Special Publication 800-53A revision 4, released in December 2014 by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), outlines what Senior Information Systems Security Officers (ISSOs) and Information Systems Owners (ISOs) need to do to comply with U.S. federal laws, Executive Orders, policies, regulations, and standards on security controls. It sets the standard for the structure of security controls.

The structure is organized around the following 18 families of security controls.

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Security Assessment and Authorization
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Personnel Security
  14. Risk Assessment
  15. System and Services Acquisition
  16. System and Communications Protection
  17. System and Information Integrity
  18. Program Management

Each family breaks down into individual members. Some members are a matter of policy, manual processes, or human intervention; others are automated mechanisms generated by the information system server, operating system, or another device.

An example

Audit Generation is a family member of the Audit and Accountability security control. The automatic feature of Audit Generation should be tested with a Platform as a Service (PaaS). Before you start testing, you should use the Risk Management Framework (RMF), which has six steps.

Prepare for the testing: Steps one, two, and three

Step one: The ISO usually categorizes an information system (procurement, personnel, or engineering). Proper categorization helps the Senior ISSO determine what security controls are needed for the information system.

Step two: The Senior ISSO selects appropriate family members of security controls for the information system. They should satisfy user expectations, business requirements, and regulatory compliance.

Step three: The Senior ISSO implements security controls for the information system. She should ensure the design and development for the controls are documented in an appropriate format.

Start testing: Step four

The Senior ISSO assesses security controls, including testing Audit Generation with a PaaS. One example of an audit tool generated by an information system is a log file. The sys admin of the information system is the only person who has access to all log data.

The Senior ISSO should ensure the sys admin turns on the verbose features of the log file and that the log file is recorded chronologically. Then, the Senior ISSO queries the sys admin on the information system’s audit capability and the roles assigned to users working with the system.

In a simple scenario, a worker may have access to limited log data in a human-readable format. He sees the timestamps of the files he creates and modifies; he can’t view the timestamps of the files other workers create and modify.

In another example, a branch manager has access to additional log data. He can view the timestamps of the files all workers accountable to him create and modify. He can’t view log data on the system files that an operating system runs.

When the log file is too difficult to read, a computer program should be available that can transform complex data into a human-readable format that the ISSO can analyze. The only person authorized to run the computer program is the sys admin. This type of application should be tested with a PaaS to make sure the desired results in different scenarios closely correlate with the expected results.

The test results that the Senior ISSO, in coordination with the auditor, will want should include:

  • The number of users who have concurrently accessed the same files;
  • The type of security credentials the users have (e.g., do they have secret or top secret clearance?);
  • The websites users have visited, and how often they visited them;
  • The names of files or applications they have downloaded from a site (are they business-related?);
  • The dates the users sent emails and the recipients’ names; and
  • The number of times a user with improper security credentials attempted to log on.
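The role-scoped log views and one of the test results above can be checked with a small script. The following is an added example, not code from NIST or from any specific PaaS; the log format, user names, role table, and system path prefixes are all assumptions constructed for illustration, and letting a manager see his own file events is also an assumption.

```python
from collections import Counter

# Constructed sample audit log (not from any real system).
# Format assumed for this example: timestamp|user|event|target|result
RAW_LOG = """\
2024-05-01T09:00:12|alice|file_create|/home/alice/q1.xlsx|ok
2024-05-01T09:04:40|bob|file_modify|/home/bob/notes.txt|ok
2024-05-01T09:05:02|root|file_modify|/etc/passwd|ok
2024-05-01T09:07:31|mallory|logon|console|denied
2024-05-01T09:07:45|mallory|logon|console|denied
2024-05-01T09:10:03|carol|file_modify|/home/alice/q1.xlsx|ok
"""

# Hypothetical role assignments: carol manages alice and bob.
ROLES = {"alice": "worker", "bob": "worker", "carol": "manager", "root": "sysadmin"}
REPORTS_TO = {"alice": "carol", "bob": "carol"}
SYSTEM_PREFIXES = ("/etc/", "/var/", "/usr/")  # assumed location of system files

def parse(raw):
    """Turn pipe-delimited lines into dicts, skipping malformed lines."""
    fields = ("time", "user", "event", "target", "result")
    rows = (line.split("|") for line in raw.splitlines() if line.strip())
    return [dict(zip(fields, r)) for r in rows if len(r) == len(fields)]

def visible_to(viewer, records):
    """Return only the records the viewer's role allows them to read."""
    role = ROLES.get(viewer)
    if role == "sysadmin":
        return list(records)  # only the sys admin sees all log data
    if role == "manager":
        allowed = {u for u, m in REPORTS_TO.items() if m == viewer} | {viewer}
    elif role == "worker":
        allowed = {viewer}
    else:
        return []  # viewers without an assigned role see nothing
    return [r for r in records
            if r["user"] in allowed
            and r["event"].startswith("file_")
            and not r["target"].startswith(SYSTEM_PREFIXES)]

def failed_logons(records):
    """Count denied logon attempts per user."""
    return Counter(r["user"] for r in records
                   if r["event"] == "logon" and r["result"] == "denied")

if __name__ == "__main__":
    for r in visible_to("carol", parse(RAW_LOG)):
        print(f'{r["time"]}  {r["user"]:<6} {r["event"]:<12} {r["target"]}')
```

Comparing the output of each view against a hand-written expected result for every role is the kind of scenario test the Senior ISSO would ask for.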

Monitor the test results: Steps five and six

When the Senior ISSO is finished with testing security controls, she should ensure the positive test results are included in the documentation. These documents are needed to justify authorization for an information system to operate when the Senior ISSO proceeds to step five of the RMF. If the test results are not good, the ISSO or her superior should issue an Interim Authorization To Operate.

For information systems that have been authorized to operate, the ISSO or the ISO should go to the RMF’s step six and monitor security controls. The ISSO determines whether they need to be replaced with newer, more efficient security controls for less money.


When you need to test aspects of security controls that are automated features of an information system, your best bet is to use a PaaS. Remember to make sure the test results are continuously monitored after the information system is authorized to operate.