI: 876519
Description: This is software that monitors all actions on the computer. The vulnerabilities that this tool tests for include network faults.
Comment: The tool reports false information on the testing. Also, most of the reports it generates include the corrected vulnerabilities.
*ADD ROWS AS NEEDED*

Section 5.3 - Identify any exceptions to the assessment testing which occurred during the assessment in the box below. Provide a summary of the issue, background information and details of the exception.
Summary of Issue:
Background: Testing the system needs very good and efficient tools that could produce the best results. However, most of the available tools do not produce comprehensive results. Some of these tools can be used on all parts of the system. Therefore, dedicated tools are needed to find issues in the network. This can make the testing process time-consuming and expensive. Also, some of the tools cannot be relied on because they show false results on the system.
References
This tab is INFORMATIONAL ONLY, and provides reference material and educational information related to security assessment planning.

References: Reference documents used to support testing and prepare this plan include but are not limited to (check for updated versions of each):
a. DODI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014
b. Department of Defense (DoD) Cybersecurity Risk Assessment Guide, 22 April 2014
c. NIST SP 800-30 Rev1, Guide for Conducting Risk Assessments, September 2012
d. NIST SP 800-53 Rev4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
e. NIST SP 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
h. DoDI 5000.02, Operation of the Defense Acquisition System, 7 January 2015
i. Risk Management Framework Process Guide, 4 August 2017
k. Test and Evaluation Master Plan (TEMP) or Master Test Plan (MTP) (if applicable)
l. Governing Instructions (specific to system under test, if applicable)

Assessment Objectives: The system is to be evaluated for compliance with the applicable NIST SP 800-53 security controls, in support of the Risk Management Framework (RMF). Any exceptions must be noted and reported in the test report, and results of non-compliance shall be recorded in the system Risk Assessment Report (RAR) for analysis and inclusion with the Security Assessment Report (SAR). The ongoing findings will then be documented in the Plan of Action and Milestones (POA&M) for future mitigation or remediation.

Architecture Diagram: A network diagram can be provided as a separate artifact but is required to be included with the SAP. This diagram serves as a snapshot-in-time representation of the network at the time of assessment. It should reflect the architecture that will be assessed and authorized (if applicable). Diagrams should clearly show connectivity and placement within the architecture. Each device shown should include IP address, Unique Identifier (ex. hostname), Operating System, and function. It should be possible to verify all network connections physically based on the diagrams provided. All interconnections with assets outside of the boundary should be clearly marked and include references to other authorizations. Out-of-band (OOB) management network connectivity should also be included, and references to authorization of the OOB network should be included if separate from this effort.

Verification Methods:
Examine: The process of reviewing, inspecting, observing, studying or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
Interview: The process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.
Test: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

Assessment Targets: Component, Software, Technology, or Policy

Satisfactory/Unsatisfactory (Sat/Unsat) Criteria: Establishing Satisfactory/Unsatisfactory (Sat/Unsat) Criteria - Prior to the commencement of formal assessment, the configuration, Satisfactory/Unsatisfactory (Sat/Unsat) criteria, and the execution process must be fully documented by the assessment team, and approved by the system stakeholders through formal collaboration after Step 2 of the RMF process. The Sat/Unsat criterion for cybersecurity assessment differs slightly from functional testing. The goal of cybersecurity testing is to adequately assess security features implemented or required for each system, regardless of disposition. The security assessment results in findings identified as 'open', 'closed', or 'not applicable', combined with an associated raw risk level that is used later in the residual risk analysis, as opposed to a pass/fail method. To determine the success or failure of a test, the assessor will conduct any required data reduction or analysis and compare the actual results with the expected result. If an 'open' finding exists, the assessor must also ensure that the test adequately characterizes the risk level of the security feature being tested. All results of assessment procedures are documented in the respective test tool reporting format. All 'open' findings are then documented in the Risk Assessment Report (RAR) for further analysis. The findings are further evaluated to determine false positives and misleading results. Remaining findings are then assigned a raw risk category. All findings shall have a residual risk analysis performed, for each respective finding, and documented in the RAR. The findings, along with the established residual risk, are then documented in the Security Assessment Report (SAR) for review and concurrence by the SCA.

Entrance/Exit Criteria: Entrance criteria include all conditions required to be met prior to starting test. These include:
a. Having completed the Assessment Architecture tab of this document
b. Having satisfactorily passed all functional tests
c. Having performed dry run(s) of assessment tests
d. Having all assets under assessment available to the assessor(s)
e. Having all requisite credential(s) and system access for assessment
f. Having identified data transfer requirements for exporting vulnerability test data from the system under assessment, if applicable
Exit criteria include those items that must be met prior to leaving RMF Step 4, Assess Security Controls. These include:
a. An established level of residual risk for all findings
b. An accurate characterization of all mitigations for each finding in the RAR
e. False positives and misleading results documented
f. Risk aggregation analysis performed
g. Risk Assessment Report (RAR) completed
h. Security Assessment Report (SAR) populated with all ongoing findings
i. Plan of Action and Milestones (POA&M) completed and updated
j. An established system-level of residual risk

Logistics Support: Resources, such as spare parts, documentation, transportation, training and the organizations providing them, may be required for assessment and must be planned for.

Qualifications/Certifications: There may be several personnel qualifications required for RMF supporting roles, beyond the Validators. All qualifications and certifications should be reviewed by the PM/ISO before assigning personnel in this SAP.

Security: The ISSM should address security to reinforce the importance of protecting classified material and ensuring the integrity of the assessment process.

False Positives: False Positives are a condition of a test case indicating non-compliance, but after further analysis it is determined that the test case incorrectly marked the finding as open. This is normally associated with automated testing methods and arises due to a number of possibilities. It is important to single out these conditions, record them for further review and provide feedback to test tool maintainers. This will increase the overall accuracy of future test events, and reduce the amount of work necessary to address the same conditions when testing is performed at other points in a system's lifecycle.

Misleading Results: Misleading results are a condition that arises when the interpretation of an assessment procedure between testers is in conflict. This happens due to the complex nature of assessment procedures, a misunderstanding regarding the goal of the test case, or the use of a different method for determining compliance status. Misleading results are realized during further analysis of findings and a careful review of the test objective. Supporting details provided by testers will assist in the identification and resolution of these conditions. This will decrease the effort of future test events, and reduce the amount of work necessary to address the same conditions when testing is performed at other points in a system's lifecycle.
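The finding work-up described under the Sat/Unsat Criteria, Exit Criteria, False Positives and Misleading Results headings above can be expressed as a small, checkable procedure. The following Python script is an added example, not part of the SAP template or the student's submission: it takes a constructed list of findings, keeps only 'open' ones, sets aside false positives and misleading results that carry a ticket or justification, assigns a raw risk category to what remains, checks that each finding traces to a control in the Requirements Traceability set, and rolls the result up for the RAR/SAR. The severity-to-raw-risk mapping, the test IDs, controls, severities and ticket numbers in the sample are assumptions made for illustration; only the hostnames follow the Assessment Architecture tab.

```python
"""Finding triage for a Security Assessment Report (SAR) work-up.

Added example; not part of the SAP template or the student's submission.
The mapping from STIG-style severity to raw risk, and every sample
finding below, are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed raw risk category per STIG severity category.
RAW_RISK = {"CAT I": "High", "CAT II": "Moderate", "CAT III": "Low"}

# Exception kinds tracked in Sections 5.1 and 5.2 of the plan.
EXCEPTIONS = {"false positive", "misleading"}


@dataclass
class Finding:
    source: str                  # test battery / tool that produced it
    test_id: str
    target: str                  # hostname from the Assessment Architecture tab
    control: str                 # NIST SP 800-53 control the test traces to
    severity: str                # "CAT I", "CAT II" or "CAT III"
    status: str                  # "open", "closed" or "not applicable"
    exception: Optional[str] = None   # "false positive", "misleading" or None
    note: Optional[str] = None        # trouble ticket or reviewer justification


def undocumented_exceptions(findings):
    """Test IDs that claim an exception without a ticket or justification.

    The plan requires supporting detail for every false positive or
    misleading result, so such findings stay open until it is recorded.
    """
    return [f.test_id for f in findings
            if f.exception in EXCEPTIONS and not f.note]


def untraced(findings, controls_in_scope):
    """Test IDs whose control is not in the Requirements Traceability set."""
    return [f.test_id for f in findings if f.control not in controls_in_scope]


def triage(findings):
    """Split open findings into RAR candidates (with raw risk) and exceptions.

    Closed and not-applicable findings carry no risk and are dropped here;
    they remain in the archived tool output (.ckl / .nessus files).
    An exception without a note is NOT honoured: it is kept as an open
    finding so it cannot silently disappear from the RAR.
    """
    rar, exceptions = [], []
    for f in findings:
        if f.status != "open":
            continue
        if f.exception in EXCEPTIONS and f.note:
            exceptions.append(f)
        else:
            rar.append((f, RAW_RISK[f.severity]))
    return rar, exceptions


def raw_risk_summary(rar):
    """Count of RAR findings per raw risk level, for the SAR roll-up."""
    return dict(Counter(risk for _, risk in rar))


# Constructed sample findings. Hostnames follow the plan; test IDs, controls,
# severities and ticket numbers are made up for this example.
SAMPLE = [
    Finding("ACAS", "12345", "Storage", "CM-6", "CAT II", "open",
            exception="false positive", note="DISA ACAS Helpdesk TT#123456"),
    Finding("Router STIG", "RTR-001", "Router1", "AC-3", "CAT II", "open"),
    Finding("Firewall SRG", "FW-002", "Firewall1", "SC-7", "CAT I", "open"),
    Finding("L2 Switch STIG", "SW-003", "Switch01", "CM-6", "CAT III", "closed"),
    Finding("L2 Switch STIG", "SW-005", "Switch02", "CM-6", "CAT II", "not applicable"),
    Finding("800-53A", "PE-3", "System", "PE-3", "CAT II", "open",
            exception="misleading"),            # justification not yet recorded
    Finding("Enclave STIG", "ENC-004", "System", "SI-4", "CAT III", "open"),
]

# Constructed stand-in for the controls listed in the traceability table.
IN_SCOPE = {"AC-3", "SC-7", "CM-6", "PE-3"}

if __name__ == "__main__":
    print("exceptions lacking a ticket/justification:", undocumented_exceptions(SAMPLE))
    print("findings not traced to a control in scope:", untraced(SAMPLE, IN_SCOPE))
    rar, exc = triage(SAMPLE)
    print("documented exceptions:", [f.test_id for f in exc])
    print("raw risk summary for the RAR:", raw_risk_summary(rar))
```

Run as a script it reports the PE-3 finding as an exception that still lacks justification (so it stays in the RAR as open), the ENC-004 finding as untraced to any control in scope, the ACAS NTFS finding as the one documented exception, and a raw-risk roll-up of one High, two Moderate and one Low.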
LOW IMPACT CONTROLS
RMF: Low Impact Controls
NIST LOW IMPACT CONTROLS
AC-3 Access Enforcement. Access control enables the organization to include in its systems a varied range of security controls to ensure a high level of access management. University Admin Office has a contract with Ekran System and ensures authentication by providing features that improve the company's account management system using access control policies. University Admin Office is fully compliant.
AT-2 Security Awareness Training. Awareness training requires the organization to formulate and implement an awareness program that ensures all staff members within the organization are trained on security measures. University Admin Office partnered with Ekran System to create proper online training materials and ensure adequate training has been put in place to minimize risks. Inherited and compliant.
AU-1 Audit and Accountability Policy and Procedures. These policies and procedures enable the organization to establish a trusted and credible accountability system by performing continuous audits to detect the presence of threats. Ekran System provides University Admin Office with comprehensive user activity monitoring, to monitor mitigation at all points. The company is fully compliant.
CA-1 Security Assessment and Authorization Policy and Procedures. Security Assessment and Authorization enables the organization to create a policy for developing and monitoring information security assessment across all its IT users and assets. University Admin Office has adopted this principle.
CM-1 Configuration Management Policy and Procedures. Configuration management is a systems engineering procedure that ensures consistency across the operational environment. The University has a contract with Pivotal Application Service (PAS) to ensure all its assets within the system are compliant with audit.
CP-1 Contingency Planning Policy and Procedures. Contingency Planning requires the organization to address the established procedures and policies in the CP control. The University ensures the procedures reflect the applicable federal laws.
IA-2 Identification and Authentication. This is a type of security control for uniquely identifying every user and device accessing the network. Ekran System provides multi-factor authentication (MFA) features to enable identification of each shared user. University Admin Office is fully compliant.
IR-5 Incident Monitoring. Incident Response requires the organization to protect sensitive information. The University Admin Office has a contract with Ekran System, which provides actionable tools to meet this requirement. University Admin Office meets this requirement fully.
MA-2 Controlled Maintenance. This control requires the organization to perform regular maintenance of documents, records, and repairs of the information system in compliance with the vendor's specifications. University Admin Office has a contract with PAS covering all its activities and equipment, whether remote or on site. Fully compliant.
MP-2 Media Access. Media Protection requires the organization to protect and control information system media stored in the university office. University Admin Office has a contract with PCF for testing its assets and transporting information on digital and non-digital media. Fully compliant.
PE-6 Monitoring Physical Access. Physical and Environmental Protection requires the organization to provide a physical and environmental protection policy covering scope, management and responsibilities. The University complies fully with the federal law.
PL-2 System Security Plan. Planning requires the organization's System Security Plan (SSP) to be properly planned and implemented to manage and secure information. We are fully compliant with SSP.
PS-7 Third-Party Personnel Security. This control entails the implementation of procedures and policy for third-party security providers. University Admin Office partnered with ABC Securities and is compliant with the federal rule of law.
RA-3 Risk Assessment. Risk Assessment requires the organization to gather audit results, control testing and both external and internal loss events, put together by the assessor within a defined data set and system. University Admin Office has a contract with ITL to monitor and develop tests for the system and data. We are fully compliant.
SA-4 Acquisition Process. This System and Services Acquisition control enables the organization to ensure service acquisition processes are secure in order to protect the network infrastructure against the threat of data loss. University Admin Office is compliant.
SC-1 System and Communications Protection Policy and Procedures. These policies and procedures enable the organization to establish a policy that ensures development and maintenance of a system communications protection program. The University fully complies.
SI-1 System and Information Integrity Policy and Procedures. System and Information Integrity requires the organization to set information security standards to maximize the security and functionality of information across all assets, data and encryption technology. We are compliant with this NIST control.
Prepared by: _________________________
Date: _________________________
Categorization for: ______________________________
Briefly describe system operation and purpose: (include general
purpose, level/source of
maintenance support, physical environment, sensitivity of
information, access by public users)
List roles of authorized users: (include basic and privileged
users, any public/client access, etc.)
Using NIST SP 800-60 Vol. II, list 3-5 information types created, processed, or stored on this system:
Number Name Impact: C I A (L, M, or H)
_______ _________________________________________
____ ____ _____
_______ _________________________________________
____ ____ _____
_______ _________________________________________
____ ____ _____
_______ _________________________________________
____ ____ _____
_______ _________________________________________
____ ____ _____
Date: 09/14/2019
Your Name:
System name: University Administration Office
System Operations and Purpose: The purpose of the University Administration Office is to manage and coordinate all of the university's administrative functions. The office has an Admin website to manage Admissions, Degree Programs, University Events, and Financing Options. This office is also responsible for answering any administration-related questions, the safety & security of the university campus, and storing & protecting all financial documents and student records. The University IT department provides the maintenance support for this portal, and the sensitivity of the data is protected. Only authorized admin personnel can access the admin office and the admin portal.
Authorized Roles: 5 full-time employees can access the University Administration Office, including the Admin portal. They are able to create, update, and delete any content from the admin portal. There are 2 system administrators from the IT department who have full access for any system maintenance activities. Other than the 5 full-time employees and 2 IT staff, the public has read access to this Admin portal.

Information types (NIST SP 800-60 Vol. II identifier, name, and impact for C, I, A as L, M, or H):
Number | Name | C | I | A
C.3.1.1 | Facilities, Fleet, and Equipment Management Information Type | L | L | L
C.3.1.2 | Help Desk Services Information Type | L | L | L
C.3.1.3 | Security Management Information Type | M | M | L
C.3.5.3 | System Maintenance Information Type | L | M | L
C.3.5.4 | IT Infrastructure Maintenance Information Type | L | L | L
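The per-type impact levels on the form feed the system categorization step of RMF. As an added example that is not part of the worksheet or the student's submission, the Python below applies the FIPS 199 high-water-mark rule to the information types listed above: each security objective (confidentiality, integrity, availability) takes the highest impact assigned to any information type, and the system's overall impact is the highest of the three objectives. The identifiers and levels are copied from the form; the `overrides` parameter is an assumed hook for the provisional-to-final adjustment that SP 800-60 allows per information type, and `fips199_statement` formats the result in the FIPS 199 security-category notation.

```python
"""FIPS 199 high-water-mark categorization from SP 800-60 information types.

Added example; not part of the categorization worksheet. The information
type identifiers and impact levels are those entered on the form above.
"""

# Ordering of FIPS 199 impact levels used by the high-water-mark rule.
IMPACT_ORDER = {"L": 0, "M": 1, "H": 2}
LEVEL_NAME = {"L": "LOW", "M": "MODERATE", "H": "HIGH"}

# (SP 800-60 Vol. II identifier, name, C, I, A) as entered on the form.
INFO_TYPES = [
    ("C.3.1.1", "Facilities, Fleet, and Equipment Management", "L", "L", "L"),
    ("C.3.1.2", "Help Desk Services", "L", "L", "L"),
    ("C.3.1.3", "Security Management", "M", "M", "L"),
    ("C.3.5.3", "System Maintenance", "L", "M", "L"),
    ("C.3.5.4", "IT Infrastructure Maintenance", "L", "L", "L"),
]


def _highest(levels):
    """Return the highest impact level among the given L/M/H values."""
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize(info_types, overrides=None):
    """Derive the system security category by the high-water-mark rule.

    overrides (assumed hook): {type_id: (C, I, A)} with adjusted levels for
    information types whose provisional impact was changed during review.
    Returns {"C": ..., "I": ..., "A": ..., "system": ...} using L/M/H.
    """
    overrides = overrides or {}
    rows = []
    for type_id, _name, c, i, a in info_types:
        c, i, a = overrides.get(type_id, (c, i, a))
        for lvl in (c, i, a):
            if lvl not in IMPACT_ORDER:
                raise ValueError(f"{type_id}: impact must be L, M or H, got {lvl!r}")
        rows.append((c, i, a))
    if not rows:
        raise ValueError("at least one information type is required")
    cat = {
        "C": _highest(r[0] for r in rows),
        "I": _highest(r[1] for r in rows),
        "A": _highest(r[2] for r in rows),
    }
    # The system impact level is the high-water mark across the three objectives.
    cat["system"] = _highest([cat["C"], cat["I"], cat["A"]])
    return cat


def fips199_statement(cat):
    """Format a category dict in the FIPS 199 security-category notation."""
    return ("SC system = {{(confidentiality, {}), (integrity, {}), "
            "(availability, {})}}").format(LEVEL_NAME[cat["C"]],
                                           LEVEL_NAME[cat["I"]],
                                           LEVEL_NAME[cat["A"]])


if __name__ == "__main__":
    result = categorize(INFO_TYPES)
    print(fips199_statement(result))
    print("overall system impact level:", LEVEL_NAME[result["system"]])
```

With the values on the form this yields MODERATE for confidentiality and integrity and LOW for availability, so the high-water mark for the system as a whole is Moderate; the overall level only drops to Low if the Security Management and System Maintenance types are adjusted to Low on every objective, which is what the `overrides` hook is for.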
RMF Step 4: Assessment
In Step 4, the Assessor (or Validator) reviews all the artifacts
provided to determine the risk to the system. All of these
findings are presented in the Security Assessment Report
(SAR). There are many complex versions available, both
government and commercial. These are great references for
major projects, but you do not need to go into that much detail.
FedRAMP Security Assessment Report (SAR) Template,
General Services Administration
https://www.fedramp.gov/assets/resources/templates/FedRAMP-
SAR-Template.docx
Tips for Creating a Strong Cybersecurity Assessment Report,
Lenny Zeltser
https://zeltser.com/security-assessment-report-cheat-sheet/
Assignment Requirements
Write an original SAR that captures all the work you have conducted on your University Administration Office. Do not use the full FedRAMP template; at a minimum, you should include:
· An overview of your system - University Administration
Office
· The scope and methodology of your assessment
· Your prioritized findings with recommended mitigations
Submission Requirements
Format: Microsoft Word
Font: Arial, 12-Point, Double-Spaced
Length: approximately 2-4 pages
Note: I have attached my previous RMF steps document for the
University Admin Office
Part 1 Major Events DocumentationScenario You visit a retail.docxPart 1 Major Events DocumentationScenario You visit a retail.docx
Part 1 Major Events DocumentationScenario You visit a retail.docx
 

More from festockton

Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docx
Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docxLearning ResourcesRequired ReadingsToseland, R. W., & Ri.docx
Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docxfestockton
 
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docx
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docxLeamosEscribamos Completa el párrafo con las formas correctas de lo.docx
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docxfestockton
 
Leadership via vision is necessary for success. Discuss in detail .docx
Leadership via vision is necessary for success. Discuss in detail .docxLeadership via vision is necessary for success. Discuss in detail .docx
Leadership via vision is necessary for success. Discuss in detail .docxfestockton
 
Learning about Language by Observing and ListeningThe real.docx
Learning about Language by Observing and ListeningThe real.docxLearning about Language by Observing and ListeningThe real.docx
Learning about Language by Observing and ListeningThe real.docxfestockton
 
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docx
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docxLearning Accomplishment Profile-Diagnostic Spanish Language Edit.docx
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docxfestockton
 
Learning about Language by Observing and ListeningThe real voy.docx
Learning about Language by Observing and ListeningThe real voy.docxLearning about Language by Observing and ListeningThe real voy.docx
Learning about Language by Observing and ListeningThe real voy.docxfestockton
 
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docx
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docxLEARNING OUTCOMES1. Have knowledge and understanding of the pri.docx
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docxfestockton
 
Leadership Style What do people do when they are leadingAssignme.docx
Leadership Style What do people do when they are leadingAssignme.docxLeadership Style What do people do when they are leadingAssignme.docx
Leadership Style What do people do when they are leadingAssignme.docxfestockton
 
Leadership Throughout HistoryHistory is filled with tales of leade.docx
Leadership Throughout HistoryHistory is filled with tales of leade.docxLeadership Throughout HistoryHistory is filled with tales of leade.docx
Leadership Throughout HistoryHistory is filled with tales of leade.docxfestockton
 
Lean Inventory Management1. Why do you think lean inventory manage.docx
Lean Inventory Management1. Why do you think lean inventory manage.docxLean Inventory Management1. Why do you think lean inventory manage.docx
Lean Inventory Management1. Why do you think lean inventory manage.docxfestockton
 
Leadership varies widely by culture and personality. An internationa.docx
Leadership varies widely by culture and personality. An internationa.docxLeadership varies widely by culture and personality. An internationa.docx
Leadership varies widely by culture and personality. An internationa.docxfestockton
 
Leadership is the ability to influence people toward the attainment .docx
Leadership is the ability to influence people toward the attainment .docxLeadership is the ability to influence people toward the attainment .docx
Leadership is the ability to influence people toward the attainment .docxfestockton
 
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docx
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docxLawday. Court of Brightwaltham holden on Monday next after Ascension.docx
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docxfestockton
 
law43665_fm_i-xx i 010719 1032 AMStakeholders, Eth.docx
law43665_fm_i-xx i 010719  1032 AMStakeholders, Eth.docxlaw43665_fm_i-xx i 010719  1032 AMStakeholders, Eth.docx
law43665_fm_i-xx i 010719 1032 AMStakeholders, Eth.docxfestockton
 
Leaders face many hurdles when leading in multiple countries. There .docx
Leaders face many hurdles when leading in multiple countries. There .docxLeaders face many hurdles when leading in multiple countries. There .docx
Leaders face many hurdles when leading in multiple countries. There .docxfestockton
 
Last year Angelina Jolie had a double mastectomy because of re.docx
Last year Angelina Jolie had a double mastectomy because of re.docxLast year Angelina Jolie had a double mastectomy because of re.docx
Last year Angelina Jolie had a double mastectomy because of re.docxfestockton
 
Leaders face many hurdles when leading in multiple countries. Ther.docx
Leaders face many hurdles when leading in multiple countries. Ther.docxLeaders face many hurdles when leading in multiple countries. Ther.docx
Leaders face many hurdles when leading in multiple countries. Ther.docxfestockton
 
Leaders today must be able to create a compelling vision for the org.docx
Leaders today must be able to create a compelling vision for the org.docxLeaders today must be able to create a compelling vision for the org.docx
Leaders today must be able to create a compelling vision for the org.docxfestockton
 
Law enforcement professionals and investigators use digital fore.docx
Law enforcement professionals and investigators use digital fore.docxLaw enforcement professionals and investigators use digital fore.docx
Law enforcement professionals and investigators use digital fore.docxfestockton
 
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docx
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docxLAW and Economics 4 questionsLaw And EconomicsTextsCoote.docx
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docxfestockton
 

More from festockton (20)

Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docx
Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docxLearning ResourcesRequired ReadingsToseland, R. W., & Ri.docx
Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docx
 
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docx
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docxLeamosEscribamos Completa el párrafo con las formas correctas de lo.docx
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docx
 
Leadership via vision is necessary for success. Discuss in detail .docx
Leadership via vision is necessary for success. Discuss in detail .docxLeadership via vision is necessary for success. Discuss in detail .docx
Leadership via vision is necessary for success. Discuss in detail .docx
 
Learning about Language by Observing and ListeningThe real.docx
Learning about Language by Observing and ListeningThe real.docxLearning about Language by Observing and ListeningThe real.docx
Learning about Language by Observing and ListeningThe real.docx
 
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docx
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docxLearning Accomplishment Profile-Diagnostic Spanish Language Edit.docx
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docx
 
Learning about Language by Observing and ListeningThe real voy.docx
Learning about Language by Observing and ListeningThe real voy.docxLearning about Language by Observing and ListeningThe real voy.docx
Learning about Language by Observing and ListeningThe real voy.docx
 
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docx
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docxLEARNING OUTCOMES1. Have knowledge and understanding of the pri.docx
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docx
 
Leadership Style What do people do when they are leadingAssignme.docx
Leadership Style What do people do when they are leadingAssignme.docxLeadership Style What do people do when they are leadingAssignme.docx
Leadership Style What do people do when they are leadingAssignme.docx
 
Leadership Throughout HistoryHistory is filled with tales of leade.docx
Leadership Throughout HistoryHistory is filled with tales of leade.docxLeadership Throughout HistoryHistory is filled with tales of leade.docx
Leadership Throughout HistoryHistory is filled with tales of leade.docx
 
Lean Inventory Management1. Why do you think lean inventory manage.docx
Lean Inventory Management1. Why do you think lean inventory manage.docxLean Inventory Management1. Why do you think lean inventory manage.docx
Lean Inventory Management1. Why do you think lean inventory manage.docx
 
Leadership varies widely by culture and personality. An internationa.docx
Leadership varies widely by culture and personality. An internationa.docxLeadership varies widely by culture and personality. An internationa.docx
Leadership varies widely by culture and personality. An internationa.docx
 
Leadership is the ability to influence people toward the attainment .docx
Leadership is the ability to influence people toward the attainment .docxLeadership is the ability to influence people toward the attainment .docx
Leadership is the ability to influence people toward the attainment .docx
 
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docx
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docxLawday. Court of Brightwaltham holden on Monday next after Ascension.docx
Lawday. Court of Brightwaltham holden on Monday next after Ascension.docx
 
law43665_fm_i-xx i 010719 1032 AMStakeholders, Eth.docx
law43665_fm_i-xx i 010719  1032 AMStakeholders, Eth.docxlaw43665_fm_i-xx i 010719  1032 AMStakeholders, Eth.docx
law43665_fm_i-xx i 010719 1032 AMStakeholders, Eth.docx
 
Leaders face many hurdles when leading in multiple countries. There .docx
Leaders face many hurdles when leading in multiple countries. There .docxLeaders face many hurdles when leading in multiple countries. There .docx
Leaders face many hurdles when leading in multiple countries. There .docx
 
Last year Angelina Jolie had a double mastectomy because of re.docx
Last year Angelina Jolie had a double mastectomy because of re.docxLast year Angelina Jolie had a double mastectomy because of re.docx
Last year Angelina Jolie had a double mastectomy because of re.docx
 
Leaders face many hurdles when leading in multiple countries. Ther.docx
Leaders face many hurdles when leading in multiple countries. Ther.docxLeaders face many hurdles when leading in multiple countries. Ther.docx
Leaders face many hurdles when leading in multiple countries. Ther.docx
 
Leaders today must be able to create a compelling vision for the org.docx
Leaders today must be able to create a compelling vision for the org.docxLeaders today must be able to create a compelling vision for the org.docx
Leaders today must be able to create a compelling vision for the org.docx
 
Law enforcement professionals and investigators use digital fore.docx
Law enforcement professionals and investigators use digital fore.docxLaw enforcement professionals and investigators use digital fore.docx
Law enforcement professionals and investigators use digital fore.docx
 
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docx
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docxLAW and Economics 4 questionsLaw And EconomicsTextsCoote.docx
LAW and Economics 4 questionsLaw And EconomicsTextsCoote.docx
 

Recently uploaded

POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 

Recently uploaded (20)

POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 

Assessment ArchitectureSecurity Assessment Plan (SAP) System Name.docx

  • 1. Assessment ArchitectureSecurity Assessment Plan (SAP) System Name: Universit y Admin OfficeStudent NameSection 1.1 - Provide a complete list of hardware consistent with the architecture diagram. List each asset/host individually by hostname or unique identifier. Baseline Hardware ListDevice Name (Unique Identifier)ManufacturerModel NumberFirmware / OSPurposeOptional Field: might include fields such as Building and Room, IP, Approval Status (using DISA approved HW list, Common Criteria certification, etc.)Router1CiscoISR 422115.5Perimeter RouterFirewall1CiscoISR42219.1(6)FirewallSwitch01 ans switch 2Cisco29608.0.3AccesssComputersDelloptiplex 7050Windows 10 SBHWorksationStorageHewleet PackardStoreEasyServer 2012 R2File Server*ADD ROWS AS NEEDED*Section 1.2 - Provide testable software components, such as IA-enabled applications and operating systems. Baseline Software ListManufacturerNameVersionFunctionOptional Field: might include fields such as Licence Expiration, Approval Status (using DISA approved SW list, Common Criteria certification, etc.)Adobe Acrobat Pro DCAcrobat19.010.20069Document CreationAdobe Flash PlayerAcrobat32.0.0.270playing media files onlineGoogle Chromegoogle77.0.3865.120browsing internetOracle java runtime environmetoraclejre-8u221-windows-x64.exeruning java applicationsMcAfee virus scan etrpriseAcrobat(VSE) 8.8.0 Patch 12scanning viruses in the systemMicrosoft Office 2016 standardMicrosoft2016creating ms fileaMicrosoft windows server 2012 R2 Members ServerMicrosoft2012server*ADD ROWS AS NEEDED*Section 1.3 - Provide a copy of the architecture diagram and complete the assessment location fields. [Text] is provided as sample content only, replace with system-specific content.Not required for Assignment: Architecture / Assessment Boundary DiagramsAssessment
  • 2. LocationEmbed (or provide separately) a copy of the architecture diagram used to develop this SAP. Do not reference an architecture diagram uploaded in eMASS as eMASS artifacts can be changed over time and, if changed, may invalidate this SAP. Changes to the architecture diagram require an update to the SAP and may require additional SCA review and approval. Consult the assigned SCA Liaison as needed. Embed Diagram Here:Location(s)Environment Type (Dropdown)Instructions: 1. Click on this cell 2. Choose 'Insert Object' 3. Use the 'Create From File' tab and locate file 4. Check the box 'Display as Icon' 5. Click 'OK'Operational EnvironmentOperational Environment Assessment MethodsRMF SAP Continued Section 2.0 - Complete all fields in this tab, ensuring consistency with the 'Assessment Architecture' tab. Section 2.1 - List each assessment method that will be executed as part of the Security Assessment Plan in the "Test Battery" column. List all hosts with the method that will be used to assess in the "Test Target" column; this field should include every target hostname, whenever applicable. Include the verification method that will be used by the validator and how the results/output will be captured in the corresponding fields. Requirements TraceabilityTest BatteryTest Target (Component, Software, Technology, or Policy)Verification Method (E) Examine, (I) Interview, (T) TestOutputNIST SP 800-53A Rev4 Security Controls Assessment Procedures for L – L – LSystemE, I, TProcedures and results will be captured in spreadsheet for each applicable security control assessment procedureAssured Compliance Assessment
  • 3. Solution (ACAS) Vulnerability scan(s)All assets TResults will be provided in nessus fileTraditional Security Technical Implementation Guide (STIG)systemE,I,TSTIG Viewer .ckl results will be provided Enclave Testing Security Technical Implementation Guide (STIG)SystemE, ISTIG Viewer .ckl results will be provided Network Perimeter Router L3 Switch STIG - Ver 8, Rel 32Router1E, I, TSTIG Viewer .ckl results will be provided gFirewall SRG - Ver 1, Rel 3Firewall1E, I, TSTIG Viewer .ckl results will be provided Network Layer 2 Switch STIG - Ver 8, Rel 27Switch01, Switch02E, I, TSTIG Viewer .ckl results will be provided *ADD ROWS AS NEEDED* Assessment Personnel & ScheduleRMF SAP Continued Section 3.0 - Complete all fields in this tabSection 3.1 - Provide a list of assigned personnel. Assessment PersonnelTitleNameTelephoneEmail AddressProgram ManagerValidatorSite/Program ISSMISSESystem Administrator*ADD ROWS AS NEEDED*Section 3.2 - Provide a schedule of assessment activities. [Text] is provided as sample content only, replace with system-specific content. Events can be modified as needed for each system and are
  • 4. provided only as suggestions.Assessment ScheduleDate(s)DurationEventAssessment Objectives Approval (Stakeholder concurrence)SETUP & CONNECTIVITYConfiguration VerificationAssessment Procedures Walkthrough and finalization of assessment execution detailsSetup and connectivity checksASSESSMENT EXECUTIONAssessment objective(s) under test (ex. Manual STIG checks of Windows 7 workstations for assessment procedure compliance) ACAS scanningRe-run tests as neededCombine Manual and Automated results (if applicable)Document raw resultsASSESSMENT REPORTSynchronize results with the Risk Assessment ReportIdentify False Positives and Misleading ResultsPerform Gap AnalysisExecute any additional testing identified in Gap AnalysisAdd vulnerabilities to Control Status Populate SAR / Perform Risk AnalysisUpdate POA&MArchive raw test data for submission ExceptionsRMF SAP Continued Section 4.0 - Review each question below and respond accordingly. Provide additional required information in column E as required. Yes or No (dropdown)Exceptions in TestingAdditional Information RequiredNoIs there a relationship between this SAP and other plans and documents? If yes, describe the related plans (e.g., Master Test Plan, Continuous Monitoring Strategy, etc.) here. YesAre there any Testing Limitations due to equipment, time,
  • 5. lab availability, system access, system admin availability, etc.? If yes, list them here. If discovered during the test event, document here at later date. Vulnerability scaner, pentration testers, network security audiing equipment, hex editors, NoAre there any Related Tests being performed as part of this assessment event? If yes, describe related tests (e.g., Penetration testing, Web Risk Assessments) Documentation format will be as follows: a. Test Title b. Date conducted c. Related system being tested d. Responsible Organization e. Impact on testing for this system or productYesAre there any Additional Test Considerations that need to be considered that have not previously been identified in this plan?If yes, describe here: The considered the best way through which the faults identifies could be corrected. NoAre Custom Test Cases required to complete this assessment?If yes, describe the driver (e.g., the absence of an applicable STIG or SRG for a system under test) behind the test cases and the method in which they were generated (e.g., developed using vendor hardening guidance, best practices, or other references as applicable). The preferred format is the DISA STIG format. All custom test cases are grouped by technology. If a custom test case is required it must be traced to an applicable security control and
have an assigned Severity Category based on criteria that shall also be documented here. All custom test cases will be grouped into distinctive test batteries and referenced in the Requirements Traceability table.

Security Test Report
RMF SAP Continued

Section 5.0 - This report provides additional information useful for documenting test events and any conditions or exceptions realized during the event that may require further review.

Section 5.1 - Complete all fields adequately identifying conditions of a test case indicating non-compliance, but determined to be incorrectly marked as an open finding (ex. False Positive). [Text] is provided as sample content only, replace with system-specific content.

False Positives
Source of Discovery or Test Tool Name | Test ID | Description of Vulnerability/Weakness | Comment | Trouble Ticket #
[ACAS] | [12345] | [System must use NTFS] | ACAS incorrectly identified multiple assets as not utilizing NTFS. Manual testing was performed and verified NTFS is correctly implemented and used. | DISA ACAS Helpdesk TT#123456
IDS | IDS-3427 | Must be installed in the network | The IDS sometimes fires an alarm even on legitimate activity in the network. | IDS helpdesk TT IDS_3427
Network scanner [Nmap] | NMAP-4876 | Requires disabling of the network security appliances | To run Nmap, all other security systems must be disabled; therefore, it can map out vulnerabilities that those systems prevent. | Security engineer NMAP-8976
*ADD ROWS AS NEEDED*

Section 5.2 - Complete all fields adequately identifying any misleading results. For a detailed explanation, see the reference tab. [Text] is provided as sample content only, replace with system-specific content.

Misleading Reports
Source of Discovery or Test Tool Name | Test ID | Description of Vulnerability/Weakness | Comment
[EXAMPLE: 800-53 Rev4 Controls] | [PE-3 CCI: 000919] | [The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.] | [Assessor initially marked this non-compliant based on information received from site personnel prior to site visit. Further review with Command Security Manager onsite revealed compliance with this control, as physical access is controlled and documented appropriately.]
Selenium | PE-5 BBc: 987078 | The organization website can be attacked and important data stolen. Not having enough security strategies can affect the system. | Selenium indicated the possible areas that an attacker could be interested in. Security management noted the security was up to date in the system.
TestComplete | TC-16 TCI: 876519 | This is software that monitors all actions on the computer. The vulnerabilities that this tool tests include network faults. | The tool reports false information on the testing. Also, most of the reports it generates include vulnerabilities that have already been corrected.
*ADD ROWS AS NEEDED*

Section 5.3 - Identify any exceptions to the assessment testing which occurred during the assessment in the box below. Provide a summary of the issue, background information and details of the exception.

Summary of Issue:

Background: Testing the system needs very good and efficient tools that can produce the best results. However, most of the available tools do not produce comprehensive results. Some of these tools can be used on all parts of the system. Therefore, dedicated tools are needed to find issues in the network. This can make the testing process time-consuming and expensive. Also, some of the tools cannot be relied on because they report false results on the system.

References
This tab is INFORMATIONAL ONLY, and provides reference material and educational information related to security assessment planning.

References: Reference documents used to support testing and prepare this plan include but are not limited to (check for updated versions of each):
a. DODI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014
b. Department of Defense (DoD) Cybersecurity Risk Assessment Guide, 22 April 2014
c. NIST SP 800-30 Rev1, Guide for Conducting Risk
Assessments, September 2012
d. NIST SP 800-53 Rev4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
e. NIST SP 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
h. DoDI 5000.02, Operation of the Defense Acquisition System, 7 January 2015
i. Risk Management Framework Process Guide, 4 August 2017
k. Test and Evaluation Master Plan (TEMP) or Master Test Plan (MTP) (if applicable)
l. Governing Instructions (specific to system under test, if applicable)

Assessment Objectives:
The system is to be evaluated for compliance with the applicable NIST SP 800-53 security controls, in support of the Risk Management Framework (RMF). Any exceptions must be noted and reported in the test report, and results of non-compliance shall be recorded in the system Risk Assessment Report (RAR) for analysis and inclusion with the Security Assessment Report (SAR). The ongoing findings will then be documented in the Plan of Action and Milestones (POA&M) for future mitigation or remediation.

Architecture Diagram:
A network diagram can be provided as a separate artifact but is required to be included with the SAP. This diagram serves as a snapshot-in-time representation of the network at the time of assessment. It should reflect the architecture that will be assessed and authorized (if applicable). Diagrams should clearly show connectivity and placement within the architecture. Each device shown should include IP address, unique identifier (ex. hostname), operating system, and function. It should be possible to verify all network connections physically based on the diagrams provided. All interconnections with assets outside of the boundary should be clearly marked and include references to other authorizations. Out-of-band (OOB) management network connectivity should also be included, with references to the authorization of the OOB network if it is separate from this effort.

Verification Methods:
Examine: The process of reviewing, inspecting, observing, studying or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
Interview: The process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.
Test: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

Assessment Targets:
Component, Software, Technology, or Policy

Satisfactory/Unsatisfactory (Sat/Unsat) Criteria:
Establishing Satisfactory/Unsatisfactory (Sat/Unsat) Criteria - Prior to the commencement of formal assessment, the configuration, Satisfactory/Unsatisfactory (Sat/Unsat) criteria, and the execution process must be fully documented by the assessment team, and approved by the system stakeholders through formal collaboration after Step 2 of the RMF process. The Sat/Unsat criterion for cybersecurity assessment differs slightly from functional testing. The goal of cybersecurity testing is to adequately assess security features implemented or required for each system, regardless of disposition. The security assessment results in findings identified as 'open', 'closed', or 'not applicable', combined with an associated raw risk level that is used later in the residual risk analysis, as opposed to a pass/fail method. To determine the success or failure of a test, the assessor will conduct any required data reduction or analysis and compare the actual results with the expected result. If an 'open' finding exists, the assessor must also ensure that the test adequately characterizes the risk level of the security feature being tested. All results of assessment procedures are documented in the respective test tool reporting format. All 'open' findings are then documented in the Risk Assessment Report (RAR) for further analysis. The findings are further evaluated to determine false positives and misleading results. Remaining findings are then assigned a raw risk category. All findings shall have a residual risk analysis performed, for each respective finding, and documented in the RAR. The findings, along with the established residual risk, are then documented in the Security Assessment Report (SAR) for review and concurrence by the SCA.

Entrance/Exit Criteria:
Entrance criteria include all conditions required to be met prior to starting test. These include:
a. Having completed the Assessment Architecture tab of this document
b. Having satisfactorily passed all functional tests
c. Having performed dry run(s) of assessment tests
d. Having all assets under assessment available to the assessor(s)
e. Having all requisite credential(s) and system access for assessment
f. Having identified data transfer requirements for exporting vulnerability test data from the system under assessment, if applicable
Exit criteria include those items that must be met prior to leaving RMF Step 4, Assess Security Controls. These include:
a. An established level of residual risk for all findings
b. An accurate characterization of all mitigations for each finding in the RAR
e. False positives and misleading results documented
f. Risk aggregation analysis performed
g. Risk Assessment Report (RAR) completed
h. Security Assessment Report (SAR) populated with all ongoing findings
i. Plan of Action and Milestones (POA&M) completed and updated
j. An established system-level residual risk

Logistics Support:
Resources, such as spare parts, documentation, transportation, training and the organizations providing them, may be required for assessment and must be planned for.

Qualifications/Certifications:
There may be several personnel qualifications required for RMF supporting roles, beyond the Validators. All qualifications and certifications should be reviewed by the PM/ISO before assigning personnel in this SAP.

Security:
The ISSM should address security to reinforce the importance of protecting classified material and ensuring the integrity of the assessment process.

False Positives:
False positives are a condition of a test case indicating non-compliance, but after further analysis it is determined that the test case incorrectly marked the finding as open. This is normally associated with automated testing methods and arises for a number of reasons. It is important to single out these conditions, record them for further review and provide feedback to test tool maintainers. This will increase the overall accuracy of future test events, and reduce the amount of work necessary to address the same conditions when testing is performed at other points in a system's lifecycle.

Misleading Results:
Misleading results are a condition that arises when the interpretation of an assessment procedure between testers is in conflict. This happens due to the complex nature of assessment procedures, a misunderstanding regarding the goal of the test case, or the use of a different method for determining compliance status. Misleading results are realized during further analysis of findings and a careful review of the test objective. Supporting details provided by testers will assist in the identification and resolution of these conditions. This will decrease the effort of future test events, and reduce the amount of work necessary to address the same conditions when testing is performed at other points in a system's lifecycle.

LOW IMPACT CONTROLS
RMF: Low Impact Controls
NIST LOW IMPACT CONTROLS

AC-3 Access Enforcement. Access control enables the organization to include in its systems a varied range of security controls to ensure a high level of access management. University Admin Office has a contract with Ekran System and ensures authentication by providing features that improve the company's account management system using access control policies. University Admin Office is fully compliant.

AT-2 Security Awareness Training. Awareness training requires the organization to formulate and implement an awareness program that ensures all staff members within the organization are trained on security measures. University Admin Office partnered with Ekran System to create proper online training materials and to ensure adequate training has been put in place to minimize risks. Inherited and compliant.

AU-1 Audit and Accountability Policy and Procedures. These policies and procedures enable the organization to establish a trusted or credible accountability system by performing continuous audits to detect the presence of threats. Ekran System provides University Admin Office with comprehensive user activity monitoring, to monitor the mitigation at all points. The company is fully compliant.

CA-1 Security Assessment and Authorization Policy and Procedures. Security Assessment and Authorization enables the organization to create a policy for developing and monitoring information security assessment across all its IT users and assets. University Admin Office has adopted this principle.

CM-1 Configuration Management Policy and Procedures. Configuration management is a systems engineering procedure that ensures consistency across all operational environments. The University has a contract with Pivotal Application Service (PAS) to ensure all its assets within the system are compliant to audit.

CP-1 Contingency Planning Policy and Procedures. Contingency Planning requires the organization to address the established procedures and policies in the CP control. The University ensures the procedures reflect the applicable federal laws.

IA-2 Identification and Authentication. This is a type of security control for uniquely identifying every user and device accessing your network. Ekran System provides multi-factor authentication (MFA) features to enable identification of each shared user. University Admin Office is fully compliant.

IR-5 Incident Monitoring. Incident Response requires the organization to protect sensitive information. The University Admin Office has a contract with Ekran System, which provides actionable tools to cater to this requirement. University Admin Office meets this requirement fully.

MA-2 Controlled Maintenance. This control requires the organization to perform regular maintenance of documents, records, and repairs of the information system in compliance with the vendor's specification. University Admin Office has a contract with PAS for all its activities and equipment, whether remote or on site. Fully compliant.

MP-2 Media Access. Media Protection requires the organization to protect and control information system media stored in the university office. University Admin Office has a contract with PCF for testing its assets and transporting information on digital and non-digital media. Fully compliant.

PE-6 Monitoring Physical Access. Physical and Environmental Protection requires the organization to provide a physical and environmental protection policy covering scope, management and responsibilities. The University complies fully with federal law.

PL-2 System Security Plan. Planning requires that the organization's System Security Plan (SSP) be properly planned and implemented to manage and secure information. We are fully compliant with the SSP.

PS-7 Third-Party Personnel Security. This control entails the implementation of procedures and policy for third-party security providers. University Admin Office partnered with ABC Securities and is compliant with the federal rule of law.

RA-3 Risk Assessment. Risk Assessment requires the organization to gather audit results, control testing, and both external and internal loss events, put together by the assessor for a defined set of data and systems. University Admin Office has a contract with ITL to monitor and develop tests for the system and data. We are fully compliant.

SA-4 Acquisition Process. This System and Services Acquisition control enables the organization to ensure service acquisition processes are secure in order to protect the network infrastructure against the threat of data loss. University Admin Office is compliant.

SC-1 System and Communications Protection Policy and Procedures. These policies and procedures enable the organization to establish a policy that ensures the development and maintenance of a system communication program. The University fully complies.

SI-1 System and Information Integrity Policy and Procedures. System and Information Integrity requires the organization to set information security standards to maximize the security and functionality of information across all assets, data, and encryption technology. We are compliant with this NIST control.
Prepared by: _________________________ Date: _________________________
Categorization for: ______________________________
Briefly describe system operation and purpose: (include general purpose, level/source of maintenance support, physical environment, sensitivity of information, access by public users)
List roles of authorized users: (include basic and privileged users, any public/client access, etc.)
Using NIST SP 800-60 Vol. II, list 3-5 information types created, processed, or stored on this system:
Number | Name | Impact: C | I | A (L, M, or H)
_______ | _________________________________________ | ____ | ____ | _____
_______ | _________________________________________ | ____ | ____ | _____
_______ | _________________________________________ | ____ | ____ | _____
_______ | _________________________________________ | ____ | ____ | _____
_______ | _________________________________________ | ____ | ____ | _____

Date: 09/14/2019
Your Name:
System name: University Administration Office
System Operations and Purpose: The purpose of the University Administration Office is to manage and coordinate all of the university's administrative functions. The office has an Admin website to manage Admissions, Degree Programs, University Events, and Financing Options. This office is also responsible for answering any administration-related questions, the safety and security of the university campus, and storing and protecting all financial documents and student records. The University IT department provides maintenance support for this portal, and the sensitivity of the data is protected. Only authorized admin personnel can access the admin office and the admin portal.
Authorized Roles: 5 full-time employees can access the University Administration Office, including the Admin portal. They are able to create, update, and delete any content on the admin portal. There are 2 system administrators from the IT department who have full access for any system maintenance activities. Other than the 5 full-time employees and 2 IT staff, the public has read access to this Admin portal.

Information Types (NIST SP 800-60 Vol. II):
Number | Name | C | I | A
C.3.1.1 | Facilities, Fleet, and Equipment Management Information Type | L | L | L
C.3.1.2 | Help Desk Services Information Type | L | L | L
C.3.1.3 | Security Management Information Type | M | M | L
C.3.5.3 | System Maintenance Information Type | L | M | L
C.3.5.4 | IT Infrastructure Maintenance Information Type | L | L | L

RMF Step 4: Assessment
In Step 4, the Assessor (or Validator) reviews all the artifacts provided to determine the risk to the system. All of these findings are presented in the Security Assessment Report (SAR). There are many complex versions available, both government and commercial. These are great references for major projects, but you do not need to go into that much detail.
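As an added worked example (not part of the original SAP), the following Python applies the FIPS 199 high-water-mark rule to the five SP 800-60 information types recorded in the worksheet above; the InfoType class, the function names and the system label are assumptions of this example, while the type numbers and L/M impact values are copied from the worksheet.

```python
# Added worked example (not part of the original SAP): derive the FIPS 199
# security categorization for the University Administration Office from the
# NIST SP 800-60 information types recorded in the worksheet above.
from dataclasses import dataclass

LEVEL_RANK = {"L": 0, "M": 1, "H": 2}           # FIPS 199 impact ordering
LEVEL_NAME = {0: "Low", 1: "Moderate", 2: "High"}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """One worksheet row: SP 800-60 Vol. II type number, name and C/I/A impact."""
    number: str
    name: str
    c: str
    i: str
    a: str

    def level(self, objective):
        return {"confidentiality": self.c, "integrity": self.i, "availability": self.a}[objective]

# Values copied from the worksheet above; C.3.x are SP 800-60 Vol. II identifiers.
UNIVERSITY_ADMIN_TYPES = [
    InfoType("C.3.1.1", "Facilities, Fleet, and Equipment Management", "L", "L", "L"),
    InfoType("C.3.1.2", "Help Desk Services", "L", "L", "L"),
    InfoType("C.3.1.3", "Security Management", "M", "M", "L"),
    InfoType("C.3.5.3", "System Maintenance", "L", "M", "L"),
    InfoType("C.3.5.4", "IT Infrastructure Maintenance", "L", "L", "L"),
]

def validate(info_types):
    """Reject rows whose impact is not L, M or H (a common worksheet defect)."""
    for t in info_types:
        for obj in OBJECTIVES:
            if t.level(obj) not in LEVEL_RANK:
                raise ValueError(f"{t.number}: bad {obj} impact {t.level(obj)!r}")

def high_water_mark(info_types, objective):
    """Highest impact assigned to one objective across all information types."""
    return LEVEL_NAME[max(LEVEL_RANK[t.level(objective)] for t in info_types)]

def drivers(info_types, objective):
    """Type numbers that set the high-water mark; an assessor must justify
    these rows if the provisional level is later adjusted."""
    top = max(LEVEL_RANK[t.level(objective)] for t in info_types)
    return [t.number for t in info_types if LEVEL_RANK[t.level(objective)] == top]

def categorize(info_types):
    """Per-objective levels plus the overall category (FIPS 200 rule: the
    highest of the three objective levels selects the SP 800-53 baseline)."""
    validate(info_types)
    result = {obj: high_water_mark(info_types, obj) for obj in OBJECTIVES}
    rank_of = {name: rank for rank, name in LEVEL_NAME.items()}
    result["overall"] = LEVEL_NAME[max(rank_of[result[o]] for o in OBJECTIVES)]
    return result

def fips199_statement(system, cat):
    """Render the categorization in the FIPS 199 notation used in an SSP."""
    return (f"SC {system} = {{(confidentiality, {cat['confidentiality']}), "
            f"(integrity, {cat['integrity']}), (availability, {cat['availability']})}}")

if __name__ == "__main__":
    cat = categorize(UNIVERSITY_ADMIN_TYPES)
    print(fips199_statement("University Administration Office", cat))
```

With these values the high-water mark comes out Moderate for confidentiality and integrity, so FIPS 200 would select the SP 800-53 moderate baseline; a decision to assess against the low baseline instead needs to be justified in the categorization record.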
FedRAMP Security Assessment Report (SAR) Template, General Services Administration
https://www.fedramp.gov/assets/resources/templates/FedRAMP-SAR-Template.docx
Tips for Creating a Strong Cybersecurity Assessment Report, Lenny Zeltser
https://zeltser.com/security-assessment-report-cheat-sheet/

Assignment Requirements
Write an original SAR that captures all the work you have conducted on your University Administration Office. Do not use the full FedRAMP template; as a minimum, you should include:
· An overview of your system - University Administration Office
· The scope and methodology of your assessment
· Your prioritized findings with recommended mitigations

Submission Requirements
Format: Microsoft Word
Font: Arial, 12-Point, Double-Space
Length: approximately 2-4 pages

Note: I have attached my previous RMF steps document for the University Admin Office