Non-Compliant Findings Reassessment and Validation
Non-Compliant Findings Reassessment and Validation is a critical process within the governance, risk, and compliance (GRC) framework that ensures organizations effectively address and remediate security and privacy control deficiencies identified during audits or assessments. When an initial assessment reveals non-compliant findings (areas where security or privacy controls fail to meet established standards, regulations, or organizational policies), these findings are documented with specific details including severity, risk level, and recommended remediation actions. Organizations are then given a defined timeframe to implement corrective actions.

The reassessment and validation process involves several key steps:

1. **Remediation Verification**: Assessors review the corrective actions taken by the organization to determine whether they adequately address the original finding. This includes examining updated policies, procedures, technical configurations, and evidence of implementation.
2. **Testing and Evaluation**: Reassessors conduct targeted testing specifically focused on the previously non-compliant controls. This may involve technical testing, documentation reviews, interviews with personnel, and observation of operational processes to confirm that remediation efforts are effective.
3. **Risk Re-evaluation**: The residual risk associated with each finding is reassessed to determine whether it has been reduced to an acceptable level. If only partial remediation has occurred, the remaining risk must be documented and accepted by the appropriate stakeholders through a formal risk acceptance process.
4. **Validation Documentation**: Results of the reassessment are formally documented, updating the Plan of Action and Milestones (POA&M) or equivalent tracking mechanism. Findings may be closed, downgraded, or remain open with updated timelines.
5. **Continuous Monitoring Integration**: Validated remediations are incorporated into the organization's continuous monitoring program to ensure sustained compliance over time.

This process is essential for maintaining accountability, ensuring regulatory compliance, and demonstrating due diligence. It provides assurance to stakeholders, regulators, and governing bodies that identified vulnerabilities are not merely acknowledged but actively resolved, thereby strengthening the organization's overall security and privacy posture and reducing exposure to threats and regulatory penalties.
Non-Compliant Findings Reassessment and Validation: A Comprehensive Guide for CGRC Exam Preparation
Introduction
Non-compliant findings reassessment and validation is a critical phase in the security and privacy control assessment lifecycle. When an organization identifies controls that fail to meet compliance requirements during an initial assessment or audit, it must take corrective action and then verify that those actions have effectively remediated the deficiencies. This process of going back to re-evaluate previously non-compliant findings is what we refer to as reassessment and validation. For professionals preparing for the CGRC (Certified in Governance, Risk, and Compliance) exam, understanding this topic is essential because it bridges the gap between identifying problems and confirming that solutions actually work.
Why Non-Compliant Findings Reassessment and Validation Is Important
Non-compliant findings represent security gaps, vulnerabilities, or weaknesses in an organization's control environment. These findings, if left unaddressed or improperly remediated, can expose the organization to significant risks including data breaches, regulatory penalties, operational disruptions, and reputational damage. Here is why reassessment and validation matter:
1. Ensures Effective Remediation: Simply implementing a corrective action does not guarantee that the underlying issue has been resolved. Reassessment provides evidence-based verification that remediation efforts have actually closed the gap.
2. Supports Authorization Decisions: In frameworks like NIST's Risk Management Framework (RMF), the authorizing official (AO) relies on accurate and current assessment results to make informed risk-based decisions about system authorization. Reassessment of non-compliant findings provides the updated evidence needed for these decisions.
3. Maintains Continuous Monitoring: Reassessment is a key component of continuous monitoring strategies. It ensures that the organization's security posture is not just assessed once but is continuously validated and improved over time.
4. Regulatory and Compliance Obligations: Many regulatory and compliance frameworks (FISMA, HIPAA, PCI DSS, FedRAMP, etc.) require organizations not only to identify deficiencies but also to demonstrate that corrective actions have been taken and validated. Failure to do so can result in non-compliance with these mandates.
5. Risk Reduction: Unresolved or inadequately resolved findings represent residual risk. Reassessment helps quantify and reduce this residual risk to an acceptable level, ensuring the organization operates within its defined risk tolerance.
6. Accountability and Transparency: The reassessment process creates an auditable trail that demonstrates due diligence, accountability, and a commitment to continuous improvement in the organization's security and privacy programs.
What Is Non-Compliant Findings Reassessment and Validation?
Non-compliant findings reassessment and validation is the systematic process of re-evaluating security and privacy controls that were previously found to be deficient, ineffective, or non-compliant during an assessment or audit. This process occurs after the organization has implemented corrective actions or remediation measures in response to the original findings.
Key Definitions:
Non-Compliant Finding: A determination that a specific security or privacy control does not meet the established requirements, is not implemented correctly, is not operating as intended, or is not producing the desired outcome with respect to meeting the security or privacy requirements of the system or organization.
Reassessment: The act of re-evaluating a previously assessed control to determine whether remediation actions have been effective. This involves applying the same or similar assessment procedures that were used during the initial assessment.
Validation: The confirmation, through objective evidence, that the remediation measures have adequately addressed the identified deficiency and that the control now meets the specified requirements.
Context Within the NIST Risk Management Framework (RMF):
Within the RMF, reassessment and validation activities primarily occur during the following steps (numbered here according to the six-step RMF of NIST SP 800-37 Rev. 1; Rev. 2 adds a Prepare step at the front, so Assess, Authorize, and Monitor become the fifth, sixth, and seventh steps):
- Step 4 – Assess: When initial assessment identifies non-compliant findings, the organization develops a Plan of Action and Milestones (POA&M) to track remediation. Once remediation is complete, reassessment is conducted.
- Step 5 – Authorize: Updated assessment results from reassessment feed into the authorization package and inform the AO's risk-based authorization decision.
- Step 6 – Monitor: Ongoing reassessment of previously non-compliant findings is a core activity within the continuous monitoring phase to ensure sustained compliance and effectiveness.
How Non-Compliant Findings Reassessment and Validation Works
The reassessment and validation process follows a structured workflow that ensures thoroughness, objectivity, and documentation. Here is a step-by-step breakdown:
Step 1: Identification of Non-Compliant Findings
During the initial security or privacy control assessment, the assessor evaluates controls against established criteria (e.g., NIST SP 800-53 control requirements). Controls that do not satisfy the assessment criteria are documented as non-compliant findings in the Security Assessment Report (SAR). Each finding typically includes:
- The specific control or control enhancement that is non-compliant
- A description of the deficiency or weakness
- The potential risk or impact associated with the finding
- The assessment methods and evidence used to identify the finding
Step 2: Development of the Plan of Action and Milestones (POA&M)
Based on the SAR findings, the system owner or information system security officer (ISSO) develops a POA&M. The POA&M serves as a management tool that:
- Documents the specific findings requiring remediation
- Identifies the planned corrective actions for each finding
- Assigns responsible parties for remediation
- Establishes target completion dates and milestones
- Tracks the status of remediation efforts
- Identifies resources required for remediation
- Prioritizes findings based on risk severity
Step 3: Implementation of Corrective Actions
The responsible parties execute the corrective actions documented in the POA&M. These actions may include:
- Implementing new or enhanced security controls
- Updating configurations or system settings
- Revising policies, procedures, or documentation
- Deploying patches or software updates
- Providing additional training to personnel
- Acquiring and deploying new technologies
- Modifying architecture or network designs
Step 4: Reassessment Planning
Once corrective actions are reported as complete, the assessor (or assessment team) plans the reassessment. Key considerations include:
- Scope: The reassessment is typically focused only on the previously non-compliant controls and any controls that may have been affected by the remediation changes. It is not usually a full system reassessment.
- Assessment Methods: The assessor determines the appropriate assessment methods to use. NIST SP 800-53A defines three assessment methods: examine (reviewing documents, configurations, and other artifacts, including observing activities), interview (questioning relevant personnel), and test (exercising mechanisms or activities under specified conditions). Each method also has depth and coverage attributes. The same methods, depth, and coverage used during the initial assessment are generally applied during reassessment to ensure consistency.
- Assessor Independence: Depending on organizational policy and the level of the system, the reassessment may need to be conducted by an independent assessor who was not involved in the remediation effort to ensure objectivity.
- Evidence Requirements: The assessor identifies what evidence will be needed to validate that the corrective actions are effective.
Step 5: Conducting the Reassessment
The assessor performs the reassessment using the planned methods. This involves:
- Reviewing updated documentation (policies, procedures, system security plans, etc.)
- Examining system configurations, settings, and implementations
- Interviewing personnel responsible for the control implementation and operation
- Testing the control's functionality and effectiveness
- Collecting and analyzing evidence to determine whether the corrective action has adequately addressed the original finding
Step 6: Validation and Documentation of Results
After conducting the reassessment, the assessor documents the results. Possible outcomes include:
- Finding Resolved/Compliant: The corrective action has successfully remediated the deficiency, and the control now meets the specified requirements. The POA&M entry is updated to reflect closure.
- Finding Partially Resolved: Some progress has been made, but the corrective action has not fully addressed the deficiency. The POA&M is updated with revised actions, milestones, and target dates.
- Finding Not Resolved: The corrective action was ineffective or was not properly implemented. The finding remains open, and the POA&M is updated with new or revised corrective actions.
- New Findings Identified: In some cases, the reassessment may reveal new deficiencies that were not present during the original assessment (possibly introduced by the remediation changes). These new findings are documented and added to the POA&M.
The reassessment results are typically documented in an updated SAR or an addendum to the original SAR.
Step 7: Updating the Authorization Package
The updated assessment results are incorporated into the authorization package, which includes the System Security Plan (SSP), SAR, and POA&M. This updated package is presented to the authorizing official for review and decision-making. The AO may:
- Issue or reaffirm an Authorization to Operate (ATO) if residual risk is acceptable
- Issue an ATO with conditions requiring further remediation within specified timeframes
- Deny authorization if residual risk remains unacceptable
Step 8: Ongoing Monitoring and Future Reassessments
Even after findings are closed, the controls continue to be monitored as part of the organization's continuous monitoring strategy. Controls that were previously non-compliant may be prioritized for more frequent assessment to ensure they remain effective over time.
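As an added example that is not part of the original guide, the following Python sketch models the workflow of Steps 2 through 8 as a small POA&M tracker. The control identifiers, people, and dates are constructed sample data. The functions enforce the checks the text calls for: a completion report from the owner never closes a finding, reassessment before remediation is reported complete is refused, closure requires evidence gathered with an SP 800-53A method by an assessor independent of the remediation, partial results reopen the item for revised milestones, only the authorizing official can record risk acceptance, and regression scoping picks up other controls that share a component the fix touched.

```python
"""Constructed example (not from the page or from NIST): a minimal POA&M tracker
that enforces the rules in Steps 2-8.  Control IDs, names and dates are sample data."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

ASSESSMENT_METHODS = {"examine", "interview", "test"}  # NIST SP 800-53A methods

class Status(Enum):
    OPEN = "open"                                  # remediation planned or in progress
    REMEDIATED = "remediation reported complete"   # awaiting reassessment
    CLOSED = "closed"                              # validated by the assessor
    RISK_ACCEPTED = "risk accepted"                # residual risk accepted by the AO

class PoamError(Exception): pass                   # action would bypass the workflow

@dataclass
class Evidence:
    method: str       # examine / interview / test
    artifact: str     # what was reviewed, who was interviewed, what was run
    satisfied: bool   # does this evidence show the requirement is met?

@dataclass
class Finding:
    control: str      # sample identifier such as "AC-2(3)"
    owner: str        # party responsible for remediation (system owner / ISSO)
    status: Status = Status.OPEN
    evidence: list = field(default_factory=list)
    history: list = field(default_factory=list)   # the auditable trail

def report_remediation_complete(f: Finding, when: date) -> None:
    """Step 3: the owner reports the fix; this alone never closes the finding."""
    if f.status is not Status.OPEN:
        raise PoamError(f"{f.control}: cannot report completion from {f.status.value}")
    f.status = Status.REMEDIATED
    f.history.append(f"{when}: {f.owner} reported remediation complete")

def reassess(f: Finding, assessor: str, evidence: list, when: date) -> str:
    """Steps 4-6: validate with objective, independent evidence; returns the outcome."""
    if f.status is not Status.REMEDIATED:
        raise PoamError(f"{f.control}: reassessment before remediation is complete")
    if assessor == f.owner:
        raise PoamError(f"{f.control}: assessor must be independent of remediation")
    if not evidence:
        raise PoamError(f"{f.control}: closure requires evidence, not self-attestation")
    if any(e.method not in ASSESSMENT_METHODS for e in evidence):
        raise PoamError(f"{f.control}: evidence must use an SP 800-53A method")
    f.evidence.extend(evidence)
    results = [e.satisfied for e in evidence]
    if all(results):
        f.status, outcome = Status.CLOSED, "resolved"
    elif any(results):
        f.status, outcome = Status.OPEN, "partially resolved"  # revise milestones
    else:
        f.status, outcome = Status.OPEN, "not resolved"
    f.history.append(f"{when}: reassessed by {assessor}: {outcome}")
    return outcome

def accept_residual_risk(f: Finding, ao: str, rationale: str, when: date) -> None:
    """Key concept 8: only the AO formally accepts risk that cannot be remediated."""
    if f.status is Status.CLOSED:
        raise PoamError(f"{f.control}: finding is already closed")
    f.status = Status.RISK_ACCEPTED
    f.history.append(f"{when}: residual risk accepted by AO {ao}: {rationale}")

def regression_scope(remediated: str, changed: set, control_components: dict) -> set:
    """Step 4 scoping: other controls that rely on a component the fix touched."""
    return {c for c, comps in control_components.items()
            if c != remediated and comps & changed}

def demo() -> dict:
    """Walk one constructed finding through the lifecycle and return the results."""
    f = Finding("AC-2(3)", owner="isso")          # sample: inactive accounts not disabled
    report_remediation_complete(f, date(2024, 3, 1))
    first = reassess(f, "assessor", [
        Evidence("examine", "account management SOP rev 3", True),
        Evidence("test", "query found 4 enabled accounts idle > 90 days", False)],
        date(2024, 3, 10))                                # partially resolved
    report_remediation_complete(f, date(2024, 3, 20))     # second attempt
    second = reassess(f, "assessor",
        [Evidence("test", "same query found 0 enabled idle accounts", True)],
        date(2024, 3, 25))                                # resolved
    g = Finding("CM-6", owner="isso")                     # sample: baseline not enforced
    report_remediation_complete(g, date(2024, 4, 1))
    try:                                                  # owner self-attests the fix
        reassess(g, "isso", [Evidence("test", "owner says fixed", True)], date(2024, 4, 2))
        rejected = False
    except PoamError:
        rejected = True
    scope = regression_scope("AC-2(3)", {"identity-provider"},
                             {"AC-2(3)": {"identity-provider"},
                              "IA-2": {"identity-provider", "mfa-service"},
                              "AU-6": {"siem"}})
    return {"first": first, "second": second, "status": f.status,
            "history": f.history, "rejected": rejected, "scope": scope}

if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome dictionary for the constructed finding: the first reassessment comes back partially resolved and reopens the item, the second closes it, the owner's self-attestation on the second finding is refused, and the scoping step flags IA-2 because it shares the identity provider the fix changed. The history list is the auditable trail the text refers to, and the status values correspond to the columns an organization's POA&M would carry.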
Key Concepts and Principles to Remember
1. POA&M as a Living Document: The POA&M is not a one-time artifact. It is a living document that is continuously updated as findings are remediated, reassessed, and closed or revised.
2. Risk-Based Prioritization: Not all non-compliant findings carry the same level of risk. Organizations should prioritize reassessment based on the severity of the finding, the criticality of the affected system, and the potential impact to the organization.
3. Assessor Independence: For higher-impact systems, independent assessors (those not involved in the development, implementation, or operation of the system) should conduct the reassessment to ensure objectivity and credibility of results.
4. Scoping of Reassessment: Reassessment should be focused and targeted. It should cover the specific non-compliant controls, but it should also consider any secondary effects that remediation activities may have had on other controls (sometimes called regression assessment).
5. Evidence-Based Determination: Validation must be based on objective evidence, not simply on assurances from the remediation team that the fix was applied. The assessor must independently verify through the examine, interview, and test methods.
6. Timeliness: Reassessment should be conducted in a timely manner after remediation is complete. Delays in reassessment extend the period during which the organization is exposed to the risk associated with the non-compliant finding.
7. Documentation: Thorough documentation at every stage is essential. This includes documenting the original finding, the planned corrective action, the actual corrective action taken, the reassessment procedures, the evidence collected, and the final determination.
8. Residual Risk Acceptance: In some cases, a finding may not be fully remediable due to technical, operational, or resource constraints. In these situations, the remaining risk (residual risk) must be clearly documented and formally accepted by the authorizing official or appropriate risk executive.
9. False Sense of Compliance: One of the dangers of inadequate reassessment is a false sense of compliance. If corrective actions are marked as complete without proper validation, the organization may believe it is compliant when it is not, leaving vulnerabilities unaddressed.
10. Relationship to Continuous Monitoring: Reassessment and validation feed into the broader continuous monitoring program. The results inform organizational risk posture and may trigger changes to the continuous monitoring strategy, including frequency adjustments for control assessments.
Exam Tips: Answering Questions on Non-Compliant Findings Reassessment and Validation
The CGRC exam tests your understanding of governance, risk, and compliance concepts, including the practical application of reassessment and validation processes. Here are targeted tips to help you answer questions on this topic effectively:
Tip 1: Know the RMF Steps and Where Reassessment Fits
Be clear about where reassessment activities occur within the NIST RMF. Reassessment is primarily associated with Step 4 (Assess) and Step 6 (Monitor). Questions may test your understanding of the sequencing of activities. Remember that reassessment occurs after corrective actions are implemented but before authorization decisions are updated.
Tip 2: Understand the Role of the POA&M
Many exam questions center on the POA&M as the tracking mechanism for non-compliant findings. Know that the POA&M documents findings, planned corrective actions, responsible parties, milestones, and target dates. It is updated throughout the remediation and reassessment lifecycle. If a question asks about how non-compliant findings are tracked and managed, the POA&M is almost always the correct answer.
Tip 3: Distinguish Between Assessment, Reassessment, and Continuous Monitoring
The exam may present scenarios that require you to differentiate between an initial assessment, a reassessment, and ongoing monitoring. An initial assessment evaluates all in-scope controls. A reassessment is targeted at previously non-compliant controls after remediation. Continuous monitoring is the ongoing program that includes periodic assessments, reassessments, and other monitoring activities.
Tip 4: Remember the Assessment Methods (Examine, Interview, Test)
NIST SP 800-53A defines the assessment methods. Questions may ask which method is most appropriate for validating a specific type of corrective action. For example, if a policy was updated, examine (reviewing the document) would be appropriate. If a technical fix was applied, test (exercising the mechanism) would be appropriate. If the issue was related to personnel practices, interview would be relevant.
Tip 5: Focus on Evidence-Based Validation
If a question presents a scenario where someone claims a finding is resolved but no evidence has been collected or verified, the correct answer will almost always emphasize the need for independent, evidence-based validation. Never accept self-attestation alone as sufficient evidence of remediation.
Tip 6: Know the Key Roles
Understand who is responsible for what in the reassessment process:
- System Owner: Responsible for ensuring corrective actions are implemented and for updating the POA&M
- ISSO (Information System Security Officer): Assists the system owner in managing the POA&M and coordinating reassessment activities
- Assessor/Assessment Team: Conducts the reassessment and provides independent validation
- Authorizing Official (AO): Reviews updated assessment results and makes risk-based authorization decisions
- Common Control Provider: Responsible for remediation and reassessment of common (inherited) controls
Tip 7: Watch for Tricky Answer Choices About Scope
Exam questions may try to trick you regarding the scope of reassessment. The reassessment should focus on the specific non-compliant controls, but it should also consider any controls that may have been affected by the changes made during remediation. It does not require a full system reassessment unless the changes were extensive enough to warrant one.
Tip 8: Understand Risk Acceptance
Some questions may present scenarios where complete remediation is not feasible. In these cases, know that residual risk must be formally documented and accepted by the authorizing official. The answer should reflect that risk acceptance is a valid option but requires proper documentation, formal acceptance by the appropriate authority, and potentially compensating controls.
Tip 9: Remember the Importance of Timeliness
If a question asks about when reassessment should occur, the answer should emphasize that it should be conducted promptly after remediation is complete. Unnecessary delays increase risk exposure. However, the reassessment should not occur before the corrective action is fully implemented, as premature reassessment may yield inaccurate results.
Tip 10: Consider the Bigger Picture
Many CGRC exam questions are scenario-based and test your ability to apply concepts in real-world situations. When answering questions about reassessment, consider the broader context: How does the reassessment result affect the authorization decision? How does it impact the organization's overall risk posture? How does it feed into the continuous monitoring program? Thinking holistically will help you select the best answer.
Tip 11: New Findings During Reassessment
Be prepared for questions about what happens when new findings are discovered during reassessment. The correct approach is to document these new findings, add them to the POA&M, assess their risk, and report them as part of the updated assessment results. They should not be ignored or deferred.
Tip 12: Understand the Difference Between Remediation and Mitigation
Remediation fully addresses and eliminates the deficiency. Mitigation reduces the risk associated with the deficiency without fully eliminating it (e.g., implementing compensating controls). Questions may test whether you understand this distinction, particularly in the context of reassessment outcomes.
Tip 13: Use Process of Elimination
For questions where you are unsure of the answer, eliminate choices that:
- Skip the reassessment step entirely (e.g., closing a POA&M item without validation)
- Rely solely on self-reporting without independent verification
- Suggest reassessing before remediation is complete
- Ignore the need for documentation
- Remove the authorizing official from the decision-making process
Summary
Non-compliant findings reassessment and validation is a fundamental component of the security and privacy control assessment process. It ensures that corrective actions taken in response to identified deficiencies are effective and that the organization's security posture is accurately represented in authorization decisions. For the CGRC exam, focus on understanding the lifecycle of a non-compliant finding from identification through remediation, reassessment, validation, and closure or continued tracking. Know the key roles, documents (SAR, POA&M, SSP), assessment methods, and the relationship between reassessment and the broader risk management and continuous monitoring programs. By mastering these concepts, you will be well-prepared to answer any exam question on this important topic.