Exam (elaborations)

RMF CHAPTER 8: STEP 4 ASSESS WITH COMPLETE SOLUTIONS

Pages: 7
Grade: A+
Uploaded on: 26-04-2025
Written in: 2024/2025

FIPS 200/NIST SP 800-53 (Specification of Security Controls)

NIST SP 800-53A (Assessment of Security Control Effectiveness) - ANSWER-When
Assessing Security Controls, agencies are required to follow what publication for the
specification of security controls; and what publication for the assessment of security
control effectiveness?

Satisfactory or Other - ANSWER-An assessment can be either ____________ or
____________; nothing else.

Compliant or Non-compliant - ANSWER-An assessment can be deemed Satisfactory or
Other. The DoD uses a different set of terms, what are they?

- Scope
- Method
- Depth
- Breadth - ANSWER-What are the critical factors in assessments?

- Prepare for security control assessment.
- Establish security control assessment plan.
- Determine security control effectiveness.
- Develop initial security assessment report.
- Perform initial remediation actions.
- Develop final security assessment report and addendum. - ANSWER-What are the 6
key areas for Assessment?

Security Assessment Plan - ANSWER-What defines methods and procedures for
testing, evaluating, and assessing various security controls in a system; includes Rules
of Engagement (ROE) document?

Rules of Engagement (ROE) document - ANSWER-What is a document that provides
oversight and approval for assessment and internal & external testing, including
penetration testing?

NIST SP 800-115 - ANSWER-Organizations should develop a Security Assessment
Plan as provided for in what publication?

1. Develop a Security Assessment Policy
2. Prioritize and Schedule Assessment
3. Select and Customize Techniques
4. Determine Logistics of Assessment
5. Develop the Assessment Plan
6. Address Legal Considerations - ANSWER-As provided by NIST Special Publication
800-115, NIST lays out recommendations for developing an Assessment plan. What are
the recommendations?

- Organizational requirements with which assessments must comply.
- Appropriate roles and responsibilities (at a minimum, for those individuals approving
and executing assessments).
- Adherence to established methodology.
- Assessment frequency.
- Documentation requirements, such as assessment plans and assessment results. - ANSWER-What should the Security Assessment Policy in the Security Assessment
Plan address when developing it?

- What systems should undergo assessments.
- How often assessments should be done. - ANSWER-What should the Prioritize and
Schedule Assessment in the Security Assessment Plan address?

- System categorization
- Expected benefits
- Scheduling requirements
- When required by law or regulation
- Resource availability - ANSWER-When Prioritizing and Scheduling assessments,
prioritization should be based on what?

- An organization should first determine its assessment objectives (such as verifying
compliance, verifying system's security as part of C&A activities, identifying exploitable
vulnerabilities, or evaluating Intrusion Detection Systems).

- The organization should select the classes of techniques (e.g., review, target
identification and analysis, target vulnerability validation) to be used to obtain
information that supports those objectives, and specific techniques within each selected
class.

- Resources and skill available.
- Consider risk involved in selecting techniques. - ANSWER-What should the Select and
Customize Techniques in the Security Assessment Plan address?

- Identifying all required resources, including the assessment team.
- Selecting environments and locations from which to perform the assessment.
- Acquiring and configuring all necessary technical tools. - ANSWER-What should the
Determine Logistics of Assessment in the Security Assessment Plan address?

- Documents the activities planned for an assessment and other related information.
- To provide the rules and boundaries to which assessors must adhere.

Seller: NursingTutor1, West Virginia University