Cybersecurity Assessments confirm that security safeguards exist and determine whether those safeguards are functional, correct, complete, and capable of being improved over time. Several factors affect how a cybersecurity assessment is performed, including how the system is organized and used, the types of threats the system is designed to protect against, and the regulatory requirements that apply to the information system. A cybersecurity assessment consists of three variables – Methods, Objects, and Attributes. The Assessment Method describes how evidence is obtained, and Assessment Objects describe the specific items assessed.
An assessor uses different methods and objects to build understanding, obtain clarification, and gather evidence that supports the determination that an information system is adequately protected. NIST 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides lists of potential Assessment Objects for each of the 110 Security Controls in NIST 800-171. Assessment Attributes describe the rigor, level of detail, and sample size used to support the determination that an information system meets regulatory compliance. Generally, assessing more objects and applying more scrutiny to those objects result in a higher level of confidence in the assessment results.