Description
Background
Once you have a plan for your controls, your authorizing official will grant you an Interim Approval To Test (IATT). Step 4 (Assess) in the Risk Management Framework then provides you with a means to test and self-evaluate whether the implementation plans meet the security control requirements. As a best practice, a third-party assessor will do the same to eliminate conflicts of interest. All results, along with a plan of action and milestones (RMF Step 5), will be provided to the authorizing official, who will decide whether to accept the remaining security risks or request additional security measures.
Deliverables
Reminder: Assume you are using your home computer for work, connecting to the company network through a Virtual Private Network (VPN).
Sensitive Information Warning: It is critical that you do not disclose any vulnerabilities for real-world company networks.
Time Sensitivity Warning: As mentioned above, this spreadsheet contains 551 security controls to assess. Please budget your time accordingly.
1) Primary Artifacts: Copy your implementation plans (Column E) from your previous assignment into Implementation (Column E) of the attached spreadsheet. Assess each control, and use Column F to mark controls as "Pass" or "Fail". This is a binary result; only use Pass or Fail as your input within this column. For not-applicable (N/A) responses in Column E, mark them as "Pass". Document reasons for failed controls in Column G. Completing the spreadsheet in this manner will allow you to filter your table and quickly gather the data required for next week's assignment.
Tip-1: Over time I have found it's easiest to initially set all controls in Column F to "Pass", and then focus on just the controls that fail. Column G does not need notes for controls that pass.
Tip-2: NIST 800-53A (Unit 4 assigned reading) can help you with testing procedures if needed.
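As an added illustration (not part of the assignment materials), the following Python check applies the Column E/F/G rules above to a CSV export of the spreadsheet: it rejects anything in Column F other than an exact Pass or Fail, flags N/A implementations not marked Pass and failed controls with an empty Column G, and lists the failed controls you will carry into the POA&M. The CSV header names and the sample rows are constructed assumptions, not a real assessment.

```python
import csv
import io
from typing import NamedTuple

# Assumed CSV export of the spreadsheet; headers stand in for Column E (Implementation),
# Column F (Result) and Column G (Reason). Rows are constructed sample data.
SAMPLE_CSV = """Control,Implementation,Result,Reason
AC-2,Local accounts on the home workstation reviewed quarterly,Pass,
CA-2,N/A,Pass,
RA-5,Scanner selected but no scan has been run yet,Fail,No scan results to evaluate
SI-2,Patches applied through OS auto-update,fail,
IA-5,N/A,Fail,Marked N/A
"""

VALID_RESULTS = {"Pass", "Fail"}  # Column F is binary; exact spelling only

class Finding(NamedTuple):
    control: str
    problem: str

def is_not_applicable(text: str) -> bool:
    """True when the implementation plan says the control does not apply."""
    return text.strip().lower() in {"n/a", "na", "not applicable"}

def assess_rows(rows):
    """Apply the spreadsheet rules to each row and return (failed, problems):
    controls marked Fail (input for the POA&M) and rows that break the rules."""
    failed, problems = [], []
    for row in rows:
        ctl, result = row["Control"].strip(), row["Result"].strip()
        if result not in VALID_RESULTS:
            problems.append(Finding(ctl, f"Column F must be Pass or Fail, got {result!r}"))
            continue  # cannot classify this row until Column F is corrected
        if is_not_applicable(row["Implementation"]) and result != "Pass":
            problems.append(Finding(ctl, "N/A implementation must be marked Pass"))
        if result == "Fail":
            if not row["Reason"].strip():
                problems.append(Finding(ctl, "Failed control needs a reason in Column G"))
            failed.append(ctl)
    return failed, problems

def load_rows(csv_text: str):
    return list(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    failed, problems = assess_rows(load_rows(SAMPLE_CSV))
    print("Failed controls for the POA&M:", failed)
    for p in problems:
        print(f"{p.control}: {p.problem}")
```

Replace SAMPLE_CSV with the contents of your own exported sheet (File > Save As > CSV) to run it against the full set of controls.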
2) Secondary Artifacts: Find a vulnerability scanner online and run a scan on your system (let your instructor know if you are restricted to a public or government computer, where this step would not be permissible). Update security controls CA-2, RA-5, SI-2, and any other controls that may be affected by the results of your scan.