Which of the following is the function of the NIST Cybersecurity Framework that involves taking action on a detected cybersecurity breach?

Implementing and assessing security via the Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) was published to create a common vernacular and approach to cybersecurity evaluations for all sectors of the nation's critical infrastructure. It has since gained widespread adoption in the private sector as well. It takes pains not to be overly prescriptive, to give organizations that wish to use the CSF the maximum amount of leeway in developing their implementation.

The CSF is designed with common and accessible language which is understandable by many professionals. It is adaptable to many technologies, life-cycle phases, sectors, and uses and is meant to be customized to each usage and industry sector. The CSF is risk-based focus with a catalog of cybersecurity outcomes but does not provide how little or how much cybersecurity is appropriate, since risk for each organization is unique to its own industry. The general process flow closely mirrors the process described in this document. It includes the following steps:

Prioritize and scope

Orient

Create a current profile

Conduct a risk assessment

Create a target profile

Determine, analyze, and prioritize gaps

Implement action plan

The Framework defines four tiers of maturity, from which it acknowledges that organizations should not necessarily strive for Tier 4 (highest maturity) in all aspects of their cybersecurity because that is likely more than the organization needs on some topics. Rather, each organization should evaluate its own situation and craft the security best suited to accomplish its organizational needs.

Five major functions of cybersecurity are identified in the Framework, which are further broken down into 23 Categories, and still further into 108 Subcategories. Each Subcategory may or may not apply in a given situation, and even those that apply may be adequately addressed by a low maturity level. The Functions, Categories, and Subcategories are visible in figures shown below along with references to other standards as they apply to each Subcategory.

Current Profile

If the chosen Framework for the assessment is the NIST Cybersecurity Framework, the exercise below will result in a Current Profile of the organization. If a different Framework is chosen, the assessor should still proceed with this section as written, as it will provide him or her with a snapshot for characterizing the strengths and weaknesses of the organization's security program, which will be useful when forming conclusions to present to the customer, and particularly when helping the customer understand their risk tolerance.

Reviewing the findings documented by the actions above, the assessor should assign a rating to each NIST Cybersecurity Framework Subcategory, according to the following criteria.

	Subcategory Rating
Capability claim	Strong	1.5	3	4
Partial	1	2	2.5
Weak	0	1.5	1.5
		Unsubstantiated	Policies and Processes	Validated
		Confidence

Use the following definitions for interpreting the matrix above:

Capability Claim

•

Strong—The Subcategory is both highly effective and has been implemented throughout most, if not all, of the organization

•

Partial—The Subcategory is either highly effective but implemented across only a minority of the organization or is in place throughout the organization but is marginal in its efficacy

•

Weak—The Subcategory has either not been implemented at all, or is partially implemented and marginally effective

Confidence

•

Validated through testing—An independent party has evaluated the capability and found it to align with the rating. For example, a claim of Strong has been made regarding data leakage protection, and Internal Audit (or another independent source) has formally evaluated the capability and found no deficiencies that would disqualify it from a Strong rating. Testing must ensure the capability functions consistent with the organization's procedures.

•

Substantiated by Policies and/or Processes—The organization has formally defined expectations regarding the capability (usually thru policies and/or processes) that help to reduce the likelihood of the capability being ineffective or not meeting expectations.

•

Unsubstantiated—There are no formal policies or processes that formally establish expectations for this capability, which increases the likelihood of it being ineffective.

Once the rating for each Subcategory has been determined, all Subcategory ratings within a given Category should be averaged to determine the maturity tier, consistent with the CSF definitions. A Subcategory average that is not a whole number should be truncated rather than rounded. For example, if the six Subcategories within Identify—Asset Management (ID.AM) average a 2.7 rating, the current maturity tier for the ID.AM Category is determined to be Tier 2, Risk Informed.

The assessor should utilize the Current and Target Profiles spreadsheet on SharePoint, which autopopulates and calculates values according to these criteria. It will produce the following graphs:

The result of the exercise above is a depiction of the security currently being achieved by the organization and serves as a starting point for discussions of risk tolerance and establishing and implementing any mitigation activities (if the NIST Cybersecurity Framework is employed, mitigation planning will proceed by creating a Target Profile). For the organization to understand its risk tolerance, these results should be coupled with the risk exposure values derived in the following section.

Target Profile

Just as the present depiction of the organization's security program maturity makes up the Current Profile, the future-state maturity levels toward which the organization will build are called the Target Profile.

Once the assessor has determined the recommended action plans for each threat event, he or she should look again at the Current and Target Profiles spreadsheet and determine which maturity ratings would change if the organization fully implemented the recommendations (using the definitions in Section 5.4). Each future-state determination regarding Capability Claim and Confidence should be recorded in the spreadsheet and will produce the following graphs:

NIST Cyber Security Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was created specifically to strengthen protection for companies classified as critical infrastructure, however the CSF’s sphere of influence has quickly expanded. Organizations beyond those classified as critical infrastructure have also been looking to the CSF for guidance. Although compliance with the CSF standards is voluntary, it has emerged as the standard against which organizations are judged after a data breach occurs.

The CSF is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. These core functions are then further branched into several tiers “which describe the level of sophistication and rigor an organization employs in applying its cyber security practices.”9 Much has been written about the CSF, its core functions and organizational impacts, so we won’t dive too deeply into the framework. Please familiarize yourself with these standards as they apply to your organization. When you begin the process of implementing threat forecasting practices in your organization (explained in Chapter 9), the NIST CSF may be a useful starting point when implementing phase one and evaluating your organization’s current cyber security practices, policies and procedures.

Finding a Job

11 Security and Privacy for Intelligent Transportation Infrastructure

Generically, the (draft) NIST Cybersecurity Framework for Critical Infrastructure [84] provides a framework to guide organizations in securing their critical infrastructure. The NIST framework adopts a risk management approach consisting of five core functions: identify, protect, detect, respond, and recover. Identify encompasses threat characterization, while protect, detect, and respond address the usual cybersecurity defensive mechanisms and incidence response deployed in (IT) security. Recover is of particular importance in critical infrastructure, because appropriate recovery ensures the resilience of the infrastructure. The NIST framework has been adopted and specialized by multiple ITS domain-specific cybersecurity policies [85].

Much of the prior work in ITS security focuses on V2V and VANET [86], or on threats to the infrastructure that come from other sources besides V2I [87–90]. Much more work needs to be done in examining the threat landscape that V2I introduces against the transportation infrastructure, and then ensuring that cybersecurity approaches for ITS are resilient to attacks coming from any new attack vectors.

The impact on privacy caused by integration of V2I and ITS also has received quite a bit of attention. Cottrill [91] examines the problem and solution space for privacy concerns with respect to the emerging V2I-ITS integration. Glancy [60] discusses, among other topics, the legal and policy issues caused by V2I/I2V, including privacy concerns and security challenges. Privacy is also a repeated theme of concern in the proposed rules for V2V communications, especially as they rely on PKI and network infrastructure [43]. Lederman et al. [92] survey privacy protections in ITS and propose solutions for privacy protection in ITS data collection and storage.

The business side of security

Building an intelligence-led security strategy, whether using a continuous monitoring framework, Cybersecurity Framework, or another security, requires being able to translate security activities into a language that the business side of the organization can understand.

Security teams, and even chief information security officers (CISOs), tend to speak in technical terms. Security leaders say things like, “We blocked 3000 attacking IP addresses last month” or “We stopped 20% more spam.” These are important, but they don’t make a business case for why security is so important to the organization. Of course, the security industry doesn’t help as these are the same types of metrics that security vendors use to sell their products. Security vendors will tell their customers things like, “We release 100,000 new signatures a month” or “Our product is capable of monitoring at 1000 Gbps.”

None of these conversations translate into something that explains to the business side of the organization what value the security spend adds to the bottom line. But it doesn’t have to be that way. The evidence for the return on investment that good security practices deliver to organizations appears every day on news sites and the nightly news. The costs associated with a major breach are well documented and demonstrated every time a large company or government organization discloses a missed attack.

According to the Ponemon Institute report, “2014 Cost of Data Breach Study” the average cost of a data breach to an organization is $3.5 million (Ponemon Institute, 2014).

Building an intelligence-led security program allows the security team to change the conversation from one involving bits and bytes to one involving cost savings and value demonstration. It also allows the security team to focus on the larger picture when presenting to senior management or the board.

How does that work? It starts by switching away from discussions about irrelevant numbers. Every organization of any size it targeted by hundreds or thousands of security attacks each day. Trying to turn hundreds or thousands of security incidents each day into increased budget numbers won’t work, as evidenced by the fact that security budgets continue to shrink despite the fact that the number of attacks against any organization are on the rise. Instead of discussing the number of attacks, the focus should be on those attacks that most relevant to the organization, and could have caused the most damage to the organization’s reputation.

The only way to understand which attacks could have caused the most damage to the organization is through the use of cyber threat intelligence. At its most effective, cyber threat intelligences allows an organization to connect artifacts to tools and to adversaries. By tying indicators of compromise to the adversaries behind those indicators, security teams are able to not only focus efforts on those threats that pose the greatest risk to the organization, but explain those actions in terms of tangible savings to the organization.

For example, there are thousands of new vulnerabilities discovered each day. An organization that is able to automate the prioritization of patching vulnerable systems using the Common Vulnerability Scoring System (CVSS) presents a tangible value in terms of manpower saved. Taking it to the next level and prioritizing based not only on the CVSS score, but also on intelligence, such as whether or not the vulnerability is being exploited in the wild and what groups are behind the exploitation, changes the conversation again. Now the conversation is not one of just man-hours; now it is a conversation built around the damage the adversary using an exploit targeting a vulnerability that exists within the organization can cause, based on what that adversary has done in the past. An adversary who has a track record of gaining access to networks and exfiltrating valuable data poses a more significant risk, and an increased cost to the organization if successful, than just a known vulnerability with no context.

The business conversation does not just revolve around threats; it also revolves around justifying the addition of new staff or technology. Instead of discussing the need to increase budget to add a security widget, the conversation changes to adding capability in order to achieve success in meeting the next goal in the IGCND model. Remember that whatever framework is being used to move toward intelligence-led security requires the buy-in from senior management. By expressing new requests in terms of filling gaps in the next phase of the plan, security teams are simply helping to meet the agreed upon goals set by the organization.

From this perspective, adding a new incident response tool does not mean that the security team will be able to respond to security incidents 20% faster. Instead, it means that it fills a gap in phase four of the security plan, which requires proactive protections be in place to prevent security events before they become a problem.

One thing to keep in mind when trying to discuss security in business terms: senior management and the board read the same news stories as the security team. Most board members are aware, albeit sometimes vaguely, of the threats facing their organization. They see the competitors in the news because of the breach that wound up leaking a million credit cards, and they don’t want to be next. The leadership of the organization has an obligation to protect the organization and its assets from outside threats. The leadership wants to enable the security team to protect the organization and, as long as the requests are put in a language that leadership speaks, they will do so.

5.5 Market Incentives

In February 2014, the National Institute of Standards and Technology (NIST) released Version 1 of White House Executive Order 13636—Cybersecurity Framework, an initial structure for organizations, government, and customers to use in considering comprehensive cyber-security programs (WH, 2013). In April 2015 a NIST presentation provided a status report on the evolving framework (NIST, 2015). The framework broadly addresses the specific needs that are discussed in the previous section, but without the required specificity to illuminate the complexity associated with anticipatory physical system solutions. Past efforts to establish market incentives for improved information system cyber security illustrate the consequences of inaction, and also demonstrate the uncertainties and difficulties surrounding anticipatory actions. The example provided by information systems highlights the importance of initiating early data collection efforts so that incidents can be assessed for potential cyber attacks and confirmed attacks can be documented. With this evidence in hand, it will be easier to evaluate next-step responses and incentives for anticipatory forms of cyber security will be increased. As emphasized above, it will be difficult to motivate anticipatory solutions without confirmation that attacks on physical systems are actually occurring. The National Highway Safety Traffic System (NHTSA), through guidance that they are providing for improving automobile-related cybersecurity, has taken encouraging steps to anticipate some of the needs addressed above (USDOT, 2016). A potential sequence of events is that data collection starts early and provides incontrovertible evidence of attacks on physical systems, which then drives the development of the needed government, industry, and consumer relationships that underpin market incentives for investment in anticipatory cyber security. As suggested above, attacks on physical systems generally pose a much greater risk to human safety than attacks on information systems. Therefore it may be easier to motivate firms and policymakers to invest in physical system security, since potential consequences are so severe. The development of data curation processes that could promote the involvement of appropriate government, industry, and consumer groups appears to be a critical early step towards achieving market incentives.

Improving Cybersecurity

According to a 2009 report from IGI Global, as written by Marlyn Kemper Littman, entitled “Satellite Network Security,” satellite transmissions are subject to lengthy delays, low bandwidth, and high bit-error rates that adversely affect real-time, interactive applications such as videoconferences and lead to data corruption, performance degradation, and cyber incursions [10]. Littman goes on to say that multiple layers of security covering all aspects of the satellite’s ecosystem are needed to protect satellite networks adequately. This includes policies and legislation requiring minimum necessary security protocols and standards. The Defense Information Systems Network Satellite Transmission Services Global (DSTS-G) Performance Work Statement states that:

DODD 8581.1 E requires that commercial satellites used by the Department of Defense employ NSA-approved cryptography to encrypt and authenticate commands to the satellite if supporting Mission Assurance Category (MAC) I or II missions as defined in DoD Directive 8500.1. While NSA approved cryptography is preferred for satellites supporting MAC III missions, cryptography commensurate with commercial best practices is acceptable for encrypting and authenticating commands to satellites that only support MAC III missions.

The change in cryptography requirements is for commercial interoperability with Department of Defense (DoD) satellite systems. These changes went into effect in 2005 and represent a shift to encrypt using the latest technologies transmitted over higher bandwidth, using mission-specific data networks. The change also calls for continued modifications to the security environment as new threats appear and new solutions are available. The cryptography requirements directly align to the Satellite Internet Protocol Security (SatIPSec) initiative from 2004. This protocol provides for encrypted transmissions using a standard symmetric method that clearly identifies the sender and receiver. SatIPSec used in conjunction with the Satellite-Reliable Multicast Transport Protocol, which provides secure transmission methods for audio and video files, enhances the satellite ecosystem security posture.

There are several areas for improvement in satellite cybersecurity. As with many commercial ventures, the sharing of information is limited owing to the potential for leaking intellectual property or proprietary processes, procedures, and methods. The information and cybersecurity industry is rife with examples of limited information sharing. Most companies are remiss to share information on breaches because of the potential embarrassment public awareness could bring. What is missed is the opportunity to share remediation strategies and information about the attacker. This actionable intelligence could prevent other organizations from experiencing the same fate. Methods of remediation that are successful should be shared across the satellite industry and within federal and state governments. The opportunity to share effective security practices could vastly improve satellite cyber defenses. Information sharing coupled with the appropriate education and awareness-raising efforts for the satellite industry is an effective method of propagating actionable intelligence.

Until recently, organizations did not agree on what represented an attack. The underlying issue is the use of a common taxonomy relative to satellite security. Incorporating already defined words, phrases, and concepts from the information security community can and will speed up the adoption and integration of a common book of knowledge regarding satellite cybersecurity. Just as websites and applications on the Internet are subject to continuous probes, scans, denial of service, and distributed denial of service activity, the satellite industry faces continuous intentional interference and jamming. The satellite industry could learn how to adopt methods of interference and jamming prevention by incorporating proven principles and methods achieved over years of parallel activity on the Internet. In addition, organizations managing satellites need to distinguish between advertent and inadvertent events and events that are intentional and unintentional. The data points gathered by the scores of government and commercial satellite organizations worldwide could be organized into information that is analyzed for links, tendencies, and trends to help devices’ ever-changing defenses to transmission penetration and jamming. The underlying premise is information sharing for the benefit of nonhostile entities to improve their defensive, preventive, and even predictive countermeasures through intelligence analysis of satellite-specific data points using proven methods in cybersecurity. An organization such as the National Council of Information Sharing and Analysis Centers (ISAC) could sponsor or propose an ISAC specific to the satellite industry adopting proven methods across member ISACs to assist in information-sharing activities. The Communications ISAC could further expand into the satellite industry with specific goals, emphasizing sharing information used to mitigate and prevent typical satellite-related impacts on confidentiality, integrity, and availability.

Many members of the cybersecurity industry may overlook the physical security aspects of satellite security. As any centralized management function, satellite monitoring and maintenance are performed from a ground location. Data centers require hardened perimeters and multiple layers of redundancy. Satellite ground controls stations require the same level of attention to security detail. These facilities should have standardized closed-circuit television and access control methods. Security guards performing 24×7 monitoring and response and employee training and awareness programs must be in place. Many ground control stations are not equipped to withstand electromagnetic plus radiological fallout, or instances of force majeure. They lack what many in the IT industry would term standard requirements for availability. Furthermore, many ground control stations are within proximity of public areas, providing potentially easy access for those with malicious intent. Standards for the continuity of operations for ground control stations should include conditioned and generated power, as well as backup locations in varied geographic locations with an inventory of equipment available in case of an incident. Ground control centers should also practice disaster recovery and business continuity through regularly scheduled exercises. The points mentioned here are standard functions of an IT data center that can and should be applied to the satellite industry. All ground control stations should have centralized and backup network operations, security operations, and satellite operations centers integrated into a cohesive monitoring and data-sharing environment.

Several “anti” solutions should be tested and embedded in each satellite’s ecosystem based on risk. Sensitive or military satellites should be required to provide antijamming, antispoofing, and antitampering capabilities consistently and continually that can be monitored by the ground control station. Ground control stations need to be outfitted with prevention-based cybersecurity solutions that prevent or detect penetrations, prevent malware and data exfiltration, and monitor, record, and analyze malware characteristics.

Another concept for all US-based satellites is the use of all appropriate satellites to act as a sensor while in orbit. The idea is for each satellite to share information on surveilled targets after agreeing to install a government payload or sensor that provides a space-based surveillance and warning network. This concept borrows from cybersecurity technologies using sensors to monitor network activity across government or commercial entities. The government could offer some type of concession or support to the commercial organization in exchange for carrying the nonintrusive payload.

Although many of the recommendations are already a regular occurrence in military satellite systems, commercial systems do not necessarily require the same level of security or scrutiny. Regardless, interference and jamming of satellite-controlled devices under the military’s purview and the penetration of malware of ground control stations indicate a need for increased attention to security, whether cyber or of a more traditional need. A call for all satellite ecosystems to undergo assessment and authorization procedures as defined in the Federal Information Security Management Act and as detailed on the DoD Information Assurance Certification and Accreditation Process (DIACAP) may be warranted based on the role satellites have in critical infrastructures. The use of DIACAP and DSTS-G can arrive at cybersecurity framework standardization for satellites (see checklist: An Agenda for Action for Implementing Cybersecurity Framework Standardization Methods for Satellites). They can help drive mitigation measures using onboard satellite radio-frequency encryption systems.

An Agenda for Action for Implementing Cybersecurity Framework Standardization Methods for Satellites

Standardization can introduce methods such as carrier lockup, uniqueness, autonomy, diversity, and out-of-band commanding (check all tasks completed):

Carrier lockup is a method used to maintain steady and continuous communication between satellite and the ground control stations, ensuring no other transmissions can be inserted from unauthorized ground control stations [11].

Uniqueness provides each satellite with a unique address much like a personal computer’s media access control address [11].

Autonomy is a predefined protocol of self-operation, giving the satellite the capability to operate autonomously for certain periods in case there is some type of interference or jamming [11].

Diversity provides diverse and redundant routes for transmitting data, much like the use of multiple Internet connections from different providers in a data center [11].

Out-of-band commanding provides unique frequencies not shared by any other traffic or ground control stations [11].

When it comes to ground-based network operations centers and security operations centers, traditional cybersecurity standards and controls apply for both physical and virtual measures. Much the same applies to interference. Interference in the satellite ecosystem comes from several sources such as human error, other satellite interference, terrestrial interference, equipment failure, and intentional interference and jamming [11].

The satellite industry continues to take steps to mitigate and deliver countermeasures to various types of interference. Use of various types of shielding, filters, and regular training and awareness can help reduce most types of interference. Intentional or purposeful interference is not remediated through these measures. The satellite industry has created an IT mirror process and procedure called the Purposeful Interference Response Team (PIRT). Many of the same methods, processes, and procedures used in a computer emergency response team program have been adopted for use in the PIRT. Root cause analysis of PIRT incidents is shared back into the process and out to satellite owners to ensure that effective security practices and countermeasures are shared across the industry. Communications and transmission security measures are employed using standards such as those defined by the National Institutes of Standards and Technology and its Federal Information Process Standard 140–2.

As the satellite industry continues to move toward traditional IT-type hybrid networks, satellites will be subjected to the same types of IT vulnerabilities that ground-based systems experience today. Issues associated with this migration are apparent but so, too, are the solutions. Cybersecurity standards, processes, procedures, and methods are available without the need for creating them anew. Regardless, their application is required in the design phase of the satellite ecosystem to be fully effective. Onboard IT systems provide greater features and real-time modifications, but they also introduce traditional IT vulnerabilities and exploits if not managed properly.

NIST Cybersecurity Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.

The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. [2]

SP 800-53A

An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security or privacy control under assessment. The determination statements are linked to the content of the security or privacy control (i.e., the security/privacy control functionality) to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security or privacy control produces assessment findings. These findings reflect, or are subsequently used, to help determine the overall effectiveness of the security or privacy control.

Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with an information system. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within an information system. Activities are the specific protection-related actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.

Assessment methods define the nature of the assessor actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Assessment methods have a set of associated attributes, depth and coverage, which help define the level of effort for the assessment. These attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurances that may be needed for some information systems. The depth attribute addresses the rigor of and level of detail in the examination, interview, and testing processes. Values for the depth attribute include basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes including the number and type of specifications, mechanisms, and activities to be examined or tested, and the number and types of individuals to be interviewed. Similar to the depth attribute, values for the coverage attribute include basic, focused, and comprehensive. The appropriate depth and coverage attribute values for a particular assessment method are based on the assurance requirements specified by the organization. As assurance requirements increase with regard to the development, implementation, and operation of security and privacy controls within or inherited by the information system, the rigor and scope of the assessment activities (as reflected in the selection of assessment methods and objects and the assignment of depth and coverage attribute values) tend to increase as well.3

“In addition to selecting appropriate assessment methods and objects, each assessment method (i.e., examine, interview, and test) is associated with depth and coverage attributes that are described in (SP 800-53A), Appendix D. The attribute values identify the rigor and scope of the assessment procedures executed by the assessor. The values selected by the organization are based on the characteristics of the information system being assessed (including assurance requirements) and the specific determinations to be made. The depth and coverage attribute values are associated with the assurance requirements specified by the organization (i.e., the rigor and scope of the assessment increases in direct relationship to the assurance requirements).4

RMF step 4—assess security controls

The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

SP 800-37, rev. 2 Table 7.1 provides a summary of tasks and expected outcomes for the RMF Assess step. Applicable Cybersecurity Framework constructs are also provided (Fig. 7.1).

Table 7.1. Assess tasks and outcomes5.

Tasks	Outcomes
TASK A-1 ASSESSOR SELECTION	• An assessor or assessment team is selected to conduct the control assessments.
• The appropriate level of independence is achieved for the assessor or assessment team selected.
TASK A-2 ASSESSMENT PLAN	• Documentation needed to conduct the assessments is provided to the assessor or assessment team.
• Security and privacy assessment plans are developed and documented.
• Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required.
TASK A-3 CONTROL ASSESSMENTS	• Control assessments are conducted in accordance with the security and privacy assessment plans.
• Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered.
• Use of automation to conduct control assessments is maximized to increase speed, effectiveness, and efficiency of assessments.
TASK A-4 ASSESSMENT REPORTS	• Security and privacy assessment reports that provide findings and recommendations are completed.
TASK A-5 REMEDIATION ACTIONS	• Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken.
• Security and privacy plans are updated to reflect control implementation changes made based on the assessments and subsequent remediation actions. [Cybersecurity Framework: Profile]
TASK A-6 PLAN OF ACTION AND MILESTONES	• A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment reports is developed. [Cybersecurity Framework: ID.RA-6]

As part of the Risk Management Framework, SP 800-37, rev. 2 provides an updated listing of the tasks and guidance for each task during the prosecution of the Assessment Phase.

Figure 7.1. SP 800-53A assessment case flow.