Agencies must plan for security, ensure that the appropriate officials are assigned security responsibility and trained accordingly, review security controls, and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of their information security program and system-level security controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

An assessment is one method agency officials can employ to help determine the current status of their information systems and agency-wide information security program. Ideally, assessments of selected security controls on an ongoing basis should be conducted to systematically identify programmatic weaknesses and where necessary, establish targets for continuing improvement. This document provides a standardized form for reporting the results of system-level assessments and a method for evaluating the effectiveness of an agency information security program. Additionally, the document provides guidance on utilizing the results of the information security program and system assessments to ascertain the status of the agency-wide information security program.