WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Usage of Pre-Existing, Independent Assessments #22

Open dkahle20 opened 9 years ago

dkahle20 commented 9 years ago

Within Section 3, Information System Security Assessments, it states that "...many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data and these should inform an ATO process that meets NIST standards and guidelines."

We agree that agencies should accept, to the extent possible, the results of other assessments and certifications. Many of the common, industry-accepted certifications (e.g., PCI DSS, ISO 27001, SOC Reports, etc.) have a great deal of overlap with NIST SP 800-53 security controls, and demonstrate a commitment to, and execution of, information security best practices.

However, this guidance does not provide much detail on the extent to which agencies may leverage existing assessments. Please provide clarification on what exactly is meant by "...these should inform an ATO process that meets NIST standards and guidelines." The ability to utilize pre-existing assessments and certifications in the Security Assessment & Authorization (SA&A) process would reduce the burden on both government and industry, and any additional guidance here would be greatly appreciated.