NIST SP 800-53A

Question 1

“The selection of appropriate assessment procedures and the rigor, intensity, and scope of the assessment depend on three factors:…”

Answer 1

1. The security categorization of the information system
2. The assurance requirements that the organization intends to meet in determining the overall effectiveness of the security controls; and
3. The selection of security controls from SP 800-53 as identified in the approved security plan

Question 2

Security categorization (national security systems)

Answer 2

Is accomplished with CNSS Instruction 1253

Question 3

Security categorization (other than national security systems)

Answer 3

Is accomplished in accordance with FIPS 199 and SP 800-60

Question 4

Information produced during security control assessments can be used by an organization to:

Answer 4

1. Identify potential problems or shortfalls in the organization’s implementation of the Risk Management Framework;
2. Identify information system weaknesses and deficiencies;
3. Prioritize risk mitigation decisions and associated risk mitigation activities;
4. Confirm that identified weaknesses and deficiencies in the information systems have been addressed;
5. Support continuous monitoring activities and information security situational awareness;
6. Facilitate security authorization decisions; and
7. Inform budgetary decisions and the capital investment process