
Assessment Cases for Special Publication 800-53A
Initial Public Draft

COMMENTS REQUESTED

The Initial Public Draft (IPD) of the assessment cases is offered for public comment. Your comments and feedback are important to improving the applicability and usefulness of assessment cases in meeting the needs of our customers. Reviewers are asked to comment on both specific action steps within each assessment case and on cross-case consistency. Comments on the IPD Assessment Cases should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov.

BACKGROUND

The Assessment Case Project represents the efforts of an inter-agency workgroup led by the Department of Justice (DOJ) with representatives from the National Institute of Standards and Technology (NIST), the Department of Energy (DOE), the Department of Transportation (DOT), and the Office of the Director of National Intelligence Office CIO (ODNI-CIO). The purpose of this activity was to provide a multi-agency recommendation for the specific actions an assessor might perform in order to obtain the evidence necessary for making the determinations identified in the assessment procedures in NIST Special Publication 800-53A. These assessment procedures have been developed by NIST to assist organizations in determining the effectiveness of the security controls in their information systems. Security controls are defined in NIST Special Publication 800-53.

The intent of the assessment cases is to provide helpful information, and deliberately not to limit the flexibility of an assessor in applying his or her own judgment as to the ‘right’ set of assessor actions for assessing a control in a specific information system or organization. Rather, the assessment cases provide worked examples for organizations to use in developing their assessment plans.

ASSESSMENT CASE OVERVIEW

The assessment case supplements the information from SP 800-53A by adding two sections, “Potential Assessment Sequencing” and “Potential Assessor Evidence Gathering Actions”. These sections are described below. In addition, the assessment case authors provided “Notes to the Assessor” with information the working group felt may be helpful to better understand the intent of the control or to more efficiently or effectively assess the control.

Potential Assessment Sequencing

The purpose of this section is to help facilitate more efficient, and hence cost-effective, assessment by identifying other control assessments whose sequencing should be considered relative to the assessment of this control. Specifically, this section provides guidance on the following:

Precursor Controls: Controls that should be assessed prior to assessing this control. That is, controls whose assessment will likely produce information that is either required in order to make the determinations of this assessment or helpful in doing so.
Concurrent Controls: Controls whose assessments involve applying the same method to the same object (or objects) as this assessment. That is, there is potential for cost savings by accomplishing the information gathering for multiple assessment cases in one application of the assessment method to a set of objects.
Successor Controls: Controls that should be assessed after assessing this control. That is, controls whose assessment will likely either require, or find helpful, the information from this assessment.
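The three relations above define a dependency graph over the controls to be assessed, from which an assessor can derive an order. As an added illustration (not part of the NIST assessment cases), the following Python computes an assessment sequence that respects every precursor relation, batches concurrent controls so one application of the method covers both, and flags a circular precursor dependency. The control identifiers and relations in SAMPLE_CASES are constructed sample data, not the relations in the published cases.

```python
from collections import defaultdict, deque

# Constructed sample input: hypothetical precursor/concurrent relations among
# control identifiers, for illustration only (not the published assessment cases).
SAMPLE_CASES = {
    "AC-1": {"precursors": [], "concurrent": []},
    "AC-2": {"precursors": ["AC-1"], "concurrent": ["AC-3"]},
    "AC-3": {"precursors": ["AC-1"], "concurrent": ["AC-2"]},
    "AU-2": {"precursors": ["AC-2"], "concurrent": []},
}

def plan_sequence(cases):
    """Return assessment batches ordered so every precursor is assessed first.
    Controls marked concurrent with each other share a batch once their
    precursors are done, so one application of the method can serve both.
    Raises ValueError for an unknown or circular precursor reference."""
    # Successor is the inverse of precursor, so it is derived, not input.
    indegree = {c: 0 for c in cases}
    successors = defaultdict(list)
    for ctrl, rel in cases.items():
        for pre in rel["precursors"]:
            if pre not in cases:
                raise ValueError(f"{ctrl} names unknown precursor {pre}")
            successors[pre].append(ctrl)
            indegree[ctrl] += 1
    # Kahn's algorithm; sorting keeps the output deterministic.
    ready = deque(sorted(c for c, d in indegree.items() if d == 0))
    ordered = []
    while ready:
        ctrl = ready.popleft()
        ordered.append(ctrl)
        for suc in sorted(successors[ctrl]):
            indegree[suc] -= 1
            if indegree[suc] == 0:
                ready.append(suc)
    if len(ordered) != len(cases):
        stuck = sorted(c for c, d in indegree.items() if d > 0)
        raise ValueError(f"circular precursor dependency among {stuck}")
    # Batch concurrent partners whose own precursors are already covered.
    batches, placed = [], set()
    for ctrl in ordered:
        if ctrl in placed:
            continue
        batch, placed = [ctrl], placed | {ctrl}
        for partner in sorted(cases[ctrl]["concurrent"]):
            if partner not in placed and all(p in placed for p in cases[partner]["precursors"]):
                batch.append(partner)
                placed.add(partner)
        batches.append(batch)
    return batches
```

For the sample data this yields `[["AC-1"], ["AC-2", "AC-3"], ["AU-2"]]`: AC-1 first, its two dependants gathered in one pass, then the control that needs AC-2's results.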

Potential Assessor Evidence Gathering Actions

The purpose of this section is to provide the set of assessment methods (examine, interview, or test) and associated objects that will cost-effectively enable making the required determinations. For each determination to be made, a series of ‘Assessor Action Steps’ is identified. Each action step is the application of an identified assessment method to an identified set of objects, and includes both an indication of the level of rigor to be applied and the specific information to be obtained from that action step. These action steps represent the consensus of an inter-agency working group as to a set of methods and objects (drawing from the perhaps broader set of ‘Potential’ Methods and Objects identified in SP 800-53A) that are likely to be sufficient and cost-effective in gathering the information needed to make the required determinations.

The action verbs identified in SP 800-53A, Appendix D, in the definition of the examine method are employed in the Action Steps of the Assessment Cases to indicate level of rigor as follows:

Examine documentation – ‘reading’:

Review is used for the ‘generalized’ level of rigor; that is, a high-level examination looking for required content and for any obvious errors, omissions, or inconsistencies.

Study is used for the ‘focused’ level of rigor; that is, an examination that includes the intent of ‘review’ and adds a more in-depth examination for greater evidence to support a determination of whether the document has the required content and is free of errors, omissions, and inconsistencies.

Analyze is used for the ‘detailed’ level of rigor; that is, an examination that includes the intent of both ‘review’ and ‘study’; adding a thorough and detailed analysis for significant grounds for confidence in the determination of whether required content is present and the document is correct, complete, and consistent.

Examine activities and mechanisms – ‘watching’:

Observe is used for the ‘generalized’ level of rigor; that is, watching the execution of an activity or process or looking directly at a mechanism (as opposed to reading documentation produced by someone other than the assessor about that mechanism) for the purpose of seeing whether the activity or mechanism appears to operate as intended (or in the case of a mechanism, perhaps is configured as intended) and whether there are any obvious errors, omissions, or inconsistencies in the operation or configuration.

Inspect is used for the ‘focused’ level of rigor; that is, adding to the watching associated with ‘observe’ an active investigation to gain further grounds for confidence in the determination of whether the activity or mechanism is operating as intended and is free of errors, omissions, or inconsistencies.

Analyze, while not currently used in the assessment cases for activities and mechanisms, is available for use for the ‘detailed’ level of rigor; that is, adding to the watching and investigation of ‘observe’ and ‘inspect’ a thorough and detailed analysis of the information to develop significant grounds for confidence in the determination as to whether the activity or mechanism is operating as intended and is free of errors, omissions, or inconsistencies. Analysis achieves this by both leading to further observations and inspections and by a greater understanding of the information obtained from the examination.

Download page for the Assessment Cases.