
Security Assessment

NIST Special Publication 800-53A
Guide for Assessing the Security Controls in Federal Information Systems

The purpose of NIST Special Publication 800-53A is to establish common assessment procedures to assess the effectiveness of security controls in federal information systems, specifically those controls listed in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems. The assessment methods and procedures are used to determine if the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the organization. Organizations use the recommended assessment procedures from NIST Special Publication 800-53A as the starting point for developing more specific assessment procedures, which may, in certain cases, be needed because of platform dependencies or other implementation-related considerations. The assessment procedures in Special Publication 800-53A can be supplemented by the organization, if needed, based on an organizational assessment of risk. Organizations must create additional assessment procedures for those security controls that are not contained in NIST Special Publication 800-53. The employment of standardized assessment procedures promotes more consistent, comparable, and repeatable security assessments of federal information systems.

Assessment Case Development Project

To provide assessors with additional tools and techniques for implementing the assessment procedures in Special Publication 800-53A, NIST initiated the Assessment Case Development Project in October 2007 in cooperation with the Departments of Justice, Energy, Transportation, and the Intelligence Community. The purpose of the project is threefold:

    1. Actively engage experienced assessors from multiple organizations in recommending assessment cases that describe specific assessor actions to implement the assessment procedures in NIST Special Publication 800-53A;
       
    2. Provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in NIST Special Publication 800-53A; and
       
    3. Provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the security control assessment process for more consistent, effective, and cost-effective security assessments of federal information systems.

The interagency task force developed a full suite of assessment cases based on the assessment procedures provided in NIST Special Publication 800-53A.

- Assessment Cases Overview for Special Publication 800-53A

- Download Page for Assessment Cases