RMF Step 4: Assess Flashcards
Guidance
NIST 800-53A guide to assessing controls
NIST 800-115 technical guide to assessment
3 assessment methods used by assessors (NIST 800-53A)
Examine - review, inspect, observe or analyze assessment objects (specifications, mechanisms, activities)
Interview - discussions with people (individuals or groups) to gain understanding or obtain evidence
Test - exercise assessment objects (mechanisms, activities) under specified conditions and compare actual behavior with expected behavior
POA&Ms
Findings from this step drive the POA&M: weaknesses that are not fixed during initial remediation (Task 4-4) are carried in the POA&M with planned corrective actions, resources, and milestones
Inputs and Outputs of Step 4: Assess
INPUT
- Implemented system
- SSP plus the documentation and implementation evidence (configurations, records, artifacts) the controls call for
OUTPUT
- SAP
- SAR, updated SSP, and POA&M (the documents that make up the authorization package)
2 attributes of every assessment method (NIST 800-53A)
DEPTH
*level of rigor and detail of the examination, interview, or test
COVERAGE
*scope (breadth and number of objects) of the examination, interview, and test processes
Values of the Depth attribute (3; Coverage uses the same three values)
Basic - high-level review or check
Focused - more in-depth, with additional analysis or inspection
Comprehensive - detailed and thorough, the most rigorous level
RMF Task 4-1
Develop, review, and approve the plan to assess the controls (SAP)
RMF Task 4-2
Assess controls according to the procedures in the SAP
RMF Task 4-3
Prepare the SAR documenting issues, findings, and recommendations from the assessment
RMF Task 4-4
Conduct initial remediation actions on controls based on the findings and recommendations in the SAR, reassess remediated controls as appropriate, and update the SSP