NIST has released Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations. Updated to correspond with the security and privacy controls in SP 800-53 Revision 5, this publication provides a methodology and set of assessment procedures to verify that the controls are implemented, meet stated control objectives, and achieve the desired security and privacy outcomes.
The SP 800-53A assessment procedures are flexible, provide a framework and starting point for control assessments, and can be tailored to the needs of organizations and assessors. SP 800-53A facilitates security and privacy control assessments conducted within an effective risk management framework. The revision includes new assessment procedures that address newly added and updated privacy and supply chain risk management controls in SP 800-53 Revision 5. SP 800-53A also introduces a new structure for assessment procedures to better support the use of automated tools, improve the efficiency of control assessments for assessors and organizations, and support continuous monitoring and ongoing authorization programs.
To facilitate use, the assessment procedures are published in multiple data formats, including comma-separated values (CSV), plain text, and Open Security Controls Assessment Language (OSCAL). These are accessible on the publication details page and in the OSCAL Content Git Repository.
Direct questions and comments to sec-cert [at] nist.gov (sec-cert[at]nist[dot]gov).