Link Search Menu Expand Document
NIST SP 800-37

ASSESSMENT REPORTS

TASK A-4

Prepare the assessment reports documenting the findings and recommendations from the control assessments.
Potential Inputs: Completed control assessments and associated assessment evidence.
Expected Outputs: Completed security and privacy assessment reports detailing the assessor findings and recommendations.
Primary Responsibility: Control Assessor.
Supporting Roles: System Owner; Common Control Provider; System Security Officer; System Privacy Officer. System Development Life Cycle Phase: New – Development/Acquisition; Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: The results of the security and privacy control assessments, including recommendations for correcting deficiencies in the implemented controls, are documented in the assessment reports92 by control assessors. Organizations may develop a single, integrated security and privacy assessment report. Assessment reports are key documents in the system or common control authorization package that is developed for authorizing officials. The assessment reports include information based on assessor findings, necessary to determine the effectiveness of the controls implemented within or inherited by the information system. Assessment reports are an important factor in a determining risk to organizational operations and assets, individuals, other organizations, and the Nation by the authorizing official. The format and the level of detail provided in assessment reports are appropriate for the type of control assessment conducted, for example, developmental testing and evaluation; independent verification and validation; independent assessments supporting information system or common control authorizations or reauthorizations; self-assessments; assessments after remediation actions; independent evaluations or audits; and assessments during continuous monitoring. The reporting format may also be prescribed by the organization.

Control assessment results obtained during the system development lifecycle are documented in an interim report and included in the final security and privacy assessment reports. Development of interim reports that document assessment results from relevant phases of the SDLC reinforces the concept that assessment reports are evolving documents. Interim reports are used, as appropriate, to inform the final assessment report. Organizations may choose to develop an executive summary from the control assessment findings. The executive summary provides authorizing officials and other interested individuals in the organization with an abbreviated version of the assessment reports that includes a synopsis of the assessment, findings, and the recommendations for addressing deficiencies in the controls.

References: [SP 800-53A]; [SP 800-160 v1] (Verification and Validation Processes).

92 If a comparable report meets the requirements of what is to be included in an assessment report, then the comparable report would itself constitute the assessment report.