

Risk Management Framework (RMF) - Assess Step

At A Glance

RMF Assess Step


Purpose: Determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

Outcomes:

  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed


Resources for Implementers

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

  • Guidelines for building effective assessment plans, detailing the process for conducting control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
  • The assessment procedures are used as a starting point for and as input to the assessment plan.

NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes

  • A series of publications to support automated assessment of most of the security controls in NIST SP 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
  • For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
  • Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).
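The following is an added example written for this page, not NIST tooling and not part of NISTIR 8011 itself. It shows the desired-versus-actual comparison the bullets above describe: each defect check ties one determination statement to a desired state, pulls the actual state from an asset record, and records a finding, with per-check defect counts rolled up for an assessment report. The control families cited (AC-7, IA-5, AU-12) are real SP 800-53 identifiers, but the determination wording, the organization-defined thresholds (5 attempts, 14 characters), the check IDs and the host inventory are all constructed for illustration.

```python
"""Added example (not NIST code): a small automated "defect check" runner in
the spirit of NISTIR 8011.  Each check ties one determination statement to a
desired state and compares it with the actual state collected from an asset,
which is the SP 800-53A "test" method.  Control identifiers name real SP 800-53
controls; the determination wording, organization-defined values, check IDs
and the host inventory are constructed for illustration."""

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class DefectCheck:
    check_id: str          # constructed identifier for the check
    control_item: str      # SP 800-53 control item the check supports
    determination: str     # determination statement being tested (paraphrased)
    desired: Any           # desired state (assumed organization-defined value)
    actual_of: Callable[[dict], Any]   # pulls the actual state from an asset record
    satisfied: Callable[[Any, Any], bool] = lambda desired, actual: desired == actual


@dataclass(frozen=True)
class Finding:
    check_id: str
    control_item: str
    asset: str
    desired: Any
    actual: Any
    satisfied: bool


def run_checks(checks: list[DefectCheck], inventory: list[dict]) -> list[Finding]:
    """Evaluate every check against every asset.  Missing data is recorded as a
    defect: if the actual state cannot be collected, the assessor cannot show
    the control is producing its intended outcome."""
    findings = []
    for asset in inventory:
        for chk in checks:
            try:
                actual = chk.actual_of(asset)
            except KeyError:
                actual = None
            ok = actual is not None and chk.satisfied(chk.desired, actual)
            findings.append(Finding(chk.check_id, chk.control_item,
                                    asset["hostname"], chk.desired, actual, ok))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict]:
    """Roll findings up per check: assets assessed, defects, and defect rate,
    the kind of coverage figure a security assessment report carries."""
    summary: dict[str, dict] = {}
    for f in findings:
        s = summary.setdefault(f.check_id, {"control_item": f.control_item,
                                            "assessed": 0, "defects": 0})
        s["assessed"] += 1
        if not f.satisfied:
            s["defects"] += 1
    for s in summary.values():
        s["defect_rate"] = s["defects"] / s["assessed"]
    return summary


def defective_assets(findings: list[Finding], check_id: str) -> list[str]:
    """Hostnames that failed a given check, for the plan of action and milestones."""
    return sorted(f.asset for f in findings if f.check_id == check_id and not f.satisfied)


# Constructed checks.  Thresholds are assumed organization-defined values.
CHECKS = [
    DefectCheck("CHK-AC-7-01", "AC-7 a.",
                "consecutive invalid logon attempts are limited to at most 5",
                5, lambda a: a["config"]["max_failed_logons"],
                lambda desired, actual: actual <= desired),
    DefectCheck("CHK-IA-5-01", "IA-5(1)",
                "minimum password length is at least 14 characters",
                14, lambda a: a["config"]["min_password_len"],
                lambda desired, actual: actual >= desired),
    DefectCheck("CHK-AU-12-01", "AU-12 a.",
                "audit record generation is enabled",
                True, lambda a: a["config"]["audit_enabled"]),
]

# Constructed inventory standing in for what an automated collector would return.
INVENTORY = [
    {"hostname": "app01", "config": {"max_failed_logons": 5,  "min_password_len": 14, "audit_enabled": True}},
    {"hostname": "app02", "config": {"max_failed_logons": 10, "min_password_len": 14, "audit_enabled": True}},
    {"hostname": "db01",  "config": {"max_failed_logons": 3,  "min_password_len": 8,  "audit_enabled": False}},
    {"hostname": "web01", "config": {"max_failed_logons": 5,  "min_password_len": 14}},  # audit setting not collected
]

if __name__ == "__main__":
    results = run_checks(CHECKS, INVENTORY)
    for check_id, s in summarize(results).items():
        print(f"{check_id} ({s['control_item']}): {s['defects']}/{s['assessed']} defective "
              f"-> {defective_assets(results, check_id)}")
```

Note that `web01` fails the audit-logging check even though nothing says it is misconfigured: the collector returned no value, and an automated assessment that silently treats unknown as compliant would overstate control effectiveness. Treating missing evidence as a defect keeps the defect rate honest and surfaces collection gaps alongside real misconfigurations.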



Created November 30, 2016, Updated July 18, 2024