The cybersecurity role I chose from NIST 800-12 was the security control assessor. A security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the managerial, operational, and technical security controls and control enhancements employed within or inherited by a system, in order to determine the overall effectiveness of those controls (NIST, 2019). Effectiveness is judged by the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system (NIST, 2019). Personnel in this role typically hold a B.S. in information technology, cybersecurity, or a related field, must meet on-the-job qualification requirements, and must complete professional development training throughout their career (DoD, n.d.).
A security control assessor's main duties are to conduct assessments that identify weaknesses or deficiencies in a system and its environment of operation; to recommend corrective actions that address the identified vulnerabilities; and to prepare security assessment reports that document the results and findings of the assessment (NIST, 2019). Additional responsibilities include developing strategies for tracking and evaluating risk, compliance, and assurance activities; writing specifications that align those risk, compliance, and assurance activities with the system's security requirements; planning and conducting security authorization reviews; and assessing system interfaces for potential vulnerabilities (Barsolona, 2024).
One of the main benefits of having security control assessors work on a system is an independent, third-party review of that system. Reviewers who did not build or operate the controls bring a fresh perspective, and that outside set of eyes is more likely to uncover gaps the organization has overlooked and to identify concrete ways to improve its security posture.
References
NIST. (2019). NIST_800-12_Intro_Info_Sec.pdf (course copy, 03b). Google Drive. https://drive.google.com/file/d/19gv8xgW48A40rHBosLyMF1SuUhAgfN9i/view
DoD Cyber Exchange. (n.d.). Security Control Assessor. public.cyber.mil. https://public.cyber.mil/dcwf-work-role/security-control-assessor/
Barsolona, M. (2024, January 22). The Evolving Role of a Security Assessor. Meditology Services. https://www.meditologyservices.com/the-evolving-role-of-a-security-assessor/