Develop, review, and approve plans to assess implemented controls.
Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; supply chain information; enterprise, security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
Expected Outputs: Security and privacy assessment plans approved by the authorizing official.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative; Control Assessor.
Supporting Roles: Senior Agency Information Security Officer; Senior Agency Official for Privacy; System Owner; Common Control Provider; Information Owner or Steward; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Development/Acquisition; Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: Security and privacy assessment plans are developed by control assessors based on the implementation information contained in security and privacy plans, program management control documentation, and common control documentation. Organizations may choose to develop a single, integrated security and privacy assessment plan for the system or the organization. An integrated assessment plan delineates roles and responsibilities for control assessment. Assessment plans also provide the objectives for control assessments and specific assessment procedures for each control. Assessment plans reflect the type of assessment the organization is conducting, including, for example: developmental testing and evaluation; independent verification and validation; audits, including supply chain audits; assessments supporting system and common control authorization or reauthorization; program management control assessments; continuous monitoring; and assessments conducted after remediation actions.
Assessment plans are reviewed and approved by the authorizing official or the designated representative of the authorizing official to help ensure that the plans are consistent with the security and privacy objectives of the organization; employ procedures, methods, techniques, tools, and automation to support continuous monitoring and near real-time risk management; and are cost-effective. Approved assessment plans establish expectations for the control assessments and the level of effort for the assessment. Approved assessment plans help to ensure that appropriate resources are applied toward determining control effectiveness while providing the necessary level of assurance in making such determinations. When controls are provided by an external provider through contracts, interagency agreements, lines of business arrangements, licensing agreements, or supply chain arrangements, the organization can request security and privacy assessment plans and assessment results or evidence from the provider.
References: [SP 800-53A]; [SP 800-160 v1] (Verification and Validation Processes); [SP 800-161]; [IR 8011 v1].