RMF Step 4 - Security Control Assessment
Assurance Case
A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
Penetration Testing
A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.
Coverage
An attribute associated with an assessment method that addresses the scope of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values hierarchically from less to more are: basic, focused, and comprehensive.
Continuous Monitoring
Maintaining ongoing awareness to support organizational risk decisions.
Assessment Object
The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
Environment of Operation
The physical surroundings in which an information system processes, stores, and transmits information.
Tailoring (Assessment Procedures)
The process by which assessment procedures defined in Special Publication 800-53A are adjusted, or scoped, to match the characteristics of the information system under assessment, providing organizations with the flexibility needed to meet specific organizational requirements and to avoid overly constrained assessment approaches.
Security Control Assessment
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Network Sniffing
A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.
Assessment Procedure
A set of assessment objectives and an associated set of assessment methods and assessment objects.
Internal Security Testing
Security testing conducted from inside the organization's security perimeter.
External Security Testing
Security testing conducted from outside the organization's security perimeter.
Passive Security Testing
Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.
Active Security Testing
Security testing that involves direct interaction with a target, such as sending packets to a target.
Security Control Effectiveness
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Security Assessment Plan
The objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment.
Root Cause Analysis
A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.
Assessment Objective
A set of determination statements that express the desired outcome for the assessment of a security control or control enhancement.
Comprehensive Testing
A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.
Basic Testing
A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
Focused Testing
A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing.
Examine
A type of assessment method characterized by checking, inspecting, reviewing, observing, studying, or analyzing assessment objects to facilitate understanding and achieve clarification (or obtain evidence) to support the determination of security control effectiveness over time.
Interview
A type of assessment method characterized by conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence; the results are used to support the determination of security control effectiveness over time.
Specification
An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.
Activities
An assessment object that includes specific protection-related actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
Depth
An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values hierarchically from less to more are: basic, focused, and comprehensive.
Executive Agency
An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
Assessment Findings
Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
Rules of Engagement (ROE)
Detailed guidelines and constraints regarding the execution of information security testing. The BLANK is established before the start of the security test and gives the test team authority to conduct defined activities without the need for additional permissions.
Assessment Method
One of the three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
Vulnerability Assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Supplementation (Assessment Procedures)
The process of adding procedures or details to assessment procedures in order to adequately meet the organization's risk management needs.