This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
NIST 800-53 (r4) Supplemental Guidance:
Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.
NIST 800-53 (r5) Discussion:
Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.
38North Guidance:
Meets Minimum Requirement:
Select an independent assessment team that will monitor the security controls that are part of the organization's continuous monitoring plan.
Best Practice:
None.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Completed Continuous Monitoring Template (if applicable).
Copy of Continuous Monitoring Plan.
Copy of Continuous Monitoring Reports from the previous year.
Copies of the last three months of Operating System scans, Database scans and Web Application scans.
CSP Implementation Tips:
None.