
Special Publication 800-53A

Guide for Assessing the Security Controls in Federal Information Systems and Organizations

________________________________________________________________________________________________

APPENDIX F

ASSESSMENT PROCEDURE CATALOG

OBJECTIVES, METHODS, AND OBJECTS FOR ASSESSING SECURITY CONTROLS

This appendix provides a catalog of procedures to assess the security controls and control enhancements in Special Publication 800-53.[49] Assessors select assessment procedures from the catalog in accordance with the guidance provided in Section 3.2. Since the contents of the security plan affect the development of the security assessment plan and the assessment, there will likely be assessment procedures in the catalog that assessors will not use because: (i) the associated security controls or control enhancements are not contained in the security plan for the information system;[50] or (ii) the security controls or control enhancements are not being assessed at this particular time (e.g., during an assessment of a subset of the controls as part of continuous monitoring activities).

The same assessment object may appear in multiple object lists in a variety of assessment procedures. The same object may be used in multiple contexts to obtain needed information or evidence for a particular aspect of an assessment. Assessors use the general references as appropriate to obtain the necessary information to make the specified determinations required by the assessment objective. For example, a reference to access control policy appears in the assessment procedures for AC-2 and AC-7. For assessment procedure AC-2, assessors use the access control policy to find information about that portion of the policy that addresses account management for the information system. For assessment procedure AC-7, assessors use the access control policy to find information about that portion of the policy that addresses unsuccessful login attempts for the information system.

Assessors are responsible for combining and consolidating the assessment procedures whenever possible or practical. Optimizing assessment procedures can save time, reduce assessment costs, and maximize the usefulness of assessment results. Assessors optimize assessment procedures by determining the best sequencing of the procedures. The assessment of some security controls before others may provide information that facilitates understanding and assessment of other controls.

[49] In the event of any differences between the assessment objectives identified for assessing the security controls and the underlying intent expressed by the security control statements defined in the most recent version of Special Publication 800-53, Special Publication 800-53 remains the definitive expression of the control or enhancement.

[50] The execution of the RMF includes the selection of an initial set of security controls employed within or inherited by an organizational information system followed by a control tailoring and supplementation process. The tailoring and supplementation process will likely change the set of security controls that will be contained in the final security plan. Therefore, the selection of assessment procedures from the catalog of available procedures is based solely on the content of the security plan after the tailoring and supplementation activities are completed.

APPENDIX F

PAGE F-1


Implementation Tips

TIP #1: Select only those assessment procedures from Appendix F that correspond to the security controls and control enhancements in the approved security plan and that are to be included in the assessment.

TIP #2: The assessment procedures selected from Appendix F are simply example procedures that serve as a starting point for organizations preparing for assessments. These assessment procedures are tailored and supplemented as necessary, in accordance with the guidance in Section 3.2 to adapt the procedures to specific organizational requirements and operating environments.

TIP #3: With respect to the assessment procedures in Appendix F, assessors need apply only those procedures, methods, and objects necessary for making a final determination that a particular security control objective is satisfied or not satisfied (see Section 3.3).

TIP #4: Assessors apply to each assessment method, values for depth and coverage (described in Appendix D) that are commensurate with the characteristics of the information system (including assurance requirements) and the specific assessment activity that supports making a determination of the effectiveness of the security controls under review. The values selected for the depth and coverage attributes indicate the relative effort required in applying an assessment method to an assessment object (i.e., the rigor and scope of the activities associated with the assessment). The depth and coverage attributes, while not repeated in every assessment procedure in this appendix, can be represented as follows:

Interview: [ASSIGN ATTRIBUTE VALUES: <depth>, <coverage>].

[SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

TIP #5: Assessors may find useful assessment-related information in the Supplemental Guidance section of each security control described in Special Publication 800-53. This information can be used to carry out more effective assessments with regard to the application of assessment procedures.

Note: When assessing agency compliance with NIST guidance, auditors, Inspectors General, evaluators, and/or assessors consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.


REMINDER

Whereas a set of potential assessment methods have been included in the following catalog of assessment procedures, these are not intended to be mandatory or exclusive and, depending on the particular circumstances of the information system to be assessed, not all methods may be required or other assessment methods may also be used. In addition, the potential assessment objects listed are not intended to be a mandatory set, but rather a set from which the necessary and sufficient set of objects for a given assessment can be selected to make the appropriate determinations. For specific recommendations regarding current best practices for security control assessments, organizations can consult the assessment case development project described in Appendix H and the assessment cases listed on the NIST Web site.


FAMILY: ACCESS CONTROL

CLASS: TECHNICAL

ASSESSMENT PROCEDURE

AC-1 ACCESS CONTROL POLICY AND PROCEDURES

AC-1.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization develops and formally documents access control policy;

(ii) the organization access control policy addresses:

- purpose;
- scope;
- roles and responsibilities;
- management commitment;
- coordination among organizational entities; and
- compliance;

(iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities;

(iv) the organization develops and formally documents access control procedures;

(v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and

(vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].

AC-1.2 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the frequency of access control policy reviews/updates;

(ii) the organization reviews/updates access control policy in accordance with organization-defined frequency;

(iii) the organization defines the frequency of access control procedure reviews/updates; and

(iv) the organization reviews/updates access control procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].


FAMILY: ACCESS CONTROL

CLASS: TECHNICAL

ASSESSMENT PROCEDURE

AC-2 ACCOUNT MANAGEMENT

AC-2.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization manages information system accounts, including:

- identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
- establishing conditions for group membership;
- identifying authorized users of the information system and specifying access privileges;
- requiring appropriate approvals for requests to establish accounts;
- establishing, activating, modifying, disabling, and removing accounts;
- specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
- notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
- deactivating: i) temporary accounts that are no longer required; and ii) accounts of terminated or transferred users; and
- granting access to the system based on:
  - a valid access authorization;
  - intended system usage; and
  - other attributes as required by the organization or associated missions/business functions; and

(ii) the organization defines the frequency of information system account reviews; and

(iii) the organization reviews information system accounts in accordance with organization-defined frequency.

 

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].


AC-2(1) ACCOUNT MANAGEMENT

AC-2(1).1 ASSESSMENT OBJECTIVE:

Determine if the organization employs automated mechanisms to support information system account management functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

AC-2(2) ACCOUNT MANAGEMENT

AC-2(2).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts; and

(ii) the information system automatically terminates temporary and emergency accounts after the organization-defined time period for each type of account.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of active accounts; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

AC-2(3) ACCOUNT MANAGEMENT

AC-2(3).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines a time period after which the information system disables inactive accounts; and

(ii) the information system automatically disables inactive accounts after the organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of last login dates; information system-generated list of active accounts; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].
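The Test method for AC-2(2) and AC-2(3) asks whether the automated mechanism actually terminates expired temporary/emergency accounts and disables inactive ones. The following script, an added example that is not part of the NIST publication, shows how an assessor can run that determination over a system-generated account export (here a constructed sample) against organization-defined lifetimes and an inactivity limit, which are assumed values since the catalog leaves them to the security plan; it also covers the never-logged-in edge case by measuring from the creation date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Organization-defined parameters. The catalog leaves the values to the security plan;
# these are assumptions made for this example.
TEMP_ACCOUNT_LIFETIME = {"temporary": timedelta(days=30), "emergency": timedelta(days=1)}
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    """One row of a system-generated account export (constructed format)."""
    name: str
    kind: str                    # individual, group, system, temporary, emergency, ...
    created: date
    last_login: Optional[date]   # None if the account has never been used
    enabled: bool


def expired_temporary_accounts(accounts: List[Account], today: date) -> List[str]:
    """AC-2(2): temporary or emergency accounts that are still enabled past the
    organization-defined lifetime for their account type."""
    findings = []
    for acct in accounts:
        lifetime = TEMP_ACCOUNT_LIFETIME.get(acct.kind)
        if lifetime is not None and acct.enabled and today - acct.created > lifetime:
            findings.append(acct.name)
    return findings


def stale_enabled_accounts(accounts: List[Account], today: date) -> List[str]:
    """AC-2(3): enabled accounts with no login inside the inactivity limit.
    An account that has never logged in is measured from its creation date, so a
    never-used account cannot escape the check by having no last-login value."""
    findings = []
    for acct in accounts:
        reference = acct.last_login if acct.last_login is not None else acct.created
        if acct.enabled and today - reference > INACTIVITY_LIMIT:
            findings.append(acct.name)
    return findings


# Constructed sample export, assessed as of a fixed date so results are reproducible.
AS_OF = date(2015, 3, 15)
SAMPLE_EXPORT = [
    Account("alice", "individual", date(2014, 1, 10), date(2015, 3, 1), True),
    Account("bob", "individual", date(2013, 6, 1), date(2014, 11, 1), True),        # inactive, still enabled
    Account("carol", "individual", date(2013, 6, 1), date(2014, 10, 1), False),     # inactive, already disabled
    Account("dave", "individual", date(2014, 1, 1), None, True),                    # never used, still enabled
    Account("tmp-vendor", "temporary", date(2015, 1, 1), date(2015, 2, 20), True),  # past 30-day lifetime
    Account("er-oncall", "emergency", date(2015, 3, 14), None, True),               # within 1-day lifetime
]


def assess(accounts: List[Account], today: date) -> dict:
    """Bundle both determinations the way an assessor would record them."""
    return {
        "AC-2(2)": expired_temporary_accounts(accounts, today),
        "AC-2(3)": stale_enabled_accounts(accounts, today),
    }


if __name__ == "__main__":
    for control, names in assess(SAMPLE_EXPORT, AS_OF).items():
        status = "other than satisfied" if names else "satisfied"
        print(f"{control}: {status} {names}")
```

A non-empty finding list means the mechanism did not act within the organization-defined period, which is the evidence needed to record the objective as other than satisfied.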


AC-2(4) ACCOUNT MANAGEMENT

AC-2(4).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the information system automatically audits:

- account creation;
- modification;
- disabling; and
- termination actions; and

(ii) the information system notifies, as required, appropriate individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

AC-2(5) ACCOUNT MANAGEMENT

AC-2(5).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the time period of expected inactivity and/or description of when users log out;

(ii) the organization requires that users log out in accordance with the organization-defined time period of inactivity and/or description of when to log out;

(iii) the organization determines normal time-of-day and duration usage for information system accounts;

(iv) the organization monitors for atypical usage of information system accounts; and

(v) the organization reports atypical usage to designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

AC-2(6) ACCOUNT MANAGEMENT

AC-2(6).1 ASSESSMENT OBJECTIVE:

Determine if the information system dynamically manages user privileges and associated access authorizations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].


AC-2(7) ACCOUNT MANAGEMENT

AC-2(7).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and

(ii) the organization tracks and monitors privileged role assignments.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; information system audit records; audit tracking and monitoring reports; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].


FAMILY: ACCESS CONTROL

CLASS: TECHNICAL

ASSESSMENT PROCEDURE

AC-3 ACCESS ENFORCEMENT

AC-3.1 ASSESSMENT OBJECTIVE:

Determine if the information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy].

AC-3(1) ACCESS ENFORCEMENT

[Withdrawn: Incorporated into AC-6].

AC-3(1).1 ASSESSMENT OBJECTIVE:

[Withdrawn: Incorporated into AC-6].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into AC-6].

AC-3(2) ACCESS ENFORCEMENT

AC-3(2).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines, in organizational policies and procedures, the privileged commands for which dual authorization is to be enforced; and

(ii) the information system enforces dual authorization based on organizational policies and procedures for organization-defined privileged commands.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; security plan; information system design documentation; information system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of approved authorizations (user privileges); other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Dual authorization mechanisms implementing access control policy].


AC-3(3) ACCESS ENFORCEMENT

AC-3(3).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the users and resources over which the information system is to enforce nondiscretionary access control policies;

(ii) the organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies:

- access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and
- required relationships among the access control information to permit access; and

(iii) the information system enforces organization-defined nondiscretionary access control policies over the organization-defined set of users and resources.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; nondiscretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of users and resources requiring enforcement of nondiscretionary access control policies; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing nondiscretionary access control policy].
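AC-3(3) describes a policy as a rule set over attributes (position, nationality, project, time of day) plus the required relationships among them. The following is an added example, not NIST's or any product's code, of a deny-by-default evaluator for such a rule set; the attribute names, rules, subjects and resources are constructed for illustration, and the evaluator returns which rules failed so an assessor testing the mechanism can confirm a denial came from the intended rule.

```python
from datetime import time
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
# A rule is a predicate over (subject, resource, environment) attributes.
Rule = Callable[[Attrs, Attrs, Attrs], bool]


# Each rule encodes one "required relationship among the access control information".
# Attribute names and values below are constructed for this example.
def same_project(subj: Attrs, res: Attrs, env: Attrs) -> bool:
    return res.get("project") in subj.get("projects", ())


def releasable_to_nationality(subj: Attrs, res: Attrs, env: Attrs) -> bool:
    allowed = res.get("releasable_to")          # None means no nationality restriction
    return allowed is None or subj.get("nationality") in allowed


def position_permitted(subj: Attrs, res: Attrs, env: Attrs) -> bool:
    return subj.get("position") in res.get("permitted_positions", ())


def within_duty_hours(subj: Attrs, res: Attrs, env: Attrs) -> bool:
    return time(8, 0) <= env["time_of_day"] <= time(18, 0)


# The rule set is fixed by the organization, not by the resource owner (nondiscretionary).
POLICY: List[Rule] = [same_project, releasable_to_nationality, position_permitted, within_duty_hours]


def evaluate(policy: List[Rule], subj: Attrs, res: Attrs, env: Attrs) -> Tuple[bool, List[str]]:
    """Deny-by-default conjunction: access is permitted only if every rule holds.
    Returns the decision and the names of the rules that failed."""
    failed = [rule.__name__ for rule in policy if not rule(subj, res, env)]
    return (not failed, failed)


# Constructed subjects, resources and environments for the test cases.
ENGINEER = {"position": "engineer", "nationality": "US", "projects": ("alpha", "beta")}
CONTRACTOR = {"position": "contractor", "nationality": "CA", "projects": ("alpha",)}
ALPHA_DESIGN = {"project": "alpha", "releasable_to": {"US", "CA"},
                "permitted_positions": ("engineer", "contractor")}
ALPHA_KEYS = {"project": "alpha", "releasable_to": {"US"}, "permitted_positions": ("engineer",)}
DAYTIME = {"time_of_day": time(10, 30)}
NIGHT = {"time_of_day": time(23, 0)}


if __name__ == "__main__":
    cases = [("engineer/design/day", ENGINEER, ALPHA_DESIGN, DAYTIME),
             ("contractor/keys/day", CONTRACTOR, ALPHA_KEYS, DAYTIME),
             ("engineer/keys/night", ENGINEER, ALPHA_KEYS, NIGHT)]
    for label, subj, res, env in cases:
        print(label, evaluate(POLICY, subj, res, env))
```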

AC-3(4) ACCESS ENFORCEMENT

AC-3(4).1 ASSESSMENT OBJECTIVE:

Determine if the information system enforces a Discretionary Access Control (DAC) policy that:

- allows users to specify and control sharing by named individuals or groups of individuals, or by both;
- limits propagation of access rights; and
- includes or excludes access to the granularity of a single user.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; discretionary access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing discretionary access control policy].
