This is the twelfth of a fourteen-piece blog series intended to describe how Ascolta Greenfield environments achieve compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This entry covers the controls contained in the Security Assessment family (requirements 3.12.1 through 3.12.4).
What is it?
A security assessment is the testing and/or evaluation of the management, operational, and technical security requirements on a system to determine the extent to which the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessment also helps determine if the implemented requirements are the most effective and cost-efficient solution for the function they are intended to serve.
Assessment of the security requirements is done on a continuous basis to support near-real-time analysis of the organization's current security posture. Following a complete and thorough assessment of the security requirements, the company decides whether to authorize the system to operate (for a new system) or to continue to operate. Examples of security assessment and authorization requirements include security assessments, system interconnections, plans of action, continuous monitoring, and system security plans.
Companies should periodically assess the security requirements of company systems to determine whether the requirements are effective in their application; develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in company systems; authorize the operation of company systems and any associated system connections; monitor security requirements on an ongoing basis to ensure their continued effectiveness; and document these actions in the System Security Plan.
How does Greenfield solve it?
For technical controls, Greenfield meets the Security Assessment requirements by continuously monitoring compliance of the Greenfield environment and providing a dashboard with near-real-time indicators of compliance. For non-technical controls (process and people), Greenfield provides the client with appropriately scheduled checklists whose results feed the same dashboard, so that both the technical and the procedural evidence are tracked in one place.