FISMA Certification and Accreditation Handbook

Before you start to design a self-assessment survey, check to see if your agency already has a self-assessment template that it would like you to use. Since you're probably under a deadline, don't recreate a brand-new self-assessment survey if a pretty good one already exists at your agency. Also, it may be against the agency's security policies to use a survey that is different from the one it provides. If your agency does not have a self-assessment survey template, you will need to develop one before you can answer the questions. Special Publication 800-26 contains a fairly comprehensive sample survey, and it's a great starting point for developing one for your Certification Package. You'll likely want to modify the survey you find in Special Publication 800-26 to make it more apropos to the objectives of your agency and information system.
Special Publication 800-26 recommends that your survey be designed for five levels of compliance. However, since almost every C&A program includes four levels of compliance, from a practical standpoint it makes more sense to build four levels of compliance into your survey. The recommendation for five levels of compliance originated from a document published on November 28, 2000, known as the Federal Information Technology Security Assessment Framework (FITSAF). [1] Since most C&A programs have only four levels of compliance, it is possible that, had the FITSAF been published after FISMA was passed, it would have included only four levels of compliance.