Assessment Architecture
Security Assessment Plan (SAP)
System Name: Student Name
Section 1.1 - Provide a complete list of hardware consistent with the architecture diagram. List each asset/host individually by hostname or unique identifier.
Baseline Hardware List

| Device Name (Unique Identifier) | Manufacturer | Model Number | Firmware / OS | Purpose | Optional Field (might include fields such as Building and Room, IP, Approval Status using the DISA approved HW list, Common Criteria certification, etc.) |
|---|---|---|---|---|---|
| Router1 | Cisco | ISR 4221 | 15.5 | Perimeter Router | |
| *ADD ROWS AS NEEDED* | | | | | |
Section 1.2 - Provide testable software components, such as IA-enabled applications and operating systems.
Baseline Software List

| Manufacturer | Name | Version | Function | Optional Field (might include fields such as Licence Expiration, Approval Status using the DISA approved SW list, Common Criteria certification, etc.) |
|---|---|---|---|---|
| Adobe | Acrobat Pro | Acrobat 19.010.20069 | Document Creation | |
| *ADD ROWS AS NEEDED* | | | | |
Section 1.3 - Provide a copy of the architecture diagram and complete the assessment location fields. [Text] is provided as sample content only, replace with system-specific content.
Not required for Assignment.

Architecture / Assessment Boundary Diagrams

Embed (or provide separately) a copy of the architecture diagram used to develop this SAP. Do not reference an architecture diagram uploaded in eMASS, as eMASS artifacts can be changed over time and, if changed, may invalidate this SAP. Changes to the architecture diagram require an update to the SAP and may require additional SCA review and approval. Consult the assigned SCA Liaison as needed.

Embed Diagram Here:

Instructions:
1. Click on this cell
2. Choose 'Insert Object'
3. Use the 'Create From File' tab and locate the file
4. Check the box 'Display as Icon'
5. Click 'OK'

Assessment Location

| Location(s) | Environment Type (Dropdown) |
|---|---|
| | |
Assessment Methods
RMF SAP Continued
Section 2.0 - Complete all fields in this tab, ensuring consistency with the 'Assessment Architecture' tab.
Section 2.1 - List each assessment method that will be executed as part of the Security Assessment Plan in the "Test Battery" column. List all hosts with the method that will be used to assess in the "Test Target" column; this field should include every target hostname, whenever applicable. Include the verification method that will be used by the validator and how the results/output will be captured in the corresponding fields.
Requirements Traceability
| Test Battery | Test Target (Component, Software, Technology, or Policy) | Verification Method: (E) Examine, (I) Interview, (T) Test | Output |
|---|---|---|---|
| NIST SP 800-53A Rev4 Security Controls Assessment Procedures for L – L – L | System | E, I, T | Procedures and results will be captured in a spreadsheet for each applicable security control assessment procedure |
| Assured Compliance Assessment Solution (ACAS) Vulnerability scan(s) | All assets | T | Results will be provided as a .nessus file |
| Traditional Security Technical Implementation Guide (STIG) | System | E, I, T | STIG Viewer .ckl results will be provided |
| Enclave Testing Security Technical Implementation Guide (STIG) | System | E, I | STIG Viewer .ckl results will be provided |
| Network Perimeter Router L3 Switch STIG - Ver 8, Rel 32 | Router1 | E, I, T | STIG Viewer .ckl results will be provided |
| Firewall SRG - Ver 1, Rel 3 | Firewall1 | E, I, T | STIG Viewer .ckl results will be provided |
| Network Layer 2 Switch STIG - Ver 8, Rel 27 | Switch01, Switch02 | E, I, T | STIG Viewer .ckl results will be provided |
| *ADD ROWS AS NEEDED* | | | |
Assessment Personnel & Schedule
Section 3.0 - Complete all fields in this tab
Section 3.1 - Provide a list of assigned personnel.
Assessment Personnel

| Title | Name | Telephone | Email Address |
|---|---|---|---|
| Program Manager | | | |
| Validator | | | |
| Site/Program ISSM | | | |
| ISSE | | | |
| System Administrator | | | |
| *ADD ROWS AS NEEDED* | | | |
Section 3.2 - Provide a schedule of assessment activities. [Text] is provided as sample content only, replace with system-specific content. Events can be modified as needed for each system and are provided only as suggestions.