The IT Law Wiki


Security assurance is

[t]he written confirmation requested by, and exchanged between governments, of the security clearance level or eligibility for clearance of their employees, contractors, and citizens. It includes a statement by a responsible official of a foreign government that the original recipient of United States (U.S.) classified information possesses the requisite security clearance, is approved by his or her government for access to information of the security classification involved on behalf of the foreign government, and that the recipient will comply with any security requirements specified by the U.S. In the case of contractors, security assurance includes a statement concerning the level of storage capability.[1]


Security assurance is a critical aspect in determining the trustworthiness of information systems. Security assurance is the measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.

Security assurance can be obtained by: (i) the actions taken by developers and implementers of security controls with regard to the design, development, implementation, and operation of those controls; and (ii) the actions taken by assessors to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information systems and supporting infrastructure.

Developers and implementers can increase the assurance in security controls by employing well-defined security policy models, structured, disciplined, and rigorous hardware and software development techniques, and sound system/security engineering principles. Assurance is also based on the assessment of evidence produced during the initiation, acquisition/development, implementation, and operations/maintenance phases of the SDLC. For example, developmental evidence may include the techniques and methods used to design and develop security functionality. Operational evidence may include flaw reporting and remediation, the results of security incident reporting, and the results of ongoing monitoring of security controls. Independent assessments by qualified assessors may include analyses of the evidence as well as testing, inspections, and audits.