U.S. Department of Health and Human Services
Security Controls Assessment is the independent verification and validation of both technical and non-technical controls during the security authorization process. Technical controls include those system configurations and features designed within the system, such as identification and authorization, audit, and operating system security policies. A Security Controls Assessment Plan documents the management, operational, and technical components to be tested, and outlines the approach used throughout the test.
The information in an ST&E verifies the findings of the initial risk assessment and is documented in a Security Assessment Report (SAR). The purpose of the SAR is to document any identified vulnerabilities and outline the security risks associated with each. Upon completion of the SAR, the system's Risk Assessment is updated.
Implementation & Assessment Phase
Security Controls Assessment