Date Published: August 2021
Comments Due:
Email Questions to:
Planning Note (08/05/2021):
Replaced CSV file; added a "sort-order" column.
Author(s)
Joint Task Force
Announcement
Control assessments are not about checklists, simple pass/fail results, or generating paperwork to pass inspections or audits. The testing and evaluation of controls in a system or organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome are critical to managing and measuring risk. Additionally, control assessment results serve as an indication of the quality of the risk management processes, help identify security and privacy strengths and weaknesses within systems, and provide a road map to identifying, prioritizing, and correcting identified deficiencies.
Draft NIST Special Publication (SP) 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, provides organizations with a flexible, scalable, and repeatable assessment methodology and assessment procedures that correspond with the controls in NIST SP 800-53, Revision 5. Like previous revisions of SP 800-53A, the generalized assessment procedures provide a framework and starting point to assess the enhanced security requirements and can be tailored to the needs of organizations and assessors. The assessment procedures can be employed in self-assessments or independent third-party assessments.
In addition to the update of the assessment procedures to correspond with the controls in SP 800-53, Revision 5, a new format for assessment procedures in this revision to SP 800-53A is introduced to:
- Improve the efficiency of conducting control assessments,
- Provide better traceability between assessment procedures and controls, and
- Better support the use of automated tools, continuous monitoring, and ongoing authorization programs.
NIST is seeking feedback on the assessment procedures in this publication and in electronic versions (OSCAL, CSV, and plain text), including the assessment objectives, determination statements, and potential assessment methods and objects. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives. To facilitate their review and use by a broad range of stakeholders, the assessment procedures are available for comment and use in PDF format, as well as comma-separated value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL) formats.
The comment period is open through October 1, 2021. We encourage you to submit comments using the comment template provided.
Please submit inquiries to sec-cert@nist.gov.
NOTE: A call for patent claims is included on page vii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
This publication provides a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided along with guidance on analyzing assessment results.
This publication provides a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in...
See full abstract
This publication provides a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided along with guidance on analyzing assessment results.
Hide full abstract
Keywords
assessment; assessment plan; assurance; control assessment; FISMA; Privacy Act; privacy controls; privacy requirements; Risk Management Framework; security controls; security requirements
Control Families
None selected
