National Institute for Standards and Technology Special Publication 800-53A
- Provides guidelines for constructing effective security assessment plans and procedures to enable the assessment of security controls utilized in information systems that support agencies in the federal government
- Describes the conceptual framework for the creation of specific procedures for assessing the security controls in NIST Special Publication 800-53
- Illustrates the components of an assessment framework
- Expands the process of deriving assessment procedures using the assessment framework.
- Describes the process of assessing the security controls in organizational information systems including building an effective assurance case
- Discusses the actions needed to prepare for a security assessment
- Directs the creation of effective security assessment plans
- Conveys the process of analyzing, documenting, and reporting security assessment results
- Communicates the importance of continuous examination of security controls for long-term protection
The National Institute of Standards and Technology Special Publication (NIST SP) 800-53A, titled, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans, is a companion document providing guidance for assessing an organization´s compliance with NIST SP 800-53. One of the major design objectives for NIST Special Publication 800-53A is providing an assessment framework and initial starting point for assessment procedures that are essential for achieving consistency of assessments. The guidelines provided in NIST Special Publication 800-53A are appropriate to all federal information systems, except systems designated as national security systems as defined in 44 U.S.C., Section 3542. Security controls are restated in NIST Special Publication 800-53A for assessors´ accessibility, but are not replacements or revisions to the security controls in NIST Special Publication 800-53 which is the authoritative NIST recommendation for employing security controls in federal information systems.
|
