NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Assess Step

At A Glance

RMF Assess Step

 

Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
 
Outcomes: 

  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed

 


Resources for Implementers


NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

  • Guidelines for building effective assessment plans, detailing the process for conducting control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
  • The assessment procedures are used as a starting point for and as input to the assessment plan.

NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes

  • A series of publications to support automated assessment of most of the security controls in NIST SP 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
  • For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
  • Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).

 



Created November 30, 2016, Updated September 24, 2024