Security Test & Evaluation (ST&E) Plan
The ST&E will address the organization's confidentiality, integrity, and availability requirements, which define the protections required for the assets identified within the system's boundary.
The ST&E Test Plan Matrix or Security Requirements Traceability Matrix (SRTM) contains:
▪ NIST SP 800-53 Control type
▪ NIST SP 800-53 Control number
▪ NIST SP 800-53 Case number
▪ NIST SP 800-53 Control technology
▪ Sample Size
▪ Test Case(s) (the specific step-by-step procedures for testing the security control)
▪ Expected result(s) (the results expected from executing the test cases)
▪ Interviewee (point of contact responsible for answering test cases)
▪ Actual result(s) (the results actually obtained from executing the test cases)
▪ Pass/Fail
▪ Comments (ST&E Execution Team comments specific to the security control)
▪ Collected evidence for each control
▪ Tester for each control
Known Test Cases
The NIST SP 800-53 security controls (management, operational, and technical) are verified to ensure conformity to the organization's configuration requirements, and each is developed as a test case in this document. The test cases provide the steps for examining each critical component of the system and define how each security control is implemented.
The test cases specify the actions required to perform the test on each component, and are carried out with a manual checklist or an automated tool. The ST&E Test Plan matrix contains the set of test cases used to conduct the ST&E. Some test cases are non-technical in nature and require information gathered through interviews or documentation examination instead of hands-on technical testing.
Where the actual results do not match the expected results of a test case, the ST&E Execution Team will inquire about existing exceptions for that control. Exceptions not already collected by the C&A Team will be collected by the ST&E Execution Team.
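The rules above (one row per test case, a sample size that must be fully executed, Pass/Fail derived from the sampled components, failed cases reconciled against exceptions already on file, and evidence recorded per control) are simple enough to encode. The following is an added illustration written for this page, not part of the original plan or any assessment tool; the matrix rows, the exceptions register format, and the function names are constructed for the example.

```python
"""Added example: evaluating ST&E Test Plan (SRTM) rows and reconciling failed
test cases against an exceptions register. Constructed data; not assessment output."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SampleResult:
    """Outcome of one execution of a test case against one sampled component."""
    component: str
    actual: str
    passed: bool


@dataclass
class TestCase:
    """One row of the ST&E Test Plan matrix / SRTM (hypothetical field layout)."""
    control: str                 # NIST SP 800-53 control number, e.g. "AC-2"
    case_id: str                 # test case number
    control_type: str            # management / operational / technical
    procedure: str               # step-by-step test procedure
    expected: str                # expected result
    interviewee: str             # POC for interview-based cases
    tester: str
    sample_size: int             # components that must be examined
    samples: List[SampleResult] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)
    comments: List[str] = field(default_factory=list)

    def status(self) -> str:
        """Pass/Fail column: a case passes only when every sampled component passes."""
        if len(self.samples) < self.sample_size:
            return "Incomplete"
        return "Pass" if all(s.passed for s in self.samples) else "Fail"


def reconcile(cases: List[TestCase], exceptions: Dict[str, str]) -> Dict[str, dict]:
    """Apply the plan's rules to executed cases.

    `exceptions` maps a control number to an exception already collected by the
    C&A Team (constructed register format). Returns, per case_id, the status,
    whether the Execution Team still has to collect an exception, and comments.
    """
    report = {}
    for tc in cases:
        status = tc.status()
        needs_exception = False
        comments = list(tc.comments)
        if status == "Fail":
            failed = [s.component for s in tc.samples if not s.passed]
            comments.append(f"Actual != expected on: {', '.join(failed)}")
            if tc.control in exceptions:
                comments.append(f"Existing exception on file: {exceptions[tc.control]}")
            else:
                needs_exception = True
                comments.append("No exception on file; ST&E Execution Team to collect one")
        elif status == "Incomplete":
            comments.append(f"{len(tc.samples)}/{tc.sample_size} samples executed")
        if status in ("Pass", "Fail") and not tc.evidence:
            comments.append("Supporting evidence missing for this control")
        report[tc.case_id] = {"control": tc.control, "status": status,
                              "needs_exception": needs_exception, "comments": comments}
    return report


def sample_matrix() -> List[TestCase]:
    """Constructed sample rows (not real assessment data)."""
    return [
        TestCase("AC-2", "AC-2-T1", "technical",
                 "Export local account list on each sampled server; compare to approved roster",
                 "Only roster-approved accounts exist", "sysadmin", "tester-1", 2,
                 [SampleResult("srv-01", "accounts match roster", True),
                  SampleResult("srv-02", "orphaned account 'svc_old' present", False)],
                 evidence=["ac2-srv01-accounts.txt", "ac2-srv02-accounts.txt"]),
        TestCase("AU-2", "AU-2-T1", "technical",
                 "Check that auditd is enabled and configured per baseline",
                 "auditd active, baseline rules loaded", "sysadmin", "tester-1", 2,
                 [SampleResult("srv-01", "auditd active, rules loaded", True),
                  SampleResult("srv-02", "auditd disabled", False)],
                 evidence=[]),
        TestCase("PL-2", "PL-2-T1", "management",
                 "Interview ISSO; examine SSP for approval signature and date",
                 "SSP approved within the last year", "ISSO", "tester-2", 1,
                 [SampleResult("SSP v3.1", "signed 2 months ago", True)],
                 evidence=["ssp-v3.1-signature-page.pdf"]),
        TestCase("CM-6", "CM-6-T1", "technical",
                 "Run baseline checklist against each sampled server", "No deviations",
                 "sysadmin", "tester-1", 3,
                 [SampleResult("srv-01", "no deviations", True)],
                 evidence=[]),
    ]


def run_example() -> Dict[str, dict]:
    # Constructed exceptions register: AC-2 already has a deviation collected by the C&A Team.
    exceptions = {"AC-2": "EXC-07 (service account retained pending migration)"}
    return reconcile(sample_matrix(), exceptions)


if __name__ == "__main__":
    for case_id, row in run_example().items():
        print(case_id, row["status"], "| needs exception:", row["needs_exception"])
        for c in row["comments"]:
            print("   -", c)
```

Running it marks AC-2-T1 as a Fail covered by the exception on file, AU-2-T1 as a Fail for which the Execution Team must collect an exception (and which has no evidence attached), PL-2-T1 as a Pass from an interview/documentation case, and CM-6-T1 as Incomplete because only one of three sampled components was examined. Keeping the Pass/Fail and exception logic in one place like this is what makes sample-size and evidence gaps visible before the results are written back into the plan.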
Supporting Evidence
Direct or indirect information obtained that demonstrates the implementation of a specific security control will be documented and retained as supporting evidence.
The ST&E Test Plan is populated with the step-by-step cases for testing the applicable NIST SP 800-53 security controls as described in the SSP. In addition, during ST&E execution, the ST&E Test Plan is populated with the results of the testing for each security control tested. The following sections describe the format and content of the ST&E Test Plan and discuss sample sizes and the use of existing test results.