Assessment Methods and Procedures
_____________________________________
NIST
Special Publication 800-53A
(Third Public Draft)
Guide for Assessing the Security Controls in Federal Information Systems
The purpose of NIST Special Publication 800-53A is to establish common methods and procedures to assess the effectiveness of security controls in federal information systems, specifically those controls listed in NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems. The assessment methods and procedures are used to determine if the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency. Agencies use the recommended assessment procedures from NIST Special Publication 800-53A as the starting point for developing more specific test and evaluation procedures, which may, in certain cases, be needed because of platform dependencies or other implementation-related considerations. The assessment methods and procedures in Special Publication 800-53A can be supplemented by the agency, if needed, based on an organizational assessment of risk. Agencies must create additional assessment procedures for those security controls that are not contained in NIST Special Publication 800-53. The employment of standardized assessment methods and procedures promotes more consistent, comparable, and repeatable security assessments of federal information systems.