Doc:NIST SP 800-53Ar1 FPD

From FISMApedia
Jump to: navigation, search

Table of Contents

  • Chapter One Introduction
    • 1.1 Purpose And Applicability
    • 1.2 Target Audience
    • 1.3 Related Publications And Assessment Processes
    • 1.4 Organization Of This Special Publication
  • Chapter Two The Fundamentals
    • 2.1 Assessments Within The System Development Life Cycle
    • 2.2 Strategy For Conducting Security Control Assessments
    • 2.3 Building An Effective Assurance Case
    • 2.4 Assessment Procedures
  • Chapter Three The Process
    • 3.1 Preparing For Security Control Assessments
    • 3.2 Developing Security Assessment Plans
    • 3.3 Conducting Security Control Assessments
    • 3.4 Analyzing Security Assessment Report Results


“…Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”
“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”
“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”


Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits — rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework. The assessment results provide organizational officials with:

  • Evidence about the effectiveness of security controls in organizational information systems;
  • An indication of the quality of the risk management processes employed within the organization; and
  • Information about the strengths and weaknesses of information systems which are supporting organizational missions and business functions in a global environment of sophisticated and changing threats.

The findings produced by assessors are used to determine the overall effectiveness of the security controls associated with an information system (including system-specific, common, and hybrid controls) and to provide credible and meaningful inputs to the organization's risk management process. A well-executed assessment helps to: (i) determine the validity of the security controls contained in the security plan and subsequently employed in the information system and its environment of operation; and (ii) facilitate a cost-effective approach to correcting weaknesses or deficiencies in the system in an orderly and disciplined manner consistent with organizational mission/business needs.

Special Publication 800-53A is a companion guideline to Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations. Each publication provides guidance for implementing specific steps in the Risk Management Framework (RMF).[1] Special Publication 800-53 covers Step 2 in the RMF, security control selection (i.e., determining what security controls are needed to manage risks to organizational operations and assets, individuals, other organizations, and the Nation). Special Publication 800-53A covers RMF Step 4, security control assessment, and RMF Step 6, continuous monitoring, and provides guidance on the security assessment process. This guidance includes how to build effective security assessment plans and how to analyze and manage assessment results.

Special Publication 800-53A allows organizations to tailor and supplement the basic assessment procedures provided. The concepts of tailoring and supplementation used in this document are similar to the concepts described in Special Publication 800-53. Tailoring involves scoping the assessment procedures to more closely match the characteristics of the information system and its environment of operation. The tailoring process gives organizations the flexibility needed to avoid assessment approaches that are unnecessarily complex or costly while simultaneously meeting the assessment requirements established by applying the fundamental concepts in the RMF. Supplementation involves adding assessment procedures or assessment details to adequately meet the risk management needs of the organization (e.g., adding organization-specific details such as system/platform-specific information for selected security controls). Supplementation decisions are left to the discretion of the organization in order to maximize flexibility in developing security assessment plans when applying the results of risk assessments in determining the extent, rigor, and level of intensity of the assessments.

While flexibility continues to be an important factor in developing security assessment plans, consistency of assessments is also an important consideration. A major design objective for Special Publication 800-53A is to provide an assessment framework and initial starting point for assessment procedures that are essential for achieving such consistency. In addition to the assessment framework and initial starting point for assessment procedures, NIST initiated an Assessment Case Development Project.[2] The purpose of the project is threefold: (i) to actively engage experienced assessors from multiple organizations in the development of a representative set of assessment cases corresponding to the assessment procedures in Special Publication 800-53A; (ii) to provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in the catalog of procedures in this publication; and (iii) to provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the assessment process for more consistent, cost-effective security assessments of federal information systems. The Assessment Case Development Project is described in Appendix H.

In addition to the assessment case project supporting this publication, NIST also initiated the Security Content Automation Protocol (SCAP)[3] project that supports and complements the approach for achieving consistent, cost-effective security control assessments. The primary purpose of the SCAP is to improve the automated application, verification, and reporting of information technology product-specific security configuration settings, enabling organizations to identify and reduce the vulnerabilities associated with products that are not configured properly. As part of this initiative, an Open Checklist Interactive Language (OCIL)[4] provides the capability to express the determination statements in the assessment procedures in Appendix F in a framework that will establish interoperability with the validated tool sets supporting SCAP.

Cautionary Note

Organizations should carefully consider the potential impacts of employing the assessment procedures defined in this Special Publication when assessing the security controls in operational information systems. Certain assessment procedures, particularly those procedures that directly impact the operation of hardware, software, or firmware components of an information system, may inadvertently affect the routine processing, transmission, or storage of information supporting organizational missions or business functions. For example, a critical information system component may be taken offline for assessment purposes or a component may suffer a fault or failure during the assessment process. Organizations should also take necessary precautions during security assessment periods to ensure that organizational missions and business functions continue to be supported by the information system and that any potential impacts to operational effectiveness resulting from the assessment are considered in advance.


  1. 5 Special Publication 800-37 provides guidance on applying the RMF to federal information systems.
  2. 6 An assessment case represents a worked example of an assessment procedure that provides specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system.
  3. 7 Special Publication 800-126 provides guidance on the technical specification of the SCAP. Additional details on the SCAP initiative, as well as freely available SCAP reference data, can be found at
  4. 8 OCIL is a framework for expressing security checks that cannot be evaluated without some human interaction or feedback. It is used to determine the state of a system by presenting one or more questionnaires to its intended users. The language includes constructs for questions, instructions for guiding users towards an answer, responses to questions, artifacts, and evaluation results.