The National Institute of Standards and Technology (NIST) is seeking comment on a draft special publication (SP) on assessing security and privacy controls.
Draft SP 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, aims to give organizations a flexible, scalable, and repeatable assessment methodology, with assessment procedures that correspond to the controls in NIST SP 800-53, Revision 5.
“Like previous revisions of SP 800-53A, the generalized assessment procedures provide a framework and starting point to assess the enhanced security requirements and can be tailored to the needs of organizations and assessors,” the NIST notification said. “The assessment procedures can be employed in self-assessments or independent third-party assessments.”
NIST is seeking feedback on the assessment procedures, both in the publication itself and in its electronic versions. Additionally, the agency is interested in the “approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives.”
In addition to providing an update of the assessment procedures to correspond with the controls in NIST SP 800-53, Revision 5, a new format for assessment procedures is being introduced to accomplish the following:
- Improve the efficiency of conducting control assessments;
- Provide better traceability between assessment procedures and controls; and
- Provide better support for the use of automated tools, continuous monitoring, and ongoing authorization programs.
“The testing and evaluation of controls in a system or organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome are critical to managing and measuring risk,” the notification said.
The comment period for the Draft SP is open through Oct. 1, 2021.