SP 800-53A - Assessing Security and Privacy Controls in Information Systems

Security and privacy assessments can be carried out throughout system development life cycle phases to increase grounds for confidence that the security and privacy controls employed within or inherited by a system are effective in their application.

Security and privacy assessments conducted in pre-operational system development life cycle phases include design and code reviews, application scanning, regression testing, and ensuring that applicable laws and policies are adhered to and that privacy protections are embedded in the design of the system.

Security and privacy-related weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and cost-effectively than deficiencies identified in subsequent phases of the life cycle.

Security and privacy assessments are also conducted during the operations and maintenance phase of the life cycle to ensure that the controls continue to be effective in the operational environment and protect against constantly evolving risks.

Finally, at the end of the life cycle, security and privacy assessments are conducted to ensure that important organizational information, including personally identifiable information, is purged from the system prior to disposal and that organizational retention schedules are adhered to.

Maximizing the number of common controls employed within an organization significantly reduces the costs of development, implementation, and assessment of security and privacy controls; allows organizations to centralize and automate control assessments and amortize the cost of those assessments across all systems in the organization; and increases the consistency of security and privacy control implementations.

Product assessments (also known as product testing, evaluation, and validation) are typically conducted by independent, third-party testing organizations. Assessments examine the security and privacy functions of products and established configuration settings. Assessments can be conducted to demonstrate compliance with industry, national, or international information security and privacy standards and developer/vendor claims.

System and common control assessments are used to compile and evaluate the evidence needed by organizational officials to determine how effectively the security and privacy controls employed in systems mitigate risks to organizational operations and assets.

System developers can increase the strength of security and privacy functionality by employing well-defined security and privacy policies and procedures, structured and rigorous design and development techniques, and sound system, security, and privacy engineering techniques as part of the system development process.

The depth and coverage of security and privacy evidence can affect the level of assurance in the functionality implemented. Depth and coverage are attributes associated with assessment methods and the generation of security and privacy evidence.

An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes one or more determination statements related to the SP 800-53 control under review. The determination statements are linked to the content of the control.

Assessment objects identify the specific items being assessed as part of a given control and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with a system or common control. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within a system or common control.

Activities are the specific protection-related actions supporting a system or common control that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals or groups of individuals are people applying the specifications, mechanisms, or activities described above.

Assessment methods define the nature of the assessor actions and include examine, interview, and test.

• The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities) to facilitate assessor understanding, achieve clarification, or obtain evidence.

• The interview method is the process of discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.

• The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare the actual state of the object to the desired state or expected behavior of the object.

Assessment methods have a set of associated attributes – depth and coverage – which help define the level of effort for the assessment. The depth attribute addresses the rigor and level of detail in the examination, interview, and testing processes. Values for the depth attribute include basic, focused, and comprehensive.

The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes, including the number and types of specifications, mechanisms, and activities to be examined or tested and individuals to be interviewed. Similar to the depth attribute, values for the coverage attribute include basic, focused, and comprehensive.

The following steps are considered by assessors when developing plans to assess the security and privacy controls in organizational systems or common controls available for inheritance:

• Determine which security and privacy controls/control enhancements are to be included in assessments based on the contents of the security plan and privacy plan.

• Select the appropriate assessment procedures to be used.

• Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, and assign depth and coverage attribute values).

• Develop additional assessment procedures to address any security requirements or controls that are not covered by [SP 800-53].

• Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions.

• Finalize assessment plans and obtain the necessary approvals to execute the plans.

During the initial phases of the system development life cycle, specific controls may be selected for assessment to promote the early detection of weaknesses and deficiencies and a more cost-effective approach to risk response. After the initial authorization to operate has been granted, assessments may be necessary when changes are made to the system, specific security or privacy controls, common controls, or the environment of operation. In such cases, the focus of the assessment is on the controls that may have been affected by the change.

For each control in the security plan and privacy plan to be included in the assessment, assessors select the corresponding assessment procedure. The selected assessment procedures can vary from assessment to assessment based on the current content of the security plans and privacy plans and the purpose of the assessment (e.g., complete assessment, partial assessment, common control assessment).

The assessment methods and objects chosen are those deemed necessary to produce the evidence needed to make the determinations described in the determination statements in support of assurance requirements and the associated management of risk.

The quality of assessment results is based on the soundness of the rationale provided for selecting the methods and objects, not the specific set of methods and objects applied. It is not necessary, in most cases, to apply every assessment method to every assessment object to obtain the desired assurance.

The system owner is not responsible for assessing common controls or the inherited portion of hybrid controls. Common controls are assessed separately and are not reassessed at the system level by each system that inherits them. However, the assessor verifies if the system does, in fact, inherit and utilize the common control as indicated in the system security plans and privacy plans.

To save time, reduce assessment costs, and maximize the usefulness of assessment results, assessors review the selected assessment procedures for the control families and combine or consolidate the procedures (or parts of procedures) whenever possible or practicable.

Assessment objectives are achieved by applying the designated assessment methods to selected assessment objects and compiling or producing the evidence necessary to make the determination associated with each assessment objective. Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings:

• satisfied (S); or

• other than satisfied (O).

A finding of “satisfied” indicates that – for the portion of the control addressed by the determination statement – the assessment objective for the control has been met and produces a fully acceptable result.

A finding of “other than satisfied” indicates – for the portion of the control addressed by the determination statement – potential anomalies in the operation or implementation of the control that may need to be addressed by the organization.

Risk determination and acceptance activities are conducted by the organization post-assessment as part of the risk management strategy established by the organization. Post-assessment risk management activities involve the senior leadership of the organization.

The assessment results produced by the assessor (i.e., findings of “satisfied” or “other than satisfied”, identification of the parts of the security or privacy control that did not produce a satisfactory result, and a description of the resulting potential for compromise of the system or its environment of operation) are provided to system owners and common control providers. System owners or common control providers may choose to act on selected recommendations of the assessor before the assessment reports are finalized. Security or privacy controls that are modified, enhanced, or added during this process are reassessed by the assessor prior to the production of the final assessment reports.

The results of control assessments ultimately influence control implementations, the content of security plans and privacy plans, and the respective plans of action and milestones. Accordingly, system owners and common control providers review the security assessment reports and determine the appropriate steps required to respond to those weaknesses and deficiencies identified during the assessment.

By employing the capability concept, organizations can obtain greater visibility into and a better understanding of the relationships (i.e., dependencies) among controls, the effects of specific control failures on organization-defined capabilities, and the potential severity of control weaknesses.

Traditionally, assessments have been conducted on a control-by-control basis and produce results that are characterized as pass (i.e., control satisfied) or fail (i.e., control not satisfied). However, the failure of a single control or, in some cases, the failure of multiple controls may not affect the overall security and privacy capability required by an organization.
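The following is an added example, not text or code from SP 800-53A, that makes the two structural ideas above concrete: each determination statement is decided by applying a method (examine, interview, or test) to an assessment object and recorded as a finding of satisfied (S) or other than satisfied (O), and the per-control findings are then rolled up under organization-defined capabilities so that the effect of a single failed control can be read at the capability level. The control names, determination statements, evidence, and capability mapping are all constructed for illustration and are not the catalog's own procedures; the roll-up rule (a capability is satisfied only if every control it depends on is satisfied) is an assumption, since the text does not prescribe one.

```python
"""Added example (not from SP 800-53A): a minimal assessment-procedure runner.

Control names, determination statements, evidence and the capability mapping
below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Mapping

SATISFIED = "S"
OTHER_THAN_SATISFIED = "O"


@dataclass(frozen=True)
class Determination:
    statement: str                    # the determination statement being decided
    method: str                       # "examine", "interview" or "test"
    obj: str                          # specification, mechanism, activity or individual
    check: Callable[[Mapping], bool]  # evidence -> True if the statement holds


@dataclass(frozen=True)
class Finding:
    control: str
    statement: str
    method: str
    obj: str
    result: str                       # SATISFIED or OTHER_THAN_SATISFIED


def assess(control: str, determinations: List[Determination], evidence: Mapping) -> List[Finding]:
    """Apply each determination's method to the evidence. Missing evidence never yields S."""
    findings = []
    for d in determinations:
        try:
            held = bool(d.check(evidence))
        except (KeyError, TypeError):
            held = False
        findings.append(Finding(control, d.statement, d.method, d.obj,
                                SATISFIED if held else OTHER_THAN_SATISFIED))
    return findings


def controls_other_than_satisfied(findings: List[Finding]) -> List[str]:
    """Traditional control-by-control view: a control fails if any determination is O."""
    failed: List[str] = []
    for f in findings:
        if f.result == OTHER_THAN_SATISFIED and f.control not in failed:
            failed.append(f.control)
    return failed


def capability_status(findings: List[Finding], capabilities: Mapping[str, List[str]]) -> Dict[str, str]:
    """Assumed roll-up rule: a capability is S only if every control it depends on is S."""
    failed = set(controls_other_than_satisfied(findings))
    return {name: OTHER_THAN_SATISFIED if failed.intersection(deps) else SATISFIED
            for name, deps in capabilities.items()}


# Constructed evidence, keyed by assessment-object type, as an assessor might collect it.
EVIDENCE = {
    "specification": {"hardening_baseline": {"PermitRootLogin": "no", "audit_required": True}},
    "mechanism": {"sshd_config": {"PermitRootLogin": "yes"}, "auditd_active": True},
    "individual": {"admin_confirms_baseline_review": True},
    "activity": {"days_since_restore_exercise": 45},
}

# Constructed procedures; real procedures map to SP 800-53 control identifiers.
PROCEDURES = {
    "configuration-settings": [
        Determination("baseline documents the required PermitRootLogin value", "examine", "specification",
                      lambda e: e["specification"]["hardening_baseline"]["PermitRootLogin"] == "no"),
        Determination("running sshd configuration matches the documented baseline", "test", "mechanism",
                      lambda e: e["mechanism"]["sshd_config"]["PermitRootLogin"]
                      == e["specification"]["hardening_baseline"]["PermitRootLogin"]),
    ],
    "audit-logging": [
        Determination("baseline requires auditing", "examine", "specification",
                      lambda e: e["specification"]["hardening_baseline"]["audit_required"]),
        Determination("audit daemon is active on the system", "test", "mechanism",
                      lambda e: e["mechanism"]["auditd_active"]),
        Determination("administrator confirms the baseline is reviewed", "interview", "individual",
                      lambda e: e["individual"]["admin_confirms_baseline_review"]),
    ],
    "backup-operations": [
        Determination("restore exercised within the last 90 days", "test", "activity",
                      lambda e: e["activity"]["days_since_restore_exercise"] <= 90),
    ],
}

# Assumed organization-defined capabilities and the controls each depends on.
CAPABILITIES = {
    "hardened-remote-administration": ["configuration-settings", "audit-logging"],
    "accountable-administrator-actions": ["audit-logging"],
    "recover-from-data-loss": ["backup-operations"],
}


def run_assessment(evidence=EVIDENCE, procedures=PROCEDURES, capabilities=CAPABILITIES):
    """Return (all findings, controls that are O, capability status)."""
    findings = [f for ctrl, dets in procedures.items() for f in assess(ctrl, dets, evidence)]
    return findings, controls_other_than_satisfied(findings), capability_status(findings, capabilities)


if __name__ == "__main__":
    all_findings, failed_controls, caps = run_assessment()
    for f in all_findings:
        print(f"[{f.result}] {f.control}: {f.statement} ({f.method}/{f.obj})")
    print("controls other than satisfied:", failed_controls)
    print("capability status:", caps)
```

With the constructed evidence, the only determination that fails is the test of the running sshd configuration against the documented baseline, so the control-by-control view reports one failed control while the capability view shows that only the capability depending on that control is affected; the other two remain satisfied, which is the distinction the text draws.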

Assessment Method: Examine

Assessment Objects:

• Specifications: (e.g., policies, plans, procedures, system requirements, designs)

• Mechanisms: (e.g., functionality implemented in hardware, software, firmware)

• Activities: (e.g., system operations, administration, management, exercises)

Definition: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time.

Supplemental guidance: Typical assessor actions may include reviewing information security and privacy policies, plans, and procedures; analyzing system design documentation and interface specifications; observing system backup operations; reviewing the results of contingency plan exercises; observing incident response activities; studying technical manuals and user/administrator guides; checking, studying, or observing the operation of an information technology mechanism in the system hardware and software; or checking, studying, or observing physical security or privacy measures related to the operation of a system.

The depth attribute addresses the rigor of and level of detail in the examination process.

There are three possible values for the depth attribute: basic, focused, and comprehensive.

Comprehensive examination consists of high-level reviews, checks, observations, or inspections and more in-depth, detailed, and thorough studies/analyses of the assessment object. The comprehensive examination is conducted using an extensive body of evidence or documentation (e.g., functional-level descriptions and, where appropriate and available, high-level design information, low-level design information, and implementation information for mechanisms; high-level process descriptions and detailed implementation procedures for activities; the actual documents and related documents for specifications). Comprehensive examinations provide a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

The coverage attribute addresses the scope or breadth of the examination process and includes the types of assessment objects to be examined, the number of objects to be examined (by type), and specific objects to be examined. There are three possible values for the coverage attribute: basic, focused, and comprehensive.

Comprehensive examination uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide the level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

Assessment Method: Interview

Assessment Objects: Individuals or groups of individuals

Definition: The process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time.

The depth attribute addresses the rigor of and level of detail in the interview process.

Comprehensive interview consists of broad-based, high-level discussions and more in-depth, probing discussions in specific areas with individuals or groups of individuals. The comprehensive interview is conducted using a set of generalized, high-level questions and more in-depth, probing questions where there is a need for greater assurance or where responses indicate a need for more in-depth investigation.

Comprehensive interviews provide a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

The coverage attribute addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type), and specific individuals to be interviewed.

Comprehensive interview uses a sufficiently large sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective to provide the level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

Assessment Method: Test

Assessment Objects:

• Mechanisms (e.g., hardware, software, firmware)

• Activities (e.g., system operations, administration, management, exercises)

Definition: The process of exercising one or more assessment objects under specified conditions to compare actual with expected/desired behavior, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time.

Supplemental guidance: Typical assessor actions may include testing access control, identification and authentication, and audit mechanisms; testing security and privacy configuration settings; testing physical access control devices; conducting penetration testing of key system components; testing system backup operations; testing the incident response capability; and exercising the contingency planning capability.

The depth attribute addresses the types of testing to be conducted. Comprehensive testing: Test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is conducted using a functional specification, extensive system architectural information (e.g., high-level design, low-level design), implementation representation (e.g., source code, schematics) for mechanisms, and a high-level process description and detailed description of integration into the operational environment for activities.

Comprehensive testing provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

The coverage attribute addresses the scope or breadth of the testing process and includes the types of assessment objects to be tested, the number of objects to be tested (by type), and specific objects to be tested.

Comprehensive testing uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide the level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors, there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and there is support for continuous improvement in the effectiveness of the controls.

Penetration testing is a specific type of assessment in which assessors simulate the actions of a given class of attacker by using a defined set of documentation (i.e., documentation representative of what that class of attacker is likely to possess) and working under other specific constraints to attempt to circumvent the security or privacy features of a system.

Penetration testing can be viewed not as a means to verify the security and privacy features of a system but rather as a means to enhance the organization’s understanding of the system, uncover weaknesses or deficiencies in the system, and indicate the level of effort required on the part of adversaries to breach the system’s safeguards.

The information obtained from the penetration testing process can be shared with appropriate personnel throughout the organization to help prioritize the vulnerabilities in the system that are demonstrably subject to compromise by attackers of a profile equivalent to the ones used in the penetration testing exercises.

An effective penetration test:

• Goes beyond vulnerability scanning to provide explicit proof of mission risks and an indicator of the level of effort that an adversary would need to expend in order to cause harm to the organization’s operations and assets.

• Approaches the system as the adversary would – considering vulnerabilities, incorrect system configurations, trust relationships between organizations, and architectural weaknesses in the environment being tested.

• Has a clearly defined scope that contains, at a minimum:

  • A definition of the environment subject to testing (e.g., facilities, users, organizational groups)

  • A definition of the attack surface to be tested (e.g., servers, desktop systems, wireless networks, web applications, intrusion detection and prevention systems, firewalls, email accounts, user security and privacy awareness and training posture, and incident response posture, including breaches of personally identifiable information)

  • A definition of the threat sources to simulate (e.g., an enumeration of attacker profiles to be used, such as an internal attacker, casual attacker, single or group of external targeted attackers, nation/state actor, or criminal organization)

  • A definition of the objectives for the simulated attacker (e.g., gain domain administrator access on the organization’s LDAP [Lightweight Directory Access Protocol] structure and access and modify information in the organization’s financial system)

  • A definition of the level of effort (e.g., time and resources) to be expended

  • A definition of the rules of engagement

• Thoroughly documents all activities performed during the test, including all exploited vulnerabilities and how the vulnerabilities were combined into attacks

• Produces results indicating a likelihood of success for a given attack by using the level of effort that the team needed to expend to penetrate the system as an indicator of the penetration resistance of the system

• Validates existing security and privacy controls (including risk mitigation mechanisms, such as firewalls and intrusion detection and prevention systems)

• Provides a verifiable and reproducible log of all the activities performed during the test

• Provides actionable results with information about possible remediation measures for the successful attacks performed.
