The IT Law Wiki


An assessment object(s):

[is] the item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.[1]

identify the specific items being assessed, and as such, can have one or more security defects. Assessment objects include specifications, mechanisms, activities, and individuals which in turn may include, but are not limited to, devices, software products, software executables, credentials, accounts, account-privileges, things to which privileges are granted (including data and physical facilities), etc.[2]


  1. CNSSI 4009, at 7.
  2. NISTIR 8011, Vol. 1, at B-6.