Control
assessments are not about checklists, simple pass/fail results, or generating
paperwork to pass inspections or audits. The testing and evaluation of controls
in a system or organization to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome
are critical to managing and measuring risk. Additionally, control assessment
results serve as an indication of the quality of the risk management processes,
help identify security and privacy strengths and weaknesses within systems, and
provide a road map to identifying, prioritizing, and correcting identified
deficiencies.
Draft NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems
and Organizations, provides organizations
with a flexible, scalable, and repeatable assessment methodology and assessment
procedures that correspond with the controls in NIST SP 800-53, Revision 5.
Like previous revisions of SP 800-53A, the generalized assessment procedures
provide a framework and starting point to assess the enhanced security
requirements and can be tailored to the needs of organizations and assessors.
The assessment procedures can be employed in self-assessments or independent
third-party assessments.
In
addition to the update of the assessment procedures to correspond with the
controls in SP 800-53, Revision 5, a new format for assessment procedures in
this revision to SP 800-53A is introduced to:
- Improve the efficiency of
conducting control assessments, - Provide better traceability
between assessment procedures and controls, and - Better support the use of
automated tools, continuous monitoring, and ongoing authorization
programs.
NIST
is seeking feedback on the assessment procedures in this publication and in
electronic versions (OSCAL, CSV, and plain text), including the assessment
objectives, determination statements, and potential assessment methods and
objects. We are also interested in the approach taken to incorporate
organization-defined parameters into the determination statements for the
assessment objectives. To facilitate their review and use by a broad range of
stakeholders, the assessment procedures are available for comment and use in
PDF format, as well as comma-separated value (CSV), plain text, and Open
Security Controls Assessment Language (OSCAL) formats.
The comment period is open through October 1, 2021. See
the publication
details for a copy of the draft and associated files, and
instructions for submitting comments. We encourage you to submit comments using
the comment template provided.
Please
submit inquiries to [email protected].