1
00:00:00,000 --> 00:00:02,460
Now that your controls are implemented,

2
00:00:02,460 --> 00:00:03,660
you'll have to assess them

3
00:00:03,660 --> 00:00:06,090
to make sure they're correctly configured,

4
00:00:06,090 --> 00:00:08,280
operating as you intended,

5
00:00:08,280 --> 00:00:11,970
and producing the needed outcomes for your system.

6
00:00:11,970 --> 00:00:15,660
There are six tasks in step number five,

7
00:00:15,660 --> 00:00:18,360
and this step is called assess.

8
00:00:18,360 --> 00:00:21,360
Now, let's go through the tasks together.

9
00:00:21,360 --> 00:00:23,670
When you complete task A-1,

10
00:00:23,670 --> 00:00:26,790
you'll have an assessor or an assessment team

11
00:00:26,790 --> 00:00:29,670
selected to evaluate your controls.

12
00:00:29,670 --> 00:00:31,440
No matter who does step number five,

13
00:00:31,440 --> 00:00:34,770
your senior security and privacy officers

14
00:00:34,770 --> 00:00:37,440
will be responsible for making sure the assessments

15
00:00:37,440 --> 00:00:40,050
are complete and documented.

16
00:00:40,050 --> 00:00:42,360
As you select your assessors,

17
00:00:42,360 --> 00:00:43,860
keep in mind that they must have

18
00:00:43,860 --> 00:00:46,050
enough feelings of independence

19
00:00:46,050 --> 00:00:48,840
to be able to make truthful judgements.

20
00:00:48,840 --> 00:00:50,760
Among other factors in play,

21
00:00:50,760 --> 00:00:52,620
their level of independence will be affected

22
00:00:52,620 --> 00:00:57,620
by whether your assessors are in-house versus contracted.

23
00:00:57,810 --> 00:01:00,420
Now, when you complete task A-2,

24
00:01:00,420 --> 00:01:04,290
you'll have developed, reviewed, and approved the plans

25
00:01:04,290 --> 00:01:07,620
that you'll follow to assess your controls.

26
00:01:07,620 --> 00:01:10,860
Now, these plans should be created by the assessors

27
00:01:10,860 --> 00:01:13,920
that you selected in task A-1.

28
00:01:13,920 --> 00:01:15,660
They can make a plan for the assessment

29
00:01:15,660 --> 00:01:18,150
that is either a single integrated plan

30
00:01:18,150 --> 00:01:21,420
for both security and privacy controls,

31
00:01:21,420 --> 00:01:25,770
or they can be two plans, one for each category.

32
00:01:25,770 --> 00:01:28,140
Assessment plans should also include an evaluation

33
00:01:28,140 --> 00:01:29,820
of the control objectives

34
00:01:29,820 --> 00:01:33,870
and the assessment procedures for each control.

35
00:01:33,870 --> 00:01:36,450
Once the assessment plans are created,

36
00:01:36,450 --> 00:01:38,700
they should be reviewed and approved

37
00:01:38,700 --> 00:01:40,980
by the authorizing official.

38
00:01:40,980 --> 00:01:43,950
Your next task is A-3.

39
00:01:43,950 --> 00:01:45,120
When it's finished,

40
00:01:45,120 --> 00:01:47,760
your controls assessment will be complete,

41
00:01:47,760 --> 00:01:51,270
and you'll have evidence that the assessments happened.

42
00:01:51,270 --> 00:01:53,760
It might be appropriate to apply and assess controls

43
00:01:53,760 --> 00:01:56,190
throughout your system development life cycle

44
00:01:56,190 --> 00:01:59,340
if you have an iterative development process.

45
00:01:59,340 --> 00:02:02,550
Something similar is done when assessing controls

46
00:02:02,550 --> 00:02:04,890
in commercial IT products.

47
00:02:04,890 --> 00:02:07,110
You'll also have the option to begin assessing controls

48
00:02:07,110 --> 00:02:09,240
prior to finishing the implementation

49
00:02:09,240 --> 00:02:12,960
of all the controls in your security and privacy plans.

50
00:02:12,960 --> 00:02:14,910
This type of incremental assessment

51
00:02:14,910 --> 00:02:19,170
might be more cost efficient or cost effective for you.

52
00:02:19,170 --> 00:02:21,330
When you finish task A-4,

53
00:02:21,330 --> 00:02:24,210
you'll have security and privacy assessment reports

54
00:02:24,210 --> 00:02:29,210
that detail all the assessor's findings and recommendations.

55
00:02:29,250 --> 00:02:32,100
The amount of detail in the report should be appropriate

56
00:02:32,100 --> 00:02:35,100
to the type of control assessment that was conducted.

57
00:02:35,100 --> 00:02:39,300
Superficial assessment reports may be questioned or rejected

58
00:02:39,300 --> 00:02:41,670
by the authorizing official.

59
00:02:41,670 --> 00:02:44,310
Control assessment results can be documented

60
00:02:44,310 --> 00:02:46,440
in interim reports.

61
00:02:46,440 --> 00:02:49,380
Having interim reports for different assessments

62
00:02:49,380 --> 00:02:52,140
during phases of the SDLC

63
00:02:52,140 --> 00:02:54,900
reinforces the fact that assessment reports

64
00:02:54,900 --> 00:02:58,560
are in fact evolving documents.

65
00:02:58,560 --> 00:03:01,290
Your interim reports then inform

66
00:03:01,290 --> 00:03:04,050
the final assessment report.

67
00:03:04,050 --> 00:03:09,050
Your next task, A-5, begins the remediation actions.

68
00:03:09,300 --> 00:03:10,950
By the end of task A-5,

69
00:03:10,950 --> 00:03:14,100
you'll have completed your initial remediations

70
00:03:14,100 --> 00:03:17,880
based on your security and privacy assessment reports.

71
00:03:17,880 --> 00:03:19,890
Then, you'll update your original reports

72
00:03:19,890 --> 00:03:22,500
to include any changes that you made

73
00:03:22,500 --> 00:03:25,170
to the control implementations.

74
00:03:25,170 --> 00:03:27,990
If significant security or privacy risks

75
00:03:27,990 --> 00:03:30,030
are discovered during the assessment,

76
00:03:30,030 --> 00:03:32,940
then those should be mitigated as soon as possible.

77
00:03:32,940 --> 00:03:36,270
Less severe risks that are quick and easy to mitigate

78
00:03:36,270 --> 00:03:37,620
can be done later.

79
00:03:37,620 --> 00:03:39,720
However, it may be more practical

80
00:03:39,720 --> 00:03:42,750
to conduct initial mitigations for assessment findings

81
00:03:42,750 --> 00:03:46,053
that are easy to fix with existing resources.

82
00:03:46,980 --> 00:03:49,050
Your organization can prepare an addendum

83
00:03:49,050 --> 00:03:52,260
to your security and privacy assessment reports

84
00:03:52,260 --> 00:03:53,400
that provides an opportunity

85
00:03:53,400 --> 00:03:56,310
for system owners and control providers

86
00:03:56,310 --> 00:03:58,410
to respond to your assessment.

87
00:03:58,410 --> 00:04:00,390
This addendum could have information

88
00:04:00,390 --> 00:04:02,580
about initial mitigation actions

89
00:04:02,580 --> 00:04:05,730
and additional details about the findings.

90
00:04:05,730 --> 00:04:08,130
Findings from control assessments may lead

91
00:04:08,130 --> 00:04:11,730
to needing an update to your system risk assessment

92
00:04:11,730 --> 00:04:15,210
and your organization risk assessment as well.

93
00:04:15,210 --> 00:04:17,880
Your next task is A-6,

94
00:04:17,880 --> 00:04:19,170
and when you finish it,

95
00:04:19,170 --> 00:04:21,990
you'll have a plan of action and milestones

96
00:04:21,990 --> 00:04:24,810
that's also known as a POAM,

97
00:04:24,810 --> 00:04:27,870
and it'll show you how to mitigate the deficiencies

98
00:04:27,870 --> 00:04:30,000
that are contained in the security

99
00:04:30,000 --> 00:04:32,820
and privacy assessment reports.

100
00:04:32,820 --> 00:04:34,710
Your POAM will describe the actions

101
00:04:34,710 --> 00:04:37,020
that are planned to correct the deficiencies

102
00:04:37,020 --> 00:04:38,310
in your controls

103
00:04:38,310 --> 00:04:41,190
that were discovered during the assessment of the controls,

104
00:04:41,190 --> 00:04:44,340
as well as during continuous monitoring.

105
00:04:44,340 --> 00:04:48,270
A POAM also includes the tasks to be accomplished,

106
00:04:48,270 --> 00:04:49,950
recommendations for completion

107
00:04:49,950 --> 00:04:53,280
before or after system authorization,

108
00:04:53,280 --> 00:04:56,400
the resources required to accomplish the tasks,

109
00:04:56,400 --> 00:04:59,460
milestones established to meet the task,

110
00:04:59,460 --> 00:05:01,350
and scheduled completion dates

111
00:05:01,350 --> 00:05:04,260
for the milestones and the tasks.

112
00:05:04,260 --> 00:05:08,550
All right, that's all the tasks in step number five,

113
00:05:08,550 --> 00:05:10,871
which is called assess.