The National Institute of Standards and Technology (NIST) issued the final copy of its security and privacy control assessment procedures on Jan. 25.
Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, has been updated from the draft that NIST issued in August 2021 and on which it gathered public feedback.
The updated version provides organizations with a methodology for assessment procedures “to verify that the controls are implemented, meet stated control objectives, and achieve the desired security and privacy outcomes.”
“The SP 800-53A assessment procedures are flexible, provide a framework and starting point for control assessments, and can be tailored to the needs of organizations and assessors,” NIST said. “SP 800-53A facilitates security and privacy control assessments conducted within an effective risk management framework.”
The revision also includes a new assessment structure to better support automated tools, the efficiency of control assessments for assessors and organizations, and continuous monitoring and ongoing authorization programs.
NIST published the assessment procedures in multiple data formats, including comma-separated values (CSV), plain text, and Open Security Controls Assessment Language (OSCAL).