January 25, 2023

    NIST Security Controls Assessment Guide

    Does your organization have security controls in place, but you’re unsure if they’re effective or align with NIST (National Institute of Standards and Technology) guidelines? NIST Special Publication 800-53 was created by NIST as a benchmark for successful security control assessments.

    This publication walks you through the entire NIST controls assessment process, and when applied to your organization, it will help you mitigate the risk of a security compromise. Use this comprehensive guide to help you conduct a NIST controls assessment in your own organization.

    The Fundamentals

    Outlined below are the fundamental aspects of the NIST controls assessment process.

    Assessments within the System Development Life Cycle

    It’s not enough for your security controls to be assessed once and assumed to be effective for the entirety of their life cycle. Your NIST controls should be assessed continuously throughout the life cycles of your IT systems, ensuring that even inherited security measures are working properly and up to your standards.

    Any issues identified early in a system's life cycle – during the implementation process, for instance – can typically be addressed quickly and easily, more easily in fact, than mature systems later in their life cycles.

    Ongoing assessments at different phases in a system’s life cycle are required to ensure that your security measures are working as effectively as they were when they were deployed and you’re not compromising sensitive data. At the end of a system’s life cycle, you need to conduct a final assessment verifying that all your information has been properly removed from the system.

    Strategy for Conducting Security Control Assessments

    Developing a strategy for how to conduct your security control assessments makes it easier to ensure these assessments are uniform, cost-effective, and comprehensive. When using the Risk Management Framework as your foundation for your security control assessment strategy, you should involve your entire organization in the assessment process.

    According to NIST 800-53, maximizing the number of controls your organization uses will:

    • Reduce the costs associated with development, implementation, and assessment of your NIST controls

    • Enable you to centralize your assessments and reduce the cost of assessment across your organization-wide systems

    • Increase consistency in your security controls

    A cohesive security control assessment strategy ensures that key members of your organizational leadership are regularly informed about the health of your IT systems. This provides organizational leadership with the crucial knowledge to make informed decisions on how to mitigate the risk of security breaches. It also allows your leaders to develop solutions to organization-wide problems.

    NIST 800-53 outlines two actions that should be included in your strategy, which lead to cost-effective, focused assessment processes:

    • Draft assessment procedures that are tailored for your specific operations and requirements

    • Provide tools, templates, and techniques across your organization to increase consistency in the process

    Building an Effective Assurance Case

    Before we dive into building an effective assurance case, you need to know what an assurance case is in this context. NIST 800-53 defines it as a:

    “… body of evidence organized into an argument demonstrating that some claim about an information system holds (i.e., is assured). An assurance case is needed when it is important to show that a system exhibits some complex property such as safety, security, or reliability.”

    Building that assurance case starts with compiling data and evidence throughout a system’s life cycle that demonstrates the system was deployed correctly, is operating as intended, and will produce the desired outcomes for your organization. This evidence comes from your security control assessment, gathered through tests and activities throughout the life cycle of the system.

    Once that evidence has been gathered through a series of activities, you need to present this data to decision-makers in your organization, ensuring they are well-informed about the use of this system and its impacts on business operations.

    Assessments can be conducted either internally or by an outside vendor. These system assessments will reveal any risks associated with your systems.

    Assessment Procedures

    The assessment procedures in NIST 800-53 are the basis for building an effective assurance case. An assessment procedure consists of a set of assessment objectives. The objective is communicated through determination statements – statements that will be proven true or false through the assessment.

    The assessment will evaluate the effectiveness of the security measures associated with:

    • Specifications - Any documentation, including policies, procedures, plans, system security requirements, functional specifications, and architectural designs

    • Mechanisms - The specific hardware, software, or firmware safeguards and countermeasures your organization has employed with your systems

    • Activities - Any protection-related actions including your employees, like system backup processes or monitoring network traffic

    • Individuals - Anyone in your organization applying the specifications, mechanisms, or activities listed above

    To properly assess these different areas of your IT systems, you will employee three methods – examine, interview, and test. The assessor will examine or analyze your current security controls, interview the employees who engage with these NIST controls, and test the controls to verify that they are working properly.

    The Process

    The process for conducting a security assessment is a relatively straightforward four-step process: prepare for the assessment, develop an assessment plan, conduct the assessment, and analyze the findings. Learn more about what each step requires in more detail below.

    Preparing for Security Control Assessments

    For your security assessments to be executed effectively, you must start with a well-established and communicated preparation process. This process should involve your entire team. While it’s true that these assessments can be disruptive to your business operations, preparation before the assessment can drastically cut down on the amount of time and resources the actual assessment will take.

    The preparation process consists of efforts on the parts of both your organizational leaders and your security team members. Let’s look at specific steps both of these parties will take:

    Organizational Preparation

    • Implement all appropriate policies and ensure stakeholders understand these policies.

    • Follow the Risk Management Framework carefully before the assessment begins.

    • Verify that security controls identified as common controls have been assigned for development and implementation.

    • Outline the scope of the assessment.

    • Notify key stakeholder of the upcoming assessment and ensure you have enough resources.

    • Establish communication channels to be used by stakeholders.

    • Set expectations for the assessment timeframe, including key milestones.

    • Identify who is responsible for the assessment, whether they are internal resources or an outside vendor.

    • Gather all materials essential for the assessment, like records, policies, manuals, IT vendor agreements, etc.

    • Establish a reporting process by which findings can be shared with the organization.

    Security Control Assessment Team Preparation

    • Researching the organization’s operations to ensure they understand the roles your IT systems play.

    • Learn more about the structure of the systems.

    • Identify the security controls being assessed.

    • Determine which teams are responsible for developing and implementing common controls.

    • Identify the points of contact within the organization for the assessment team.

    • Obtain any materials needed for the assessment.

    • Request and obtain previous assessment results, if any exist.

    • Discuss scope of the assessment with organizational leaders.

    • Develop a security assessment plan.

    These steps are taken to lay the groundwork for an assessment that is efficient and reveals all the pertinent information needed to improve NIST security controls.

    Developing Security Assessment Plans

    The security assessment plan acts as a roadmap for how the assessment will occur. The plan will also outline the objectives that the assessment should fulfill.

    The following steps are the general framework for a security assessment plan.

    • Determine which security controls are to be assessed.

    • Select appropriate procedures to assess the security controls.

    • Tailor assessment procedures.

    • Develop assessment procedures for organization-specific security controls.

    • Optimize selected assessment procedures to ensure maximum efficiency.

    • Finalize a security assessment plan and obtain approval to execute plan.

    Conducting Security Control Assessments

    Once your security assessment plan has been approved by all the necessary stakeholders, you’re ready to conduct your security assessment. The end result of your assessment will be a Security Control Report, which documents the assurance case for your information systems. The report will focus on the viability of your current NIST controls, determining if inherited controls are still effective.

    Conducting the security assessment will require the assessment teams to determine is assessment objectives have been achieved to a Satisfied (S) or Other than Satisfied (O) level. A Satisfied result will indicate that an objective has been met, while an Other than Satisfied result will indicate potential abnormalities that exist in the implementation or operation of a control. Based on these results, you can determine where you need to bolster your security measures.

    Those who conduct your security control assessment should be unbiased parties, who issue a report based on facts and thorough research.


    Analyzing Security Assessment Report Results

    After the assessment report has been drafted, your decision-makers and IT security stakeholders will review the report and make determinations regarding areas where your current security controls should be updated. The Satisfied or Other than Satisfied categorization process increases transparency into the results of the assessment, making it easy for everyone to understand.

    Involving your organization’s leadership team during the analysis process allows them to have input into the allocation of resources to address any changes that should be made. Using the findings outlined in the report, you know exactly where to improve your security controls, and which controls are fully functional.

    Remember that the security control assessment process should be conducted on a regular basis. This is the only way to gauge the ongoing operational health of your organizational systems. Following NIST 800-53 guidelines, you can take an organized, strategic approach to the security assessment process.

    Learn more about the NIST controls you should implement in your organization. Download the DFARS compliance checklist now.


    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts