Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Risk Management Framework RMF

Assessment Cases - Download Page

The Assessment Cases available for download correspond with NIST Special Publication 800-53, Revision 3. The assessment cases were developed by an interagency working group that has disbanded. Assessment cases for consistency with SP 800-53A Rev 4 or newer will not be developed but the existing assessment cases may continue to be applied and also may be used as a model to extrapolate assessment cases for controls added or changed in NIST SP 800-53 Revision 4 or newer.

Cautionary Note: The assessment cases developed for this project are not the only acceptable assessment cases; rather, the cases represent one possible set of assessor actions for organizations (and assessors supporting those organizations) to use in helping to determine the effectiveness of the security controls employed within the information systems undergoing assessments.

Key to Download Assessment Case Files

There is a Microsoft (MS) Word file for each assessment case, and an assessment case for each security control identified below. For example, file name: SaP-800-53A-R1_ Assessment Case _ AC-02_ipd.docx is the Word file for assessment case for the Access Control family security control AC-2, which is named Account Management.

To make it easier to download these assessment cases, we created 19 separate zip files. There is a zip MS Word file for each security control family. All assessment case files for a particular family (e.g., Access Control, Maintenance, etc.) are within one zip file. For example, for the Access Control family, there are 22 MS Word documents inside the zip file, for the 22 separate assessment cases that are included in Access Control family. There are 18 separate families for these assessment cases. The tables below should help you figure out what family you need to download and/or what files to open within that particular family. The 19th zip file contains ALL of the assessment case files for all 18 families, which are separately zipped up in one zipped file.

Download All 18 Families

Download in Microsoft Word format in a single .ZIP file

After downloading the complete set of 18 families in one zipped file, once the file is unzipped, then you will find each family in its own separate zipped file - 18 zipped files total. Once a particular family zipped file is unzipped, then you will find multiple MS Word files - one for each Control Name for that particular family. Refer to tables below for guidance for titles of each control name.


Download the 22 Access Control Assessment Cases (Zipped Word files)

AC-1 Access Control Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AC-13 Supervision and Review—Access Control
AC-14 Permitted Actions without Identification or Authentication
AC-15 Automated Marking
AC-16 Security Attributes
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Information Systems
AC-21 User-Based Collaboration And Information Sharing
AC-22 Publicly Accessible Content

Download The 5 Awareness And Training Assessment Cases (Zipped Word File)

AT-1 Security Awareness and Training Policy and Procedures
AT-2 Security Awareness
AT-3 Security Training
AT-4 Security Training Records
AT-5 Contacts with Security Groups and Associations

Download The 14 Audit And Accountability Assessment Cases (Zipped Word File)

AU-1 Audit and Accountability Policy and Procedures
AU-2 Auditable Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Generation
AU-13 Monitoring and Disclosure
AU-14 Session Audit

Download The 7 Certification, Accreditation And Security Assessment Cases (Zipped Word Files)

CA-1 Security Assessment and Authorization Policies and Procedures
CA-2 Security Assessments
CA-3 Information System Connections
CA-4 Security Certification
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring

Download The 9 Configuration Management Assessment Cases (Zipped Word File)

CM-1 Configuration Management Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 Information System Component Inventory
CM-9 Configuration Management Plan

Download The 10 Contingency Planning Assessment Cases (Zipped Word File)

CP-1 Contingency Planning Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing and Exercises
CP-5 Contingency Plan Update
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution

Download The 8 Identification And Authentication Assessment Cases (Zip Word File)

IA-1 Identification and Authentication Policy and Procedures
IA-2 User Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)

Download The 8 Incident Response Assessment Cases (Zipped Word File)

IR-1 Incident Response Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing and Exercises
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan

Download The 6 Maintenance Assessment Cases (Zipped Word File)

MA-1 System Maintenance Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Non-Local Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance

Download The 6 Media Protection Assessment Cases(Zipped Word File)

MP-1 Media Protection Policy and Procedures
MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization

Download The 19 Physical And Environmental Protection Assessment Cases (Zipped Word File)

PE-1 Physical and Environmental Protection Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Visitor Control
PE-8 Access Records
PE-9 Power Equipment and Power Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of Information System Components
PE-19 Information Leakage

Download The 6 Planning Assessment Cases (Zipped Word File)

PL-1 Security Planning Policy and Procedures
PL-2 System Security Plan
PL-3 System Security Plan Update
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
PL-6 Security-Related Activity Planning

Download The 11 Program Management Assessment Cases (Zipped Word File)

PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition

Download The 8 Personnel Security Assessment Cases (Zipped Word File)

PS-1 Personnel Security Policy and Procedures
PS-2 Position Categorization
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions

Download The 5 Risk Assessment Cases (Zipped Word FIle)

RA-1 Risk Assessment Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-4 Risk Assessment Update
RA-5 Vulnerability Scanning

Download The 14 System And Services Acquisition Assessment Cases (Zipped Word File)

SA-1 System and Services Acquisition Policy and Procedures
SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-5 Information System Documentation
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing
SA-12 Supply Chain Protection
SA-13 Trustworthiness
SA-14 Critical Information System Components

Download The 34 System And Communications Protection Assessment Cases (Zipped Word File)

SC-1 System and Communications Protection Policy and Procedures
SC-2 Application Partitioning
SC-3 Security Function Isolation
SC-4 Information In Shared Resources
SC-5 Denial of Service Protection
SC-6 Resource Priority
SC-7 Boundary Protection
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment and Management
SC-13 Use of Cryptography
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices
SC-16 Transmission of Security Attributes
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name /Address Resolution Service (Authoritative Source)
SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Honeypots
SC-27 Operating System-Independent Applications
SC-28 Protection of Information at Rest
SC-29 Heterogeneity
SC-30 Virtualization Techniques
SC-31 Covert Channel Analysis
SC-32 Information System Partitioning
SC-33 Transmission Preparation Integrity
SC-34 Non-Modifiable Executable Programs

Download The 13 System And Information Integrity Assessment Cases (Zipped Word File)

SI-1 System and Information Integrity Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories and Directives
SI-6 Security Functionality Verification
SI-7 Software and Information Integrity
SI-8 Spam Protection
SI-9 Information Input Restrictions
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Output Handling and Retention
SI-13 Predictable Failure Prevention


Back to About the RMF

Created November 30, 2016, Updated July 18, 2024