Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes

The following paragraphs are reproduced from NIST SP 800-53A Revision 1. This appendix can assist the security control assessor with defining the depth and coverage required for the assessment of each security control. It is recommended that the reader verify that this information is accurate and up to date by validating it on the NIST website.

Examine Assessment Method

ASSESSMENT METHOD: Examine

ASSESSMENT OBJECTS: Specifications (e.g., policies, plans, procedures, system requirements, designs)

Mechanisms (e.g., functionality implemented in hardware, software, firmware)

Activities (e.g., system operations, administration, management, exercises)

DEFINITION: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.

SUPPLEMENTAL GUIDANCE: Typical assessor actions may include, for example: reviewing information security policies, plans, and procedures; analyzing system design documentation and interface specifications; observing system backup operations, reviewing the results of contingency plan exercises; observing incident response activities; studying technical manuals and user/administrator guides; checking, studying, or observing the operation of an information technology mechanism in the information system hardware/software; or checking, studying, or observing physical security measures related to the operation of an information system.

ATTRIBUTES: Depth, Coverage

 The depth attribute addresses the rigor of and level of detail in the examination process. There are three possible values for the depth attribute: (i) basic; (ii) focused; and (iii) comprehensive.

 Basic examination: Examination that consists of high-level reviews, checks, observations, or inspections of the assessment object. This type of examination is conducted using a limited body of evidence or documentation (e.g., functional-level descriptions for mechanisms; high-level process descriptions for activities; and actual documents for specifications). Basic examinations provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors.

 Focused examination: Examination that consists of high-level reviews, checks, observations, or inspections and more in-depth studies/analyses of the assessment object. This type of examination is conducted using a substantial body of evidence or documentation (e.g., functional-level descriptions and, where appropriate and available, high-level design information for mechanisms; high-level process descriptions and implementation procedures for activities; and the actual documents and related documents for specifications). Focused examinations provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive examination: Examination that consists of high-level reviews, checks, observations, or inspections and more in-depth, detailed, and thorough studies/analyses of the assessment object. This type of examination is conducted using an extensive body of evidence or documentation (e.g., functional-level descriptions and, where appropriate and available, high-level design information, low-level design information, and implementation information for mechanisms; high-level process descriptions and detailed implementation procedures for activities; and the actual documents and related documents for specifications).[1] Comprehensive examinations provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

 The coverage attribute addresses the scope or breadth of the examination process and includes the types of assessment objects to be examined, the number of objects to be examined (by type), and specific objects to be examined. There are three possible values for the coverage attribute: (i) basic, (ii) focused, and (iii) comprehensive.

 Basic examination: Examination that uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors.

 Focused examination: Examination that uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive examination: Examination that uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

Interview Assessment Method

ASSESSMENT METHOD: Interview

ASSESSMENT OBJECTS: Individuals or groups of individuals.

DEFINITION: The process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.

SUPPLEMENTAL GUIDANCE: Typical assessor actions may include, for example, interviewing agency heads, chief information officers, senior agency information security officers, authorizing officials, information owners, information system and mission owners, information system security officers, information system security managers, personnel officers, human resource managers, facilities managers, training officers, information system operators, network and system administrators, site managers, physical security officers, and users.

ATTRIBUTES: Depth, Coverage

 The depth attribute addresses the rigor of and level of detail in the interview process. There are three possible values for the depth attribute: (i) basic; (ii) focused; and (iii) comprehensive.

 Basic interview: Interview that consists of broad-based, high-level discussions with individuals or groups of individuals. This type of interview is conducted using a set of generalized, high-level questions. Basic interviews provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors.

 Focused interview: Interview that consists of broad-based, high-level discussions and more in-depth discussions in specific areas with individuals or groups of individuals. This type of interview is conducted using a set of generalized, high-level questions and more in-depth questions in specific areas where responses indicate a need for more in-depth investigation. Focused interviews provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive interview: Interview that consists of broad-based, high-level discussions and more in-depth, probing discussions in specific areas with individuals or groups of individuals. This type of interview is conducted using a set of generalized, high-level questions and more in-depth, probing questions in specific areas where responses indicate a need for more in-depth investigation. Comprehensive interviews provide a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

 The coverage attribute addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type), and specific individuals to be interviewed.[2] There are three possible values for the coverage attribute: (i) basic; (ii) focused; and (iii) comprehensive.

 Basic interview: Interview that uses a representative sample of individuals in key organizational roles to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors.

 Focused interview: Interview that uses a representative sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive interview: Interview that uses a sufficiently large sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

Test Assessment Method

ASSESSMENT METHOD: Test

ASSESSMENT OBJECTS: Mechanisms (e.g., hardware, software, firmware)

Activities (e.g., system operations, administration, management, exercises)

DEFINITION: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.[3]

SUPPLEMENTAL GUIDANCE: Typical assessor actions may include, for example: testing access control, identification and authentication, and audit mechanisms; testing security configuration settings; testing physical access control devices; conducting penetration testing of key information system components; testing information system backup operations; testing incident response capability; and exercising contingency planning capability.

ATTRIBUTES: Depth, Coverage

 The depth attribute addresses the types of testing to be conducted. There are three possible values for the depth attribute: (i) basic testing; (ii) focused testing; and (iii) comprehensive testing.

 Basic testing: Test methodology (also known as black box testing) that assumes no knowledge of the internal structure and implementation detail of the assessment object. This type of testing is conducted using a functional specification for mechanisms and a high-level process description for activities. Basic testing provides a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors.

 Focused testing: Test methodology (also known as gray box testing) that assumes some knowledge of the internal structure and implementation detail of the assessment object. This type of testing is conducted using a functional specification and limited system architectural information (e.g., high-level design) for mechanisms and a high-level process description and high-level description of integration into the operational environment for activities. Focused testing provides a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive testing: Test methodology (also known as white box testing) that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. This type of testing is conducted using a functional specification, extensive system architectural information (e.g., high-level design, low-level design) and implementation representation (e.g., source code, schematics) for mechanisms and a high-level process description and detailed description of integration into the operational environment for activities. Comprehensive testing provides a level of understanding of the security control necessary for determining whether the control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.

 The coverage attribute addresses the scope or breadth of the testing process and includes the types of assessment objects to be tested, the number of objects to be tested (by type), and specific objects to be tested.[4] There are three possible values for the coverage attribute: (i) basic; (ii) focused; and (iii) comprehensive.

 Basic testing: Testing that uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors.

 Focused testing: Testing that uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are increased grounds for confidence that the control is implemented correctly and operating as intended.

 Comprehensive testing: Testing that uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security control is implemented and free of obvious errors and whether there are further increased grounds for confidence that the control is implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the control.


[1] While additional documentation is likely for mechanisms when moving from basic to focused to comprehensive examinations, the documentation associated with specifications and activities may be the same or similar for focused and comprehensive examinations, with the rigor of the examinations of these documents being increased at the comprehensive level.

[2] The organization, considering a variety of factors (e.g., available resources, importance of the assessment, the organization's overall assessment goals and objectives), confers with assessors and provides direction on the type, number, and specific individuals to be interviewed for the particular attribute value described.

[3] Testing is typically used to determine if mechanisms or activities meet a set of predefined specifications. Testing can also be performed to determine characteristics of a security control that are not commonly associated with predefined specifications, with an example of such testing being penetration testing. Guidelines for conducting penetration testing are provided in Appendix E.

[4] The organization, considering a variety of factors (e.g., available resources, importance of the assessment, the organization's overall assessment goals and objectives), confers with assessors and provides direction on the type, number, and specific objects to be tested for the particular attribute value described. For mechanism-related testing, the coverage attribute also addresses the extent of the testing conducted (e.g., for software, the number of test cases and modules tested; for hardware, the range of inputs, number of components tested, and range of environmental factors over which the testing is conducted).
