Tags: NIST, Draft SP 800-53A Revision 5, Comment Period, assessment objectives, determination statements, assessment methods, assessment objects
Control assessments are not
about checklists, simple pass/fail results, or generating paperwork to pass
inspections or audits. The testing and evaluation of controls in a system or
organization to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome are
critical to managing and measuring risk. Additionally, control assessment
results serve as an indication of the quality of the risk management processes,
help identify security and privacy strengths and weaknesses within systems, and
provide a road map to identifying, prioritizing, and correcting identified
deficiencies.
Draft NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy
Controls in Information Systems and Organizations, provides organizations with a flexible, scalable, and
repeatable assessment methodology and assessment procedures that correspond
with the controls in NIST SP 800-53, Revision 5. Like previous revisions of SP
800-53A, the generalized assessment procedures provide a framework and starting
point to assess the enhanced security requirements and can be tailored to the
needs of organizations and assessors. The assessment procedures can be employed
in self-assessments or independent third-party assessments.
In addition to the update of
the assessment procedures to correspond with the controls in SP 800-53,
Revision 5, a new format for assessment procedures in this revision to SP
800-53A is introduced to:
- Improve the efficiency
of conducting control assessments,
- Provide better
traceability between assessment procedures and controls, and
- Better support the use
of automated tools, continuous monitoring, and ongoing authorization
programs.
NIST is seeking feedback on the
assessment procedures in this publication and in electronic versions (OSCAL,
CSV, and plain text), including the assessment objectives, determination
statements, and potential assessment methods and objects. We are also
interested in the approach taken to incorporate organization-defined parameters
into the determination statements for the assessment objectives. To facilitate
their review and use by a broad range of stakeholders, the assessment
procedures are available for comment and use in PDF format, as well as comma-separated
value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL)
formats.
The comment period is open through October 1, 2021. See the publication details for a copy of the
draft and associated files, and instructions for submitting comments. We
encourage you to submit comments using the comment template provided.
Please submit inquiries and
comments to sec-cert@nist.gov.
NOTE: A call for patent claims is included on page vii of
this draft. For additional information, see the Information Technology Laboratory
(ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Publication details:
https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/draft
ITL Patent Policy:
https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications
