Requirement text: CA.2.158: Periodically assess the security controls in organizational systems to
determine if the controls are effective in their application.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations assess security controls in organizational systems and the environments in
which those systems operate as part of the system development life cycle. Security controls
are the safeguards or countermeasures organizations implement to satisfy security
requirements. By assessing the implemented security controls, organizations determine if
the security safeguards or countermeasures are in place and operating as intended. Security
control assessments ensure that information security is built into organizational systems;
identify weaknesses and deficiencies early in the development process; provide essential
information needed to make risk-based decisions; and ensure compliance to vulnerability
mitigation procedures. Assessments are conducted on the implemented security controls as
documented in system security plans.
Security assessment reports document assessment results in sufficient detail as deemed
necessary by organizations, to determine the accuracy and completeness of the reports and
whether the security controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting security requirements. Security
assessment results are provided to the individuals or roles appropriate for the types of
assessments being conducted.
Organizations ensure that security assessment results are current, relevant to the
determination of security control effectiveness, and obtained with the appropriate level of
assessor independence. Organizations can choose to use other types of assessment activities
such as vulnerability scanning and system monitoring to maintain the security posture of
systems during the system life cycle.
NIST SP 800-53 provides guidance on security and privacy controls for systems and
organizations. SP 800-53A provides guidance on developing security assessment plans and
conducting assessments.
CMMC CLARIFICATION
As organizations implement security controls, they should avoid a “set it and forget it”
mentality. The security landscape is constantly changing. Reassess existing controls at
periodic intervals in order to validate their usefulness in organizational systems. This will
let you determine if the control is still meeting the needs of the organization. Set the
assessment schedule according to organizational needs. Consider regulatory obligations and
internal policies when assessing the controls.
Typical outputs of the practice include:
• documented assessment results;
• proposed new controls, or updates to existing controls;
• remediation plans; and
• new identified risks.
Example
You are in charge of IT operations in your company. You ensure that security controls are
achieving their objectives. After you implement the controls, you monitor their performance.
You should perform this review as often as necessary to meet:
• your organization’s risk planning needs; and
• any regulations or policies you must follow.
When you assess the controls, document what you find. When you find your controls are not
meeting your requirements, you should act and make changes. You can:
• propose updated or new controls;
• develop a plan to improve the control; and
• document new risks that you find.
You should also document these actions.
References
• NIST SP 800-171 Rev 1 3.12.1
• NIST CSF v1.1 DE.DP-3
• NIST SP 800-53 Rev 4 CA-2