
Assessing Security and Privacy Controls in Information Systems and Organizations

Introductory Course
April 2024

Based on NIST Special Publication (SP) 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations

Course Authority
Information in this course should be applied in accordance with legislative guidelines, standards,
and requirements established by the Federal Government and your organization.

This course is provided by the National Institute of Standards and Technology and is available free of charge at https://nist.gov/rmf
Terms of Use and Software Disclaimer

In accordance with its statutory authorities, NIST maintains a research information center to support the research, publishing, and preservation needs
required to fulfill the scientific and technical mission of NIST. NIST makes its RMF Introductory Course available to interested parties as a public service.
Pursuant to 17 USC 105, works authored by NIST employees are not subject to Copyright protection within the United States; foreign rights are reserved on
behalf of the Secretary of Commerce. To the extent that NIST may hold copyright or other rights in countries other than the United States, you are hereby
granted the non-exclusive irrevocable and unconditional right to print, publish, prepare derivative works, and distribute, in any medium, or authorize
others to do so on your behalf, on a royalty-free basis throughout the world. Downloads are made available as a courtesy of NIST. Please provide
appropriate attribution to NIST, the creator of the courses.
The RMF Introductory Course is provided “AS IS.” NIST makes NO WARRANTY of any kind, express or implied or statutory, including without limitation, the
implied warranty of merchantability, fitness for a particular purpose, non-infringement or data accuracy.
Permission to use this material is contingent upon your acceptance of these terms.
Software Disclaimer
NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may
improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice
stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the
software.
NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE
OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING
THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs
of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in
any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.

Course Navigation Instructions

A brief overview of how to navigate through the course, when delivered via the NIST CSRC website:
• The course outline is shown in the left-hand navigation bar
• A keyword search is available, but you will only be able to access slides you have already viewed
  o The recommended use of this search function is for after you have completed the course and would like to refer to a particular topic
• In the upper right-hand corner, there are two items of note: Marker Tools and Notes
  o Clicking “Marker Tools” allows you to “mark up” (e.g., highlight, underline) your version of the presentation slide, if you wish to do so
  o Clicking “Notes” displays the written script of the audio track on that particular slide
• Under the main presentation slide, on the left-hand side:
  o A Play/Pause button for the slide currently displayed
  o A timer for the current slide, as well as a replay button, volume control, and full-screen toggle button
• Under the main presentation slide, on the right-hand side:
  o Navigate backward to slides you have already viewed using the “Prev” button
  o Navigate forward, to return to your current position in the course, using the “Next” button
  o Note that you cannot navigate forward to slides you have not yet seen
• The Accessibility icon is in the upper left-hand corner of the presentation window

At any time, you can leave the course and resume from where you left off in the
course – just be sure to enable cookies for this website in your browser.
Course Structure

Completing the entire course should take approximately 60 minutes


• Introduction
• Module 1: The Fundamentals
• Module 2: The Assessment Process
• Related Topics
• Conclusion
• Supplemental Material
• Additional Resources

Course Goal and Learning Objectives

Course Goal
Gain familiarity with the security and privacy control assessment processes including
• Developing and tailoring an assessment plan
• Conducting an assessment using the assessment plan
• Reporting assessment results to facilitate risk-based decision making

Learning Objectives
After completing this course, you will be able to
• Describe the purpose of the security and privacy control assessment
• Explain how control assessments can support an organization’s risk management program

Course Target Audience

Target audience for this course
• All individuals that have an interest in security and privacy risk management strategies
• Individuals responsible for validating the effectiveness of the implementation of security and privacy controls
• Key participants responsible for security and privacy risk management processes, including the selection, implementation, assessment, and monitoring of controls needed to achieve a cost-effective and risk-based security and privacy program

Introduction to Security and Privacy Control Assessments

Control Assessment
The testing or evaluation of the controls in an information system or an organization to determine the extent
to which the controls are implemented correctly, operating as intended, and producing the desired outcome
with respect to meeting the security or privacy requirements for the system or the organization.

What is a control assessment?
• Information gathering process used to evaluate the effectiveness of implemented controls included in the security and privacy plans
• Method for identifying security and privacy strengths and weaknesses
• Assessment result reporting helps the organization prioritize risk response decisions and activities
• Not a compliance checklist or pass/fail paperwork exercise for inspections or audits

NIST SP 800-53A Purpose

Provides
• Consistent and repeatable approach to conducting control assessments

Enables
• Collection of information necessary to determine the effectiveness of implemented controls
• Customized planning of a control assessment to meet specific organizational needs
• Creation of complete, reliable, and trustworthy information to support risk management decisions

Supports
• Risk Management Framework (RMF) Assess and Monitor Steps

Module 1: The Fundamentals

Objectives for this module


• Demonstrate how assessment procedures are structured and organized
• Explain how assessment objectives are derived
• Review the impact of assessments in different phases of the System Development Life Cycle (SDLC)
• Understand how assessments can establish a basis for confidence about the effectiveness of implemented
controls

Lesson 1: Assessment Procedures
Objects, Methods, and Objectives
An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects

Potential Assessment Objects: the specific items being assessed
Potential Assessment Methods: define the nature of the assessor actions
Assessment Objectives: include one or more determination statements linked to the content of the SP 800-53 control

NOTE
Potential assessment methods are used to evaluate the potential assessment objects, which provides the information necessary to determine whether the assessment objectives have been achieved

Potential Assessment Methods

Potential Assessment Methods
• Examine
• Interview
• Test

MP-07 MEDIA USE
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MP-07-Examine [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; rules of behavior; system design documentation; system configuration settings and associated documentation; audit records; system security plan; other relevant documents or records].
MP-07-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators].
MP-07-Test [SELECT FROM: Organizational processes for preventive maintenance; mechanisms supporting and/or implementing preventive maintenance].

Potential Assessment Objects

Potential Assessment Objects
• Specifications
• Mechanisms
• Activities
• Individuals

MP-07 MEDIA USE
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MP-07-Examine [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; rules of behavior; system design documentation; system configuration settings and associated documentation; audit records; system security plan; other relevant documents or records].
MP-07-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators].
MP-07-Test [SELECT FROM: Organizational processes for preventive maintenance; mechanisms supporting and/or implementing preventive maintenance].

Potential Assessment Methods and Objects
Depth- and coverage-related considerations

DEPTH addresses the rigor and level of detail of the assessment; COVERAGE addresses the scope or breadth of the assessment

BASIC ASSESSMENT
  Depth: High-level, using a limited amount of evidence
  Coverage: Uses a representative sample of assessment objects
FOCUSED ASSESSMENT
  Depth: In-depth analyses using a substantial amount of evidence
  Coverage: Uses a representative sample plus additional assessment objects deemed important to the assessment objectives
COMPREHENSIVE ASSESSMENT
  Depth: Detailed and thorough analyses using an extensive amount of evidence
  Coverage: Sufficiently large sample plus additional assessment objects deemed important to the assessment objectives

Potential Assessment Methods and Objects

Analogy: medical check-up (figure relating the three assessment methods EXAMINE, INTERVIEW, and TEST to a check-up)

Assessment Objectives
Determination Statements
Determination statements are linked to content of the control for traceability of assessment results back to the control items

SP 800-53 Control
AC-17 REMOTE ACCESS
Control:
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.

SP 800-53A Control Assessment Objective (assessment objective identifiers and determination statements)
AC-17 REMOTE ACCESS
ASSESSMENT OBJECTIVE:
Determine if:
AC-17a.[01] usage restrictions are established and documented for each type of remote access allowed;
AC-17a.[02] configuration/connection requirements are established and documented for each type of remote access allowed;
AC-17a.[03] implementation guidance is established and documented for each type of remote access allowed;
AC-17b. each type of remote access to the system is authorized prior to allowing such connections.

Assessment Objectives
Determination Statements for ODP statements
Determination statements provide for distinct Organization-Defined Parameter (ODP) [Assignment] and [Selection] statements

SP 800-53A Control Assessment Objective
MP-07 MEDIA USE
ASSESSMENT OBJECTIVE:
Determine if:
ODP assessment objective identifiers:
MP-07_ODP[01] types of system media to be restricted or prohibited from use on systems or system components are defined;
MP-07_ODP[02] one of the following PARAMETER VALUES is selected: {restrict; prohibit};
MP-07_ODP[03] systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;
MP-07_ODP[04] controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;
Determination statements (with references to the ODP identifiers):
MP-07a. the use of <MP-07_ODP[01] types of system media> is <MP-07_ODP[02] SELECTED PARAMETER VALUE> on <MP-07_ODP[03] systems or system components> using <MP-07_ODP[04] controls>;
MP-07b. the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

Assessment Procedure Examples
Separating Security and Privacy Impacts

CM-4 IMPACT ANALYSES
Control: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

CM-04 IMPACT ANALYSES
ASSESSMENT OBJECTIVE:
Determine if:
CM-04[01] changes to the system are analyzed to determine potential security impacts prior to change implementation;
CM-04[02] changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
(The determination statements separate security impacts from privacy impacts)

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-04-Examine [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; privacy impact assessment; privacy risk assessment documentation; system design documentation; analysis tools and associated outputs; change control records; system audit records; system security plan; privacy plan; other relevant documents or records].
CM-04-Interview [SELECT FROM: Organizational personnel with responsibility for conducting security impact analyses; organizational personnel with responsibility for conducting privacy impact analyses; organizational personnel with information security and privacy responsibilities; system developer; system/network administrators; members of change control board or similar].
CM-04-Test [SELECT FROM: Organizational processes for security impact analyses; organizational processes for privacy impact analyses].
(The potential assessment objects differentiate between security and privacy objects)

Assessment Procedure Examples
Organization-Defined Parameters

CM-2 BASELINE CONFIGURATION
Control:
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
   1. [Assignment: organization-defined frequency];
   2. When required due to [Assignment: organization-defined circumstances]; and
   3. When system components are installed or upgraded.
(The [Assignment] statements are ODP assignment or selection statements)

CM-02 BASELINE CONFIGURATION
ASSESSMENT OBJECTIVE:
Determine if:
ODP assessment objective identifiers:
CM-02_ODP[01] the frequency of baseline configuration review and update is defined;
CM-02_ODP[02] the circumstances requiring baseline configuration review and update are defined;
Determination statements (with references to the ODP identifiers):
CM-02a.[01] a current baseline configuration of the system is developed and documented;
CM-02a.[02] a current baseline configuration of the system is maintained under configuration control;
CM-02b.01 the baseline configuration of the system is reviewed and updated <CM-02_ODP[01] frequency>;
CM-02b.02 the baseline configuration of the system is reviewed and updated when required due to <CM-02_ODP[02] circumstances>;
CM-02b.03 the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.

Assessment Procedure Examples
Selectable Organization-Defined Parameter

MP-7 MEDIA USE
Control:
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
(The [Selection] and [Assignment] statements are ODP assignment or selection statements; the [Selection] lists the PARAMETER VALUES)

MP-07 MEDIA USE
ASSESSMENT OBJECTIVE:
Determine if:
ODP assessment objective identifiers:
MP-07_ODP[01] types of system media to be restricted or prohibited from use on systems or system components are defined;
MP-07_ODP[02] one of the following PARAMETER VALUES is selected: {restrict; prohibit};
MP-07_ODP[03] systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;
MP-07_ODP[04] controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;
Determination statements (with a reference to the ODP PARAMETER VALUES):
MP-07a. the use of <MP-07_ODP[01] types of system media> is <MP-07_ODP[02] SELECTED PARAMETER VALUE> on <MP-07_ODP[03] systems or system components> using <MP-07_ODP[04] controls>;
MP-07b. the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

Assessment Procedure Examples
Embedded Organization-Defined Parameter

CA-3 INFORMATION EXCHANGE
Control:
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
(A selection statement with an assignment statement as a possible parameter value)

CA-03 INFORMATION EXCHANGE
ASSESSMENT OBJECTIVE:
Determine if:
ODP assessment objective identifiers:
CA-03_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; <CA-03_ODP[02] type of agreement>};
CA-03_ODP[02] the type of agreement used to approve and manage the exchange of information is defined (if selected);
(Embedded assignment statement, defined only if selected)
CA-03_ODP[03] the frequency at which to review and update agreements is defined;
Determination statements (with a reference to the ODP SELECTED PARAMETER VALUE(S)):
CA-03a. the exchange of information between the system and other systems is approved and managed using <CA-03_ODP[01] SELECTED PARAMETER VALUE(S)>;
CA-03b.[01] the interface characteristics are documented as part of each exchange agreement;
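The ODP mechanics on the MP-07 and CA-03 slides above (a [Selection] whose parameter values are fixed, and a selection whose choices include an embedded [Assignment] that only has to be defined if it is selected) can be checked mechanically before an assessor renders the determination statements against a system's plan. The following Python is an added example, not NIST code and not part of this course: the Odp/Procedure data model, the validate and render functions, and the sample ODP values are assumptions; the identifiers, parameter values and statement templates are taken from the slides.

```python
"""Resolve organization-defined parameters (ODPs) into SP 800-53A determination
statements.  Added example, not NIST code: the Odp/Procedure model, function names and
sample ODP values are assumptions; identifiers and templates follow the MP-07/CA-03 slides."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Odp:
    ident: str              # e.g. "MP-07_ODP[02]"
    kind: str               # "assignment" or "selection"
    allowed: tuple = ()     # selection choices; an entry may be an embedded ODP id
    multi: bool = False     # True for "Selection (one or more)"
    depends_on: str = ""    # embedded assignment: required only if that selection picks it


@dataclass(frozen=True)
class Procedure:
    control: str
    odps: tuple             # Odp instances
    statements: dict        # statement id -> template containing <ODP_ID text> references


# Matches a reference such as <MP-07_ODP[02] SELECTED PARAMETER VALUE>
ODP_REF = re.compile(r"<([A-Z]{2}-\d{2}_ODP\[\d{2}\])[^>]*>")


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def validate(proc, values):
    """Return the list of problems; an empty list means every needed ODP is defined."""
    problems = []
    for odp in proc.odps:
        # An embedded assignment is only required when its id is among the selected values
        if odp.depends_on and odp.ident not in _as_list(values.get(odp.depends_on, [])):
            continue
        if odp.ident not in values:
            problems.append(f"{odp.ident} is not defined")
            continue
        if odp.kind == "selection":
            chosen = _as_list(values[odp.ident])
            if not chosen:
                problems.append(f"{odp.ident}: at least one parameter value must be selected")
            elif len(chosen) > 1 and not odp.multi:
                problems.append(f"{odp.ident}: exactly one parameter value must be selected")
            for choice in chosen:
                if choice not in odp.allowed:
                    problems.append(
                        f"{odp.ident}: '{choice}' is not among {{{'; '.join(odp.allowed)}}}")
    return problems


def render(proc, values):
    """Substitute the defined ODP values into every determination statement template."""
    problems = validate(proc, values)
    if problems:
        raise ValueError("; ".join(problems))
    by_id = {odp.ident: odp for odp in proc.odps}

    def text_for(ident):
        # A selected embedded assignment appears as its own id; expand it to its defined value
        return "; ".join(values[c] if c in by_id else c for c in _as_list(values[ident]))

    return {sid: ODP_REF.sub(lambda m: text_for(m.group(1)), template)
            for sid, template in proc.statements.items()}


MP_07 = Procedure("MP-07 MEDIA USE", odps=(
    Odp("MP-07_ODP[01]", "assignment"),
    Odp("MP-07_ODP[02]", "selection", allowed=("restrict", "prohibit")),
    Odp("MP-07_ODP[03]", "assignment"),
    Odp("MP-07_ODP[04]", "assignment")),
    statements={"MP-07a.": "the use of <MP-07_ODP[01] types of system media> is "
                           "<MP-07_ODP[02] SELECTED PARAMETER VALUE> on <MP-07_ODP[03] systems "
                           "or system components> using <MP-07_ODP[04] controls>;"})

CA_03 = Procedure("CA-03 INFORMATION EXCHANGE", odps=(
    Odp("CA-03_ODP[01]", "selection", multi=True, allowed=(
        "interconnection security agreements", "information exchange security agreements",
        "memoranda of understanding or agreement", "service level agreements",
        "user agreements", "non-disclosure agreements",
        "CA-03_ODP[02]")),                      # the embedded assignment statement
    Odp("CA-03_ODP[02]", "assignment", depends_on="CA-03_ODP[01]")),
    statements={"CA-03a.": "the exchange of information between the system and other systems "
                           "is approved and managed using <CA-03_ODP[01] SELECTED PARAMETER VALUE(S)>;"})

# Constructed sample ODP values, as a hypothetical system security plan might define them
SAMPLE_MP_07 = {"MP-07_ODP[01]": "USB mass storage devices", "MP-07_ODP[02]": "prohibit",
                "MP-07_ODP[03]": "all workstations and servers",
                "MP-07_ODP[04]": "endpoint device-control policy"}
SAMPLE_CA_03 = {"CA-03_ODP[01]": ["service level agreements", "CA-03_ODP[02]"],
                "CA-03_ODP[02]": "data sharing agreements"}

if __name__ == "__main__":
    for proc, vals in ((MP_07, SAMPLE_MP_07), (CA_03, SAMPLE_CA_03)):
        print(proc.control, render(proc, vals))
    # A value outside the published parameter values is caught before rendering
    print(validate(MP_07, {**SAMPLE_MP_07, "MP-07_ODP[02]": "discourage"}))
```

The validation step mirrors the "defined (if selected)" wording of CA-03_ODP[02]: the embedded assignment is only demanded when its identifier is among the selected values of CA-03_ODP[01], and a selection that is empty, doubled where only one value is allowed, or outside the published set is reported as a gap before any determination statement is rendered.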

Assessment Procedure Updates

Publication guidance and assessment procedure changes are based on


• Information on the tactics, techniques, and procedures used by adversaries
• Changes to guidance, controls, and control enhancements in the SP 800-53 control
catalog

Lesson 2: Assessments within the SDLC

Security and privacy control assessments can be carried out throughout the SDLC

Development/Acquisition and Implementation
• Security- and privacy-related weaknesses and deficiencies identified early in the SDLC can be resolved more quickly and cost-effectively than deficiencies identified in subsequent phases of the life cycle

Operations and Maintenance
• Following initial authorization, verify that the security and privacy controls continue to be effective in the operational environment and protect against constantly evolving risks
• Assessment procedures can support the Information Security Continuous Monitoring (ISCM) strategy

Disposal
• Ensure that important organizational information, including personally identifiable information, is purged from the system prior to disposal and that organizational retention schedules are followed

Lesson 3: Building an Effective Assurance Case
Assurance

Assurance Case
A structured set of arguments and a body of evidence showing that a system satisfies specific claims with
respect to a given quality attribute.

Building an Assurance Case
• Compile evidence to justify confidence in security and privacy control effectiveness
• Obtain evidence through
  o Implementation of system controls
  o Implementation of inherited controls
  o Assessment of control implementations

Assurance Case Demonstrates
• Components
  o Reliable and trustworthy
  o Strength of functionality
• Controls
  o Implemented correctly
  o Operating as intended
  o Producing the desired outcome

Evidence

Actions during the development and operation of systems produce security and privacy evidence

Development Environment
• Functional specifications
• System design documentation
• Results of testing and code analysis

Operational Environment
• Records of remediation actions
• Results of continuous monitoring activities
• Results of security incident reporting (including breaches involving PII)

NOTE
The level of detail in development artifacts can affect the
type of testing, evaluation, and analysis conducted throughout the SDLC

Module 2: The Assessment Process

Objectives for this module


• Review how an organization/system and assessment team prepare and plan for an assessment
• Explain the expected outcomes for assessment procedures
• Provide a structure for reporting the assessment findings, recommendations, and results
• Discuss how assessment results are analyzed to inform response actions for reported weaknesses

Assessment process (the four lessons of this module):
1. Prepare for Security and Privacy Control Assessments
2. Develop Security and Privacy Assessment Plans
3. Conduct Security and Privacy Control Assessments
4. Analyze Assessment Report Results

Lesson 1: Prepare for Security and Privacy Control Assessments
System/Organization Preparation

Establish Objective and Scope
• Define purpose of the assessment
• Detail what is being assessed
• Define time frame for assessment and milestones

Select Assessment Team
• Ensure suitable technical expertise
• Determine required level of assessor independence

Allocate Resources
• Establish organizational communication channels
• Address assessment cost issues

Provide Artifacts
• Provide secure access
• Deliver using secure transport

Assessment Team Preparation

Receive and Review Artifacts
• Secure and protect artifacts
• Understand operations and architectures
• Request additional artifacts

Develop Assessment Plan
• Include controls from the security and privacy plans
• Tailor assessment procedures

Identify Points of Contact
• Organization officials
• Common control providers
• Assessment-specific contacts

Lesson 2: Develop Security and Privacy Assessment Plans
Steps for Developing Assessment Plans

1. Determine Controls to be Assessed
2. Select and Tailor Assessment Procedures
3. Develop Additional Assessment Procedures
4. Optimize Assessment Procedures
5. Finalize Assessment Plan
6. Obtain Plan Approval
NOTE
An assessment plan may include objectives and scope, key system and organization
participants and authorities, assessment team members, and logistical details

Determine Controls to be Assessed

Assessor selects the security or privacy controls identified in the security or privacy plan that support the purpose of the assessment

Determination Steps
• Complete assessment: Select all controls in security or privacy plan
• Partial assessment: Organization defines selection of controls to assess
• Common control assessment:
o Identify inheritable controls supplied by the common control provider
o Select all inheritable controls or organization-defined selection of controls

Select and Tailor Assessment Procedures

Assessor selects and tailors the assessment procedures in SP 800-53A for each control and control enhancement included in the assessment

Tailoring Considerations
• Assessment Methods and Objects
• Depth and Coverage Attributes
• Common Controls and Control Inheritance
• System-, Platform-, or Organization-specific Dependencies
• Reuse of Assessment Evidence
• Adjust for External Providers
NOTE
The tailoring of the assessment procedures is a distinct process
from the tailoring of control baselines discussed in SP 800-53B

Develop Additional Assessment Procedures

Assessor develops assessment procedures for controls or control enhancements not included in the SP 800-53 control catalog

Development Steps
• Organization-specific controls
o Address policies, unique requirements or specific risks that are not addressed
by SP 800-53 controls
• Customize assessment procedures for organization-specific controls
following SP 800-53A guidance
o Assessment objectives and determination statements
o Assessment methods
o Assessment objects
• Include custom assessment procedures in assessment plan

Optimize Assessment Procedures

Assessor optimizes the assessment procedures to save time, reduce assessment costs, and maximize efforts in conducting the assessment

Optimization Considerations
• Combine and consolidate assessment procedures
• Define a sequence for the assessment of controls
• Reuse assessment information for related controls

Finalize Assessment Plan

Appropriate organization officials approve the final assessment plan before the assessment team is authorized to conduct the assessment

Plan Approval Authorities
• System owner
• Authorizing official
• Other approval authorities
o Common control providers
o System security officers/privacy officers
o Senior agency information security officers
o Senior agency officials for privacy

Final Assessment Plan
• Assessment scope and purpose
• Assessment procedures
• Resources allocated for the assessment
• System participants
• Assessment team members
• Logistical details
o Assessment locations
o Schedule and milestones

Lesson 3: Conduct Security and Privacy Control Assessments

Assessment objectives are achieved by applying designated assessment methods to selected assessment objects

Execute Plan
• Assess implementations against the organization's security and privacy requirements, not directly against the NIST guidance
• Compile the evidence necessary to make the determination for each assessment objective
o Collected evidence fully supports findings

Communication
• Maintain the assessment scope
• Facilitate discussions during the assessment
o Clarify observations
o Explain weaknesses
o Request additional evidence

Assessment Findings

Assessment Findings
The execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.

Satisfied (S)
• For the portion of the control addressed by the determination statement, assessor:
o Determines that the assessment objective for the control has been met and produces a fully acceptable result

Other than Satisfied (O)
• For the portion of the control addressed by the determination statement, assessor:
o Identifies potential anomalies in the operation or implementation
o Is unable to obtain sufficient information to make the determination
o Recommends possible risk responses based on expertise and technical judgement

Report Assessment Findings

Assessment Report
• Documents findings and recommendations
• Conveys results of control assessments
• Included in the authorization package

NOTE
Governance, Risk, and Compliance (GRC) applications may support the ability of management to identify broader security and privacy trends across the organization

Key Elements for Reporting
• System name
• Security categorization
• Site(s) assessed and assessment date(s)
• Assessor's name/identification
• Previous assessment results (if reused)
• Control or control enhancement designator
• Selected assessment methods and objects
• Depth and coverage attribute values
• Assessment finding summary
o Indicating "satisfied" or "other than satisfied"
• Assessor comments
o Weaknesses or deficiencies noted
• Assessor recommendations
o Priorities, remediation, corrective actions, or improvements

Lesson 4: Analyze Assessment Report Results

Review assessment findings to understand the identified risks and to determine risk responses

• Update authorization package artifacts
o Security and privacy plans
o Security and privacy assessment reports
• Prepare plan of action and milestones (POA&M)

Risk Responses (figure): Accept, Reduce/Mitigate, Share/Transfer, Avoid

NOTE
Only the authorizing official can accept risk on behalf of the organization risk management program

Related Topics
Assess Security and Privacy Capabilities
Capability
A combination of mutually reinforcing security and/or privacy controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security- or privacy-related purpose.

Benefits of assessing capabilities
• Supports root cause analysis
• Helps define optimization of the resource expenditures (e.g., frequency and level of effort)
• Adds a level of precision in assessments for supporting the continuous monitoring strategies

(Figure: a Capability that satisfies a set of Security/Privacy Requirements is composed of Control 1, Control 2, and Control 3)

Ongoing Assessments and Automation Support
Information Security Continuous Monitoring (ISCM)
• Develop continuous monitoring plan for ongoing assessment
• Establish processes to quickly identify and respond to weaknesses

Automation Support for Control Assessments


• Determine what security and privacy controls can be tested using automated methods
• Understand how automatable testing can be used to understand the desired state, actual state, and defects of a control implementation
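The desired-state / actual-state / defect model in the bullets above, together with the satisfied (S) and other than satisfied (O) findings from the Assessment Findings slide, can be shown as a small automated check. This is added example code, not part of the NIST course: it compares constructed per-host configuration evidence against constructed ODP values for SP 800-53 AC-7 (Unsuccessful Logon Attempts) and records one S/O finding per parameter, treating missing evidence as a defect because no determination can be made without it. The host names, ODP values and determination identifiers are assumptions.

```python
import operator
from dataclasses import dataclass, field

# Desired state: ODP values assigned in the system security plan. Constructed
# sample for SP 800-53 AC-7; the values themselves are assumptions.
# Each entry: parameter -> (comparison the actual value must satisfy, ODP value).
DESIRED_STATE = {
    "max_failed_attempts": ("<=", 5),   # at most 5 consecutive invalid attempts
    "attempt_window_min": (">=", 15),   # counted over a window of at least 15 minutes
    "lockout_min": (">=", 30),          # account locked for at least 30 minutes
}

# Actual state: configuration evidence collected from each host (constructed sample).
ACTUAL_STATE = {
    "web-01": {"max_failed_attempts": 5, "attempt_window_min": 15, "lockout_min": 30},
    "web-02": {"max_failed_attempts": 10, "attempt_window_min": 15, "lockout_min": 30},
    "db-01": {"max_failed_attempts": 3, "attempt_window_min": 20},  # no lockout evidence
}

OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}


@dataclass
class Finding:
    determination: str                       # constructed determination identifier
    status: str                              # "S" or "O"
    defects: list = field(default_factory=list)


def assess(desired, actual, control="AC-7"):
    """One finding per parameter: "S" only if every host supplies evidence that
    satisfies the ODP comparison; missing evidence is recorded as a defect."""
    findings = []
    for param, (op, want) in desired.items():
        finding = Finding(f"{control}[{param}]", "S")
        for host, cfg in sorted(actual.items()):
            if param not in cfg:
                finding.defects.append(f"{host}: no evidence for {param}")
            elif not OPS[op](cfg[param], want):
                finding.defects.append(f"{host}: {param}={cfg[param]}, required {op} {want}")
        if finding.defects:
            finding.status = "O"
        findings.append(finding)
    return findings


def summarize(findings):
    """Count S and O determinations for the assessment finding summary."""
    return {s: sum(1 for f in findings if f.status == s) for s in ("S", "O")}
```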

Penetration Testing

Penetration Testing
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.

Methodology
• Controlled attempt to breach the security and privacy controls employed within the system using the attacker's techniques and appropriate hardware and software tools
• Results represent efforts of a specific assessor or group of assessors at a specific point in time using agreed-upon rules of engagement

Rules of Engagement
• Specify components subject to penetration testing
• Define attacker's profile to be adopted throughout the testing exercises
• List attack techniques and exploitable vulnerabilities used during the exercises

Conclusion

NIST SP 800-53A Key Takeaways


• Assessment verifies that controls are implemented correctly, operating as intended, and producing the desired outcome
• Assessment plan identifies
o Assessment objectives, potential assessment methods, and potential assessment objects
o Selected and implemented security and privacy controls from the security and privacy plans
o ODP values assigned by the organization in the system security and privacy plan
• Assessment report supports management risk responses and risk decision-making
o Assessor findings are an unbiased, factual reporting of the observed implementation
o Update control implementation details in security plans and privacy plans
o Manage POA&Ms for addressing control weaknesses

Supplemental Material

NIST SP 800-53A Publication


• Current revision and supplemental materials:
https://csrc.nist.gov/Projects/risk-management/publications
• Resources for Implementers: https://nist.gov/rmf/sp800-53-controls
• Downloads: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/downloads

NIST SP 800-53 Public Comment Site


• https://nist.gov/rmf/sp800-53-controls

NIST RMF Publications


• https://nist.gov/rmf

Additional Resources

NIST Computer Security Resource Center


• https://csrc.nist.gov

Cybersecurity and Privacy Reference Tool (CPRT)


• https://csrc.nist.gov/projects/cprt/catalog#/cprt/home

Open Security Controls Assessment Language (OSCAL)


• https://nist.gov/oscal

You have now completed the
Assessing Security and Privacy Controls in
Information Systems and Organizations Introductory Course

Request for Feedback


If you have questions or comments regarding this course, email sec-cert@nist.gov

Additional RMF courses: https://csrc.nist.gov/projects/risk-management/rmf-courses
