NIST SP 800-53A Introductory Course v1 Download
Course Authority
Information in this course should be applied in accordance with legislative guidelines, standards,
and requirements established by the Federal Government and your organization.
In accordance with its statutory authorities, NIST maintains a research information center to support the research, publishing, and preservation needs
required to fulfill the scientific and technical mission of NIST. NIST makes its RMF Introductory Course available to interested parties as a public service.
Pursuant to 17 USC 105, works authored by NIST employees are not subject to Copyright protection within the United States; foreign rights are reserved on
behalf of the Secretary of Commerce. To the extent that NIST may hold copyright or other rights in countries other than the United States, you are hereby
granted the non-exclusive irrevocable and unconditional right to print, publish, prepare derivative works, and distribute, in any medium, or authorize
others to do so on your behalf, on a royalty-free basis throughout the world. Downloads are made available as a courtesy of NIST. Please provide
appropriate attribution to NIST, the creator of the courses.
The RMF Introductory Course is provided “AS IS.” NIST makes NO WARRANTY of any kind, express or implied or statutory, including without limitation, the
implied warranty of merchantability, fitness for a particular purpose, non-infringement or data accuracy.
Permission to use this material is contingent upon your acceptance of these terms.
Software Disclaimer
NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may
improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice
stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the
software.
NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE
OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING
THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs
of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in
any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.
A brief overview on how to navigate through the course, when delivered via the NIST CSRC website:
• The course outline is shown in the left-hand navigation bar
• A keyword search is available, but you will only be able to access slides you have already viewed.
  • The recommended use of this search function is after you have completed the course and would like to refer to a particular topic.
• In the upper right-hand corner, there are two items of note: Marker Tools and Notes
  • Clicking “Marker Tools” allows you to “mark up” (e.g., highlight, underline) your version of the presentation slide, if you wish to do so
  • Clicking “Notes” displays the written script of the audio track on that particular slide
• Under the main presentation slide, on the left-hand side:
  • A Play/Pause button for the slide currently displayed
  • A timer for the current slide, as well as a replay button, volume control, and full-screen toggle button
• Under the main presentation slide, on the right-hand side:
  • Navigate backward to slides you have already viewed using the “Prev” button
  • Navigate forward to return to your current position in the course using the “Next” button
  • Note that you cannot navigate forward to slides you have not yet seen
• The Accessibility icon is in the upper left-hand corner of the presentation window
At any time, you can leave the course and resume from where you left off; just be sure to enable cookies for this website in your browser.
This course is provided by the National Institute of Standards and Technology and is available free of charge at https://nist.gov/rmf
Course Structure
Course Goal
Gain familiarity with the security and privacy control assessment processes including
• Developing and tailoring an assessment plan
• Conducting an assessment using the assessment plan
• Reporting assessment results to facilitate risk-based decision making
Learning Objectives
After completing this course, you will be able to
• Describe the purpose of the security and privacy control assessment
• Explain how control assessments can support an organization’s risk management program
Control Assessment
The testing or evaluation of the controls in an information system or an organization to determine the extent
to which the controls are implemented correctly, operating as intended, and producing the desired outcome
with respect to meeting the security or privacy requirements for the system or the organization.
Provides
• Consistent and repeatable approach to conducting control assessments
Enables
• Collection of information necessary to determine the effectiveness of implemented controls
• Customized planning of a control assessment to meet specific organizational needs
• Creation of complete, reliable, and trustworthy information to support risk management decisions
Supports
• Risk Management Framework (RMF) Assess and Monitor Steps
Module 1: The Fundamentals
Lesson 1: Assessment Procedures
Potential Assessment Methods
Potential Assessment Objects
Potential Assessment Methods and Objects
Depth- and coverage-related considerations

DEPTH addresses the rigor and level of detail of the assessment; COVERAGE addresses the scope or breadth of the assessment.

BASIC ASSESSMENT
  Depth: High-level, using a limited amount of evidence
  Coverage: Uses a representative sample of assessment objects
FOCUSED ASSESSMENT
  Depth: In-depth analyses using a substantial amount of evidence
  Coverage: Uses a representative sample plus additional assessment objects deemed important to the assessment objectives
COMPREHENSIVE ASSESSMENT
  Depth: Detailed and thorough analyses using an extensive amount of evidence
  Coverage: Sufficiently large sample plus additional assessment objects deemed important to the assessment objectives
Potential Assessment Methods and Objects
EXAMINE
INTERVIEW
TEST
Assessment Objectives
Determination Statements
Determination statements are linked to the content of the control for traceability of assessment results back to the control items.

SP 800-53 Control:
AC-17 REMOTE ACCESS
Control:
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.

SP 800-53A Control Assessment Objective (assessment objective identifiers on the left, determination statements on the right):
AC-17 REMOTE ACCESS
ASSESSMENT OBJECTIVE:
Determine if:
AC-17a.[01] usage restrictions are established and documented for each type of remote access allowed;
AC-17a.[02] configuration/connection requirements are established and documented for each type of remote access allowed;
AC-17a.[03] implementation guidance is established and documented for each type of remote access allowed;
AC-17b. each type of remote access to the system is authorized prior to allowing such connections.
Assessment Objectives
Determination Statements for ODP statements
Determination statements provide for distinct Organization-Defined Parameter (ODP) statements.

SP 800-53A Control Assessment Objective (the ODP assessment objective identifiers MP-07_ODP[nn] carry the determination statements for the [Assignment] and [Selection] statements; the control's own determination statements then reference those ODP identifiers):
MP-07 MEDIA USE
ASSESSMENT OBJECTIVE:
Determine if:
MP-07_ODP[01] types of system media to be restricted or prohibited from use on systems or system components are defined;
MP-07_ODP[02] one of the following PARAMETER VALUES is selected: {restrict; prohibit};
MP-07_ODP[03] systems or system components on which the use of specific types of system media is to be restricted or prohibited are defined;
MP-07_ODP[04] controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;
MP-07a. the use of <MP-07_ODP[01] types of system media> is <MP-07_ODP[02] SELECTED PARAMETER VALUE> on <MP-07_ODP[03] systems or system components> using <MP-07_ODP[04] controls>;
MP-07b. the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
Assessment Procedure Examples
Separating Security and Privacy Impacts

CM-4 IMPACT ANALYSES
Control: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

CM-04 IMPACT ANALYSES
ASSESSMENT OBJECTIVE:
Determine if:
CM-04[01] changes to the system are analyzed to determine potential security impacts prior to change implementation;
CM-04[02] changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
(The determination statements separate security impacts from privacy impacts.)
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-04-Examine [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; privacy impact assessment; privacy risk assessment documentation; system design documentation; analysis tools and associated outputs; change control records; system audit records; system security plan; privacy plan; other relevant documents or records].
CM-04-Interview [SELECT FROM: Organizational personnel with responsibility for conducting security impact analyses; organizational personnel with responsibility for conducting privacy impact analyses; organizational personnel with information security and privacy responsibilities; system developer; system/network administrators; members of change control board or similar].
CM-04-Test [SELECT FROM: Organizational processes for security impact analyses; organizational processes for privacy impact analyses].
(The potential assessment objects likewise differentiate between security and privacy objects.)
Assessment Procedure Examples
Organization Defined Parameters

CM-2 BASELINE CONFIGURATION
Control:
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
  1. [Assignment: organization-defined frequency];
  2. When required due to [Assignment: organization-defined circumstances]; and
  3. When system components are installed or upgraded.
(Each bracketed [Assignment: ...] is an ODP assignment or selection statement.)

CM-02 BASELINE CONFIGURATION
ASSESSMENT OBJECTIVE:
Determine if:
Assessment Procedure Examples
Selectable Organization-Defined Parameter

MP-7 MEDIA USE
Control:
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
(The [Selection: ...] and [Assignment: ...] text are ODP assignment or selection statements; the braces in the assessment objective list the PARAMETER VALUES.)

MP-07 MEDIA USE
ASSESSMENT OBJECTIVE:
Determine if:
MP-07_ODP[01] types of system media to be restricted or prohibited from use on systems or system components are defined;
MP-07_ODP[02] one of the following PARAMETER VALUES is selected: {restrict; prohibit};
Assessment Procedure Examples
Embedded Organization Defined Parameter

CA-3 INFORMATION EXCHANGE
Control:
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
(A selection statement with an assignment statement as a possible parameter value.)

CA-03 INFORMATION EXCHANGE
ASSESSMENT OBJECTIVE:
Determine if:
CA-03_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; <CA-03_ODP[02] type of agreement>};
CA-03_ODP[02] the type of agreement used to approve and manage the exchange of information is defined (if selected);
CA-03_ODP[03] the frequency at which to review and update agreements is defined;
CA-03a. the exchange of information between the system and other systems is approved and managed using <CA-03_ODP[01] SELECTED PARAMETER VALUE(S)>;
CA-03b.[01] the interface characteristics are documented as part of each exchange agreement;
(CA-03_ODP[01] through CA-03_ODP[03] are the ODP assessment objective identifiers. CA-03_ODP[02] is the embedded assignment statement, defined only if selected. CA-03a. references the ODP with its SELECTED PARAMETER VALUE(S) in the determination statement.)
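The ODP mechanism on these slides (assignment and selection ODPs, an embedded assignment that is defined only if selected, and determination statements that reference the SELECTED PARAMETER VALUE) is small enough to model as a template renderer plus a checker for the ODP determination statements. The following Python is an added example, not code from the NIST course or from NIST. The ODP identifiers, parameter values and statement text for MP-07 and CA-03 are copied from the slides; the Odp data class, the placeholder regular expression, the "not applicable (not selected)" label for an unselected embedded assignment, and the organization's parameter values in ORG_VALUES are this example's own assumptions and are constructed for illustration.

```python
"""Render SP 800-53A determination statements from organization-defined
parameter (ODP) values and evaluate the ODP determination statements.
Added example, not from the NIST course. ODP identifiers and statement text
for MP-07 and CA-03 are quoted from the slides; ORG_VALUES is constructed."""
import re
from dataclasses import dataclass, field

SAT, OTHER = "satisfied", "other than satisfied"
# Placeholder form used on the slides, e.g. <MP-07_ODP[01] types of system media>
PLACEHOLDER = re.compile(r"<([A-Z]{2}-\d{2}_ODP\[\d{2}\])[^>]*>")


@dataclass
class Odp:
    """One organization-defined parameter from an assessment objective."""
    odp_id: str
    kind: str                   # "assignment" or "selection"
    choices: tuple = ()         # allowed PARAMETER VALUES for a selection
    one_or_more: bool = False   # "Selection (one or more)" vs. exactly one
    embedded: dict = field(default_factory=dict)  # choice -> embedded assignment ODP id


def _picks(value):
    """Normalise an organization value to a list (assignments are single strings)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_odps(odps, values):
    """Evaluate the '... is selected' / '... is defined' ODP determination statements
    and return {odp_id: finding}. An embedded assignment ODP is required only when
    its enclosing choice was selected (the 'if selected' rule on the CA-03 slide)."""
    findings, required = {}, set()
    embedded_ids = {e for o in odps for e in o.embedded.values()}
    for odp in (o for o in odps if o.kind == "selection"):
        picks = _picks(values.get(odp.odp_id))
        ok = bool(picks) and all(p in odp.choices for p in picks)
        if not odp.one_or_more and len(picks) != 1:
            ok = False              # "one of the following" means exactly one
        findings[odp.odp_id] = SAT if ok else OTHER
        required.update(odp.embedded[p] for p in picks if p in odp.embedded)
    for odp in (o for o in odps if o.kind == "assignment"):
        if odp.odp_id in embedded_ids and odp.odp_id not in required:
            findings[odp.odp_id] = "not applicable (not selected)"  # this example's label
        else:
            findings[odp.odp_id] = SAT if values.get(odp.odp_id) else OTHER
    return findings


def render(template, odps, values):
    """Substitute each <ODP ...> placeholder with the organization's value(s).
    A selected choice carrying an embedded assignment is rendered as that
    assignment's defined value; several selected values are joined with ';'."""
    by_id = {o.odp_id: o for o in odps}

    def expand(match):
        odp, out = by_id[match.group(1)], []
        for p in _picks(values.get(odp.odp_id)):
            inner = odp.embedded.get(p)
            out.append((values.get(inner) or f"<{inner} undefined>") if inner else p)
        return "; ".join(out) or f"<{odp.odp_id} undefined>"

    return PLACEHOLDER.sub(expand, template)


# ODPs and determination statements as printed on the slides
MP07_ODPS = [
    Odp("MP-07_ODP[01]", "assignment"),
    Odp("MP-07_ODP[02]", "selection", choices=("restrict", "prohibit")),
    Odp("MP-07_ODP[03]", "assignment"),
    Odp("MP-07_ODP[04]", "assignment"),
]
MP07_A = ("the use of <MP-07_ODP[01] types of system media> is "
          "<MP-07_ODP[02] SELECTED PARAMETER VALUE> on "
          "<MP-07_ODP[03] systems or system components> using "
          "<MP-07_ODP[04] controls>")

CUSTOM = "organization-defined type of agreement"   # the embedded [Assignment]
CA03_ODPS = [
    Odp("CA-03_ODP[01]", "selection", one_or_more=True,
        choices=("interconnection security agreements",
                 "information exchange security agreements",
                 "memoranda of understanding or agreement",
                 "service level agreements", "user agreements",
                 "non-disclosure agreements", CUSTOM),
        embedded={CUSTOM: "CA-03_ODP[02]"}),
    Odp("CA-03_ODP[02]", "assignment"),
    Odp("CA-03_ODP[03]", "assignment"),
]
CA03_A = ("the exchange of information between the system and other systems is "
          "approved and managed using <CA-03_ODP[01] SELECTED PARAMETER VALUE(S)>")

# Constructed organization values (hypothetical; CA-03_ODP[03] deliberately left undefined)
ORG_VALUES = {
    "MP-07_ODP[01]": "USB mass-storage devices",
    "MP-07_ODP[02]": "prohibit",
    "MP-07_ODP[03]": "all workstations in the HR enclave",
    "MP-07_ODP[04]": "endpoint device-control policy",
    "CA-03_ODP[01]": ["interconnection security agreements", CUSTOM],
    "CA-03_ODP[02]": "cloud provider data-sharing agreements",
}
```

Running check_odps before render mirrors the order of the determination statements on the slides: the ODP statements ("... is defined", "... is selected") have to be satisfied before the control's own statement (MP-07a., CA-03a.) can even be stated concretely, and an undefined parameter such as CA-03_ODP[03] shows up as an "other than satisfied" ODP finding, while an undefined embedded assignment also leaves an "<... undefined>" gap in the rendered statement. Values substitute literally, so "is prohibit on" reads exactly as the slide's SELECTED PARAMETER VALUE placeholder implies.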
Assessment Procedure Updates
Lesson 2: Assessments within the SDLC
Security and privacy control assessments can be carried out throughout the SDLC.
SDLC phases: Development/Acquisition; Implementation; Operations and Maintenance.
• Security- and privacy-related weaknesses and deficiencies identified early in the SDLC can be resolved more quickly and cost-effectively than deficiencies identified in subsequent phases of the life cycle
• Following initial authorization, verify that the security and privacy controls continue to be effective in the operational environment and protect against constantly evolving risks
• Assessment procedures can support the Information Security Continuous Monitoring (ISCM) strategy
Lesson 3: Building an Effective Assurance Case
Assurance
Assurance Case
A structured set of arguments and a body of evidence showing that a system satisfies specific claims with
respect to a given quality attribute.
Evidence
NOTE
The level of detail in development artifacts can affect the
type of testing, evaluation, and analysis conducted throughout the SDLC
Module 2: The Assessment Process
Lesson 1: Prepare for Control Assessments
Preparation activities:
• Define purpose of the assessment
• Ensure suitable organizational communication channels
• Establish technical expertise
• Provide secure access
• Detail what is being assessed
• Determine required level of assessor independence
• Address assessment cost issues
• Deliver using secure transport
Assessment Team Preparation
Receive and Review Artifacts
• Secure and protect artifacts
• Understand operations and architectures
• Request additional artifacts
Identify Points of Contact
• Organization officials
• Common control providers
• Assessment-specific contacts
Develop Assessment Plan
• Include controls from the security and privacy plans
• Tailor assessment procedures
Lesson 2: Develop Security and Privacy Assessment Plans
Steps for Developing Assessment Plans
1. Determine Controls to be Assessed
2. Select and Tailor Assessment Procedures
3. Develop Additional Assessment Procedures
4. Optimize Assessment Procedures
5. Finalize Assessment Plan
6. Obtain Plan Approval
NOTE
An assessment plan may include objectives and scope, key system and organization
participants and authorities, assessment team members, and logistical details
Determine Controls to be Assessed
Determination Steps
• Complete assessment: Select all controls in security or privacy plan
• Partial assessment: Organization defines selection of controls to assess
• Common control assessment:
o Identify inheritable controls supplied by the common control provider
o Select all inheritable controls or organization-defined selection of controls
Select and Tailor Assessment Procedures
Tailoring Considerations
• Assessment Methods and Objects
• Depth and Coverage Attributes
• Common Controls and Control Inheritance
• System-, Platform-, or Organization-specific Dependencies
• Reuse of Assessment Evidence
• Adjust for External Providers
NOTE
The tailoring of the assessment procedures is a distinct process
from the tailoring of control baselines discussed in SP 800-53B
Develop Additional Assessment Procedures
Development Steps
• Organization-specific controls
o Address policies, unique requirements or specific risks that are not addressed
by SP 800-53 controls
• Customize assessment procedures for organization-specific controls
following SP 800-53A guidance
o Assessment objectives and determination statements
o Assessment methods
o Assessment objects
• Include custom assessment procedures in assessment plan
Optimize Assessment Procedures
Optimization Considerations
• Combining and consolidating assessment procedures
• Define a sequence for the assessment of controls
• Reuse assessment information for related controls
Finalize Assessment Plan
Lesson 3: Conduct Security and Privacy Control Assessments
Assessment Findings
Assessment Findings
The execution of a determination statement within an assessment procedure by an assessor that results in
either a satisfied or other than satisfied condition.
Report Assessment Findings
Lesson 4: Analyze Assessment Report Results
(Figure: risk response options, including Share/Transfer and Avoid)
NOTE
Only the authorizing official can accept risk on behalf of the organization.
Related Topics
Assess Security and Privacy Capabilities
Capability
A combination of mutually reinforcing security and/or privacy controls implemented by technical means,
physical means, and procedural means. Such controls are typically selected to achieve a common
information security- or privacy-related purpose.
(Figure: a capability composed of multiple controls, e.g., Control 2, Control 3)
Penetration Testing
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or
defeat the security features of a system.