3.5 ASSESS
Purpose
The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
ASSESS TASKS
Table 6 provides a summary of tasks and expected outcomes for the RMF Assess step. Applicable Cybersecurity Framework constructs are also provided.
TABLE 6: ASSESS TASKS AND OUTCOMES
Tasks | Outcomes | |||
TASK A-1 ASSESSOR SELECTION | • An assessor or assessment team is selected to conduct the control assessments. • The appropriate level of independence is achieved for the assessor or assessment team selected. | |||
TASK A-2 ASSESSMENT PLAN | • Documentation needed to conduct the assessments is provided to the assessor or assessment team. • Security and privacy assessment plans are developed and documented. • Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required. | |||
TASK A-3 CONTROL ASSESSMENTS | • Control assessments are conducted in accordance with the security and privacy assessment plans. • Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered. • Use of automation to conduct control assessments is maximized to increase speed, effectiveness, and efficiency of assessments. | |||
TASK A-4 ASSESSMENT REPORTS | • Security and privacy assessment reports that provide findings and recommendations are completed. | |||
TASK A-5 REMEDIATION ACTIONS | • Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken. • Security and privacy plans are updated to reflect control implementation changes made based on the assessments and subsequent remediation actions. [Cybersecurity Framework: Profile] | |||
TASK A-6 PLAN OF ACTION AND MILESTONES | • A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment reports is developed. [Cybersecurity Framework: ID.RA-6] |
Quick link to summary table for RMF tasks, responsibilities, and supporting roles.
Table of contents
- • ASSESSOR SELECTION, TASK A-1
- • ASSESSMENT PLAN, TASK A-2
- • CONTROL ASSESSMENTS, TASK A-3
- • ASSESSMENT REPORTS, TASK A-4
- • REMEDIATION ACTION, TASK A-5
- • PLAN OF ACTION AND MILESTONES, TASK A-6