Conduct initial remediation actions on the controls and reassess remediated controls.
Potential Inputs: Completed security and privacy assessment reports with findings and recommendations; security and privacy plans; security and privacy assessment plans; organization- and system-level risk assessment results.
Expected Outputs: Completed initial remediation actions based on the security and privacy assessment reports; changes to implementations reassessed by the assessment team; updated security and privacy assessment reports; updated security and privacy plans including changes to the control implementations.
Primary Responsibility: System Owner; Common Control Provider; Control Assessor.
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Senior Accountable Official for Risk Management or Risk Executive (Function); Information Owner or Steward; Systems Security Engineer; Privacy Engineer; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Development/Acquisition; Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: The security and privacy assessment reports describe deficiencies in the controls that could not be resolved during the development of the system or that are discovered post-development. Such control deficiencies may result in security and privacy risks (including supply chain risks). The findings generated during control assessments provide information that facilitates risk responses based on organizational risk tolerance and priorities. The authorizing official, in consultation and coordination with system owners and other organizational officials, may decide that certain findings represent significant, unacceptable risk and require immediate remediation actions. Additionally, it may be possible and practical to conduct initial remediation actions for assessment findings that can be quickly and easily remediated with existing resources.
If initial remediation actions are taken, assessors reassess the controls. The control reassessments determine the extent to which remediated controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. The assessors update the assessment reports with the findings from the reassessment, but do not change the original assessment results. The security and privacy plans are updated based on the findings of the control assessments and any remediation actions taken. The updated plans reflect the state of the controls after the initial assessment and any modifications by the system owner or common control provider in addressing recommendations for corrective actions. At the completion of the control assessments, security and privacy plans contain an accurate description of implemented controls, including compensating controls.
Organizations can prepare an addendum to the security and privacy assessment reports that provides an opportunity for system owners and common control providers to respond to initial assessment findings. The addendum may include, for example, information regarding initial remediation actions taken by system owners or common control providers in response to assessor findings. The addendum can also provide the system owner or common control provider perspective on the findings. This may include providing additional explanatory material, rebutting certain findings, and correcting the record. The addendum does not change or influence the initial assessor findings provided in the reports. Information provided in the addendum is considered by authorizing officials when making risk-based authorization decisions. Organizations implement a process to determine the initial actions to take regarding the control deficiencies identified during the assessment. This process can address vulnerabilities and risks, false positives, and other factors that provide useful information to authorizing officials regarding the security and privacy posture of the system and organization including the ongoing effectiveness of system-specific, hybrid, and common controls. The issue resolution process can also ensure that only substantive items are identified and transferred to the plan of actions and milestones.
Findings from a system-level control assessment may necessitate an update to the system risk assessment and the organizational risk assessment.[93] The updated risk assessments and any inputs from the senior accountable official for risk management or risk executive (function) determine the initial remediation actions and the prioritization of those actions. System owners and common control providers may decide, based on a system or organizational risk assessment, that certain findings are inconsequential and present no significant security or privacy risk. Such findings are retained in the security and privacy assessment reports and monitored during the monitoring step. The authorizing official is responsible for reviewing and understanding the assessor findings and for accepting the security and privacy risks (including any supply chain risks) that result from the operation of the system or the use of common controls.
In all cases, organizations review assessor findings to determine the significance of the findings and whether the findings warrant any further investigation or remediation. Senior leadership involvement in the mitigation process is necessary to ensure that the organization’s resources are effectively allocated in accordance with organizational priorities—providing resources to the systems that are supporting the most critical missions and business functions or correcting the deficiencies that pose the greatest risk.
References: [SP 800-53A]; [SP 800-160 v1] (Verification and Validation Processes).
[93] Risk assessments are conducted as needed at the organizational level, mission/business level, and at the system level throughout the SDLC. Risk assessment is specified as part of the RMF Prepare-Organization Level step, Task P-3 and RMF Prepare-System Level step, Task P-14.