NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- Guidelines for building effective assessment plans, detailing the process for conducting control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
- The assessment procedures are used as a starting point for and as input to the assessment plan.
NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes
- A series of publications to support automated assessment of most of the security controls in NIST SP 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
- For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
- Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).