Embedded Files
NIST 800-53 (r4) Control:
The organization includes as part of security control assessments, [Assignment: (M) (H) at least annually], [Selection: (M) (H) announced], [Selection (one or more): (M) (H) vulnerability scanning; [Assignment: organization-defined other forms of security assessment]].
NIST 800-53 (r4) Supplemental Guidance:
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2.
NIST 800-53 (r5) Discussion:
Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).
38North Guidance:
Meets Minimum Requirement:
Develop and document a Security Assessment Plan (SAP) that includes the purpose, scope (controls in scope of the assessment), testing methods and techniques, assessment schedule and POCs, etc.
Document the results of the security assessment within a Security Assessment Report (SAR) that includes the results of each control tested along with the compliance status of the overall information security system.
Best Practice:
Define the frequency for conducting the selected form(s) of specialized security assessment.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Evidence of the Security Assessment Plan (SAP) for the specialized assessment.
Evidence of the results of the specialized assessment in the form of a Security Assessment Report (SAR) developed by the Independent Assessor or 3PAO.
Annual specialized assessments, including announced vulnerability scanning performed by an independent third party for the current year and previous year.
Communication showing where the FedRAMP PMO were provided the SAP and SAR.
Previous penetration testing reports, if performed by other assessors.
CSP Implementation Tips:
None.
This page is classified as INTERNAL.
Page updated
Report abuse