Documenting Findings, Risks, and Recommendations

As the assessment progresses, SteelToad's assessment staff will continuously review and record findings. Because we follow the guidelines in NIST 800-53A, we want all stakeholders to understand the scope, methodology, and overall process our team uses for the assessment. SteelToad understands how beneficial it is for our team to communicate clearly, and for both our team and the organization being assessed to have clear and accurate expectations. We know how to communicate the assessment procedures, definitions, expectations, and objectives so that the evaluation has the best chance of being accurate (the artifacts that exist are collected and presented, and SteelToad communicates and evaluates accurately).

Our team has found that a well-communicated assessment process (before, during, and after the assessment) gives the best chance of identifying areas of compliance and areas of risk.

SteelToad assessors will use the 800-53 spreadsheet template to document each security control reviewed, identifying alignment, artifacts, findings, and recommendations. SteelToad will also meet with stakeholders to present the findings and provide an executive briefing.

Our deliverables include:

  1. All the baseline security controls have been assessed, per the Assessment Plan objective level (Low/Medium/High).
  2. The security control workbook is complete, accurate, and thorough.
  3. All findings for the system, against the controls it aligns with, are identified and understood.
  4. Rationale is provided for findings, with clear documentation.
  5. Assessment findings are identified as:
    1. MET
    2. NOT MET
    3. N/A
  6. The evidence provided is adequate, sufficient, and complete for each security control characterization.
  7. In areas where conflict may occur, SteelToad has clarified and communicated the issue in order to resolve it.
  8. Questions have been answered and communication has occurred throughout the assessment.