Why is a quality assessment crucial?
An independent assessor should know what evidence to look for when evaluating and testing the effectiveness of various security control implementations.
Suppose that, within that assessment, the assessor incorrectly determines a technical control to be other than satisfied, i.e. not implemented.
This could happen for many reasons:
- Inexperience/lack of technical knowledge
- Poor time management/execution
- Unfamiliarity with NIST/FIPS and federal regulations and mandates
- Not requesting the right artifacts/limited coordination
As a result, unnecessary weaknesses are noted in the security assessment report (SAR).
Plans of Action and Milestones (POA&M) are opened to address the control weaknesses noted within the SAR.
Leadership is misinformed by inaccurate packages.
Assets are assigned to mitigate the weaknesses.
Resources are allocated inaccurately to remediate the false POA&Ms.
The credibility of the remaining security/privacy control assessments is compromised.
Time and money are lost unnecessarily.
This may negatively impact other projects, and potentially critical vulnerabilities are overlooked.
The next re-authorization will sometimes refer to the previous inaccurate assessments, and the snowball continues until your system is selected for audit or exploited.
Certainly, it is true that the cost and time needed will vary significantly, depending on the complexity and seriousness of the security/privacy risks. However, the cost of fixing a project at the planning stage will be a fraction of what is incurred later on.
What are some examples of poorly assessed security controls?
- Controls marked as N/A when they are not, or marked N/A without a risk-based justification of why they are considered N/A; incorrect control inheritance.
- Uses “boilerplate” text copied and pasted repeatedly; contains verbiage not directly relevant to describing how the control is implemented.
- Repeats or rephrases the control requirement instead of describing how it is addressed in the system.
- Where a single control contains multiple requirements, fails to address all of them.