- Ignyte CMMC Specialist
NIST 800-171 | SECURITY ASSESSMENT
Security assessment requirements should be very simple; however, they can be challenging to implement due to the lack of consistency in interpreting this requirement.
Technically speaking, going through each requirement and control of NIST 800-171 is a form of "security assessment"; however, the requirement also refers to monitoring information systems. The word "monitor" in section 3.12.3 is often interpreted by some professionals as implementing a SIEM solution or similar. The key takeaway here is establishing a frequency for this activity; the type of security assessment can be changed as long as it remains a repeatable activity.
Most organizations today are simply conducting control and requirement reviews on an annual basis and updating documentation as a basic security assessment check. As you review the requirements, you will find that some requirements are not being met, and that will produce a "plan of action", also known as a deficiency register. For effectiveness purposes, we also recommend adding a technical activity such as vulnerability scanning, SIEM monitoring or similar to meet the intent of the security assessment requirements.
Family Name: Security Assessment
3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
Assessments help to:
- Identify weaknesses and deficiencies early in the development process
- Provide essential information needed to make risk-based decisions
- Ensure compliance with vulnerability mitigation procedures
Security assessment reports document assessment results in enough detail to determine the accuracy and completeness of the reports and to ensure that:
- Security controls are implemented correctly
- Security controls are operating as intended
- Security controls are producing the required result
Security assessment outcomes are:
- Up to date and continually maintained
- Relevant to the determination of security control effectiveness
- Obtained with the appropriate level of assessor independence
Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the life cycle.
NIST Special Publication 800-53A provides guidance on developing security assessment plans and for conducting assessments.
NIST Special Publication 800-53 provides guidance on security and privacy controls for systems and organizations.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
The Plan of Action is a vital document in the Information Security Program.
Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented.
Organizations can document the System Security Plan and Plan of Action as separate or combined documents and in any chosen format.
3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions.
The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a rate of recurrence sufficient to support risk-based determinations.
The results of continuous monitoring programs generate appropriate risk response actions by organizations.
Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make more effective and timely risk management decisions.
Automation supports more frequent updates to hardware, software, firmware inventories, and other system information.
NIST Special Publication 800-137 provides guidance on continuous monitoring.
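As an added example (not part of the original article), the following Python script applies the procedure described under 3.12.1 through 3.12.3: a record of assessment results per requirement, a plan-of-action list (the deficiency register) generated from unmet requirements, and a check for controls whose last assessment is older than the agreed frequency. The control identifiers come from the page; statuses, dates, cadences and mitigation text are constructed sample data.

```python
"""Minimal NIST 800-171 assessment tracker (added example, not the page's code).
Turns assessment results into plan-of-action entries and flags controls whose
assessment cadence has lapsed. Statuses, dates and frequencies are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Assessment:
    control: str          # NIST 800-171 requirement identifier (from the page)
    status: str           # "implemented" or "not implemented"
    last_assessed: date   # date of the most recent review of this control
    frequency_days: int   # agreed cadence for this repeatable activity
    mitigation: str = ""  # how the gap will be closed (filled for deficiencies)


def plan_of_action(results, today):
    """Deficiency-register entries (3.12.2) for requirements that are not met."""
    return [
        {"control": r.control, "mitigation": r.mitigation,
         "due": today + timedelta(days=r.frequency_days)}
        for r in results if r.status != "implemented"
    ]


def overdue_assessments(results, today):
    """Controls whose last assessment is older than its frequency (3.12.3)."""
    return [r.control for r in results
            if (today - r.last_assessed).days > r.frequency_days]


# Constructed sample assessment record, not real organizational data.
SAMPLE = [
    Assessment("3.12.1", "implemented", date(2024, 1, 15), 365),
    Assessment("3.12.2", "not implemented", date(2024, 1, 15), 365,
               mitigation="Create and track a combined SSP and plan-of-action document"),
    Assessment("3.12.3", "implemented", date(2023, 6, 1), 90),   # quarterly SIEM review
    Assessment("3.12.4", "implemented", date(2024, 1, 15), 365),
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for item in plan_of_action(SAMPLE, today):
        print(f"POA {item['control']}: {item['mitigation']} (due {item['due']})")
    print("overdue assessments:", overdue_assessments(SAMPLE, today))
```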
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security plans relate security requirements to a set of security controls.
Security plans also overview how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls.
Effective security plans make extensive use of references to policies, procedures, and additional documents.
In turn, this reduces the documentation requirements associated with security programs and maintains security-related information in other established management and operational areas.
Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision.
NIST Special Publication 800-18 provides guidance on developing security plans.