U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Assess Step

At A Glance

RMF Assess Step


Purpose: Determine if the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect
to meeting the security and privacy requirements for the system and the organization.

  • assessor/assessment team selected
  • security and privacy assessment plans developed
  • assessment plans are reviewed and approved
  • control assessments conducted in accordance with assessment plans
  • security and privacy assessment reports developed
  • remediation actions to address deficiencies in controls are taken
  • security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
  • plan of action and milestones developed


Resources for Implementers

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

  • Guidelines for building effective assessment plans, detailing the process for conducing control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
  • The assessment procedures are used as a starting point for and as input to the assessment plan.

NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes

  • A series of publications to support automated assessment of most of the security
    controls in NIST SP 800-53. Referencing SP 800-53A, the controls are
    divided into more granular parts (determination statements) to be assessed.
  • For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
  • Automated assessments (in the form of
    defect checks) are performed using the test assessment method defined in SP 800-53A by
    comparing a desired and actual state (or behavior).


Back to About the RMF

Created November 30, 2016, Updated November 01, 2021