ASSESSOR SELECTION

TASK A-1

Select the appropriate assessor or assessment team for the type of control assessment to be conducted.
Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; enterprise, security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
Expected Outputs: Selection of assessor or assessment team responsible for conducting the control assessment.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative.
Supporting Roles: Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Development/Acquisition; Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: Organizations consider both the technical expertise and level of independence [87] required in selecting control assessors. [88] Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of program management, system-specific, hybrid, and common controls, as appropriate. This includes general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware components implemented. In organizations where the assessment capability is centrally managed, the senior agency information security officer may have the responsibility of selecting and managing the security control assessors or assessment teams for organizational systems. As controls may be implemented to achieve security and privacy objectives, organizations consider the degree of collaboration between security control and privacy control assessors that is necessary.

Organizations can conduct self-assessments of controls or obtain the services of an independent control assessor. An independent assessor is an individual or group that can conduct an impartial assessment. Impartiality means that assessors are free from perceived or actual conflicts of interest with respect to the determination of control effectiveness or the development, operation, or management of the system, common controls, or program management controls. The authorizing official determines the level of assessor independence based on applicable laws, executive orders, directives, regulations, policies, or standards. The authorizing official consults with the Office of the Inspector General, chief information officer, senior agency official for privacy, and senior agency information security officer to help guide and inform decisions regarding assessor independence.

The system privacy officer is responsible for identifying assessment methodologies and metrics to determine if privacy controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks. The senior agency official for privacy is responsible for conducting assessments of privacy controls and documenting the results of the assessments. At the discretion of the organization, privacy controls may be assessed by an independent assessor. However, in all cases, the senior agency official for privacy is responsible and accountable for the organization’s privacy program, including any privacy functions performed by independent assessors. The senior agency official for privacy is responsible for providing privacy information to the authorizing official.

References: [FIPS 199]; [SP 800-30]; [SP 800-53A]; [SP 800-55].

[87] In accordance with [OMB A-130], an independent evaluation of privacy program and practices is not required. However, an organization may choose to employ independent privacy assessments at the organization’s discretion.

[88] Some organizations may select control assessors prior to the RMF Assess step to support control assessments at the earliest opportunity during the system life cycle. Early identification and selection of assessors allows organizations to plan for the assessment activities, including agreeing on the scope of the assessment. Organizations implementing a systems security engineering approach may also benefit from early selection of assessors to support verification and validation activities that occur throughout the system life cycle.