The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations.
The final publication follows an initial public draft of SP 800-53A Revision 5 and the public comment period that accompanies every NIST Special Publication.
The NIST press release highlights several key updates and points related to SP 800-53A Revision 5:
The revision corresponds with the security and privacy controls in SP 800-53 Revision 5 and provides a methodology and set of assessment procedures to verify that the controls are implemented, meet their stated control objectives and achieve the desired security and privacy outcomes.
The revision includes new assessment procedures that address the privacy and supply chain risk management controls recently added to or updated in SP 800-53 Revision 5.
The revision introduces a new structure for assessment procedures to better support the use of automated assessment tools, improve the efficiency of control assessments for assessors and organizations, and support continuous monitoring and ongoing authorization programs.
SP 800-53A assessment procedures are flexible; they provide a framework and starting point for control assessments and can be tailored to the needs of organizations and assessors.
SP 800-53A facilitates security and privacy control assessments conducted within an effective risk management framework.
This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results.
NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. NIST pursues this mission in part by developing Special Publications devoted to specific information security topics.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].