NIST updates security control assessment procedures
On December 12, the National Institute of Standards and Technology (NIST) Computer Security Division announced the final release of Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This update brings security control assessment procedures into alignment with the current version of the government’s security control framework, SP 800-53 Revision 4, which was published in April 2013.
The final version of this guidance should lead to a revision in security control assessment practices in all agencies and also remove a practical obstacle to the adoption of 800-53 Rev. 4, as many agencies delay their migration from one version to the next until corresponding assessment guidance is available. The gap of more than 18 months between the release of 800-53 Rev. 4 and 800-53A Rev. 4 can be attributed in part to the substantial changes in the control framework compared to the previous version, notably the addition of a separate set of 26 privacy controls and an expansion of the program management controls, all of which are mandatory for federal information systems and security management programs.
The fundamental structure of security control assessment procedures in 800-53A remains the same as in previous versions (NIST skipped from Rev. 1 straight to Rev. 4 in the latest release, to synchronize the revision numbers with 800-53). For each control, 800-53A provides a set of assessment objectives, with each objective broken down into one or more determination statements that tell an assessor what to look for when deciding whether a system or agency satisfies an objective. Assessment procedures specify the methods assessors should use (examine, interview, and test) against the objects of the assessment (specifications, mechanisms, activities, and individuals). The guidance in 800-53A also defines attributes of depth and coverage (basic, focused, and comprehensive) that set the level of detail and effort with which each method is applied, to help assessors tailor assessments to the assurance requirements specific to each system.
What is noticeably different in 800-53A Rev. 4 is the level of granularity in the determination statements found in the catalog of assessment procedures in Appendix F of the document. While the prior version included assessment objectives and determination statements for every security control and enhancement, those statements often were long phrases that packed many details into a single statement. In contrast, the new version has many more determination statements, but each statement is short and explicit, addressing a single concept, action, or detail related to an assessment objective. For example, for the “Account Management” control (AC-2), the previous version of 800-53A had three numbered determination statements, the first of which incorporated nine attributes. The new assessment procedure for AC-2 has eleven primary determination statements, all but four of which are broken down further into subordinate statements (and, in the case of one statement, into a third level of detail). This results in a total of 30 numbered items, each subject to a satisfied/other-than-satisfied finding.
Guidance for producing assessment reports carries forward the increased level of detail, as an assessor’s determination of “satisfied” or “other than satisfied” is applied to every determination statement in the assessment procedures. This change could make security assessment reports more closely resemble the audit reports and compliance checklists common in traditional financial and IT auditing, but it also greatly increases the number of items for which individual findings are recorded. Federal security control assessment procedures and the broader Risk Management Framework of which assessments are a part require agencies to apply risk-based decision making and, where appropriate, corrective action to every “other than satisfied” finding. Organizations following the assessment reporting guidance in 800-53A Rev. 4 may initially find that they have a much higher number of findings to address, but the finer granularity of the determination statements and assessment procedures should greatly reduce the scope and, potentially, the level of effort required to address each one.
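To make the effect of the finer granularity concrete, the following is an added example (not NIST's own format and not text from the 800-53A catalog) that models an assessment procedure as a tree of determination statements, records a satisfied/other-than-satisfied finding on each leaf, and rolls findings up to the objective. The AC-2 statement identifiers, wording and assessor results are constructed and simplified for illustration; the real Rev. 4 procedure for AC-2 is considerably larger. The "coarse" tree folds the same attributes into one statement in the pre-Rev. 4 style, so the two trees can be compared on identical underlying deficiencies.

```python
"""Hierarchical determination statements with per-leaf findings and roll-up."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

SATISFIED = "satisfied"
OTHER_THAN_SATISFIED = "other than satisfied"


@dataclass
class Statement:
    """One determination statement. Interior nodes group subordinate statements;
    only leaves receive an assessor finding directly."""
    ident: str
    text: str
    methods: Tuple[str, ...] = ("examine",)   # examine / interview / test
    children: List["Statement"] = field(default_factory=list)

    def leaves(self) -> Iterator["Statement"]:
        if not self.children:
            yield self
        for child in self.children:
            yield from child.leaves()


def roll_up(node: Statement, leaf_findings: Dict[str, str]) -> Dict[str, str]:
    """Return a finding for every statement in the tree. A leaf takes the assessor's
    recorded finding; an interior statement is satisfied only if every subordinate
    statement is satisfied. An unassessed leaf raises KeyError rather than
    silently counting as satisfied."""
    result: Dict[str, str] = {}

    def visit(n: Statement) -> str:
        if not n.children:
            status = leaf_findings[n.ident]
        else:
            statuses = [visit(c) for c in n.children]
            status = SATISFIED if all(s == SATISFIED for s in statuses) else OTHER_THAN_SATISFIED
        result[n.ident] = status
        return status

    visit(node)
    return result


def open_findings(node: Statement, leaf_findings: Dict[str, str]) -> List[str]:
    """Identifiers of leaf statements that need a risk-based decision or corrective
    action, i.e. everything not 'satisfied', in catalog order."""
    return [s.ident for s in node.leaves() if leaf_findings[s.ident] != SATISFIED]


# Constructed, simplified AC-2 ("Account Management") procedure in the Rev. 4 style:
# short single-concept leaves, nested to a third level in one place.
GRANULAR = Statement("AC-2", "account management objective", children=[
    Statement("AC-2(a)", "account types are identified and selected", ("examine", "interview")),
    Statement("AC-2(b)", "account managers are assigned", ("examine", "interview")),
    Statement("AC-2(c)", "conditions for group and role membership are established"),
    Statement("AC-2(d)", "for each account the following are specified", children=[
        Statement("AC-2(d)[1]", "authorized users"),
        Statement("AC-2(d)[2]", "group and role membership"),
        Statement("AC-2(d)[3]", "access authorizations (privileges)", children=[
            Statement("AC-2(d)[3][a]", "privileges are defined", ("examine", "test")),
            Statement("AC-2(d)[3][b]", "privileges are documented"),
        ]),
    ]),
])

# The same attributes folded into one long statement, as in the prior style.
COARSE = Statement("AC-2", "account management objective", children=[
    Statement("AC-2.1", "; ".join(s.text for s in GRANULAR.leaves()), ("examine", "interview")),
])

# Constructed assessor results: two of the seven attributes were found lacking.
GRANULAR_RESULTS = {s.ident: SATISFIED for s in GRANULAR.leaves()}
GRANULAR_RESULTS["AC-2(b)"] = OTHER_THAN_SATISFIED
GRANULAR_RESULTS["AC-2(d)[3][b]"] = OTHER_THAN_SATISFIED
COARSE_RESULTS = {"AC-2.1": OTHER_THAN_SATISFIED}   # identical deficiencies, one finding


def compare() -> Dict[str, Tuple[int, List[str]]]:
    """(number of assessed items, identifiers needing action) for each style."""
    return {
        "coarse": (sum(1 for _ in COARSE.leaves()), open_findings(COARSE, COARSE_RESULTS)),
        "granular": (sum(1 for _ in GRANULAR.leaves()), open_findings(GRANULAR, GRANULAR_RESULTS)),
    }


if __name__ == "__main__":
    for style, (items, open_ids) in compare().items():
        print(f"{style}: {items} items assessed, {len(open_ids)} open finding(s): {open_ids}")
    for ident, status in roll_up(GRANULAR, GRANULAR_RESULTS).items():
        print(f"  {ident:<16} {status}")
```

Both trees roll up to "other than satisfied" at AC-2, so the control-level result is unchanged; what differs is the record. The coarse procedure produces one finding whose remediation scope is the whole statement, while the granular one produces two findings, each pointing at a single attribute, and the satisfied leaves under AC-2(d) are visibly closed rather than hidden inside the one open item.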
One other notable addition to 800-53A Rev. 4 is the introduction (in official guidance) of the concept of security and privacy capabilities, which are essentially functional descriptions that correspond to multiple underlying security controls. The intent of recommending the use of capabilities to agencies appears to be to increase the alignment between implemented security controls and the security or privacy requirements they are designed to meet or support. Based on the description in 800-53A Rev. 4, the concept of capabilities also reflects an acknowledgement that a weakness in, or the absence of, any single security control may not significantly impact the ability of an agency to deliver the capabilities it needs.