NIST SP 800-53A Front Matter
|NIST Special Publication 800-53A||Guide for Assessing the Security Controls in Federal Information Systems|
|Building Effective Security Assessment Plans|
|I N F O R M A T I O N||S E C U R I T Y|
|Computer Security Division|
|Information Technology Laboratory|
|National Institute of Standards and Technology|
|Gaithersburg, MD 20899-8930|
|U.S. Department of Commerce|
|Carlos M. Gutierrez, Secretary|
|National Institute of Standards and Technology|
|James M. Turner, Deputy Director|
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
This document has been developed by the National Institute of Standards and Technology (NIST) to further its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, P.L. 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
This guideline has been prepared for use by federal agencies. However, it may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.)
Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
|Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.|
Compliance with NIST Standards and Guidelines
NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems.
- Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.
- Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.1 
- Other security-related publications, including interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.
- For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.2 
- For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.
The authors, Ron Ross, Arnold Johnson, Stu Katzke, Patricia Toth, Gary Stoneburner, and George Rogers, wish to thank their colleagues who reviewed drafts of this document and contributed to its development. A special note of thanks is also extended to Peggy Himes and Elizabeth Lennon for their superb technical editing and administrative support. The authors also gratefully acknowledge and appreciate the many contributions from individuals in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.
A special acknowledgement is also given to the participants in the Assessment Case Development Project (described in Appendix J of this publication) who have put forth significant effort in helping to develop a representative set of assessment cases for the assessment procedures in NIST Special Publication 800-53A. These individuals include: Lynn Henderson, Sue Acosta, Peter Crichlow, Ryan Higgins, Ed Siewick, and John Wyatt (Department of Justice); Ed Lewis and Lucas Samaras (Department of Energy); Waylon Krush (Department of Transportation); Steven Rodrigo, Troy McCoy, and Clifford Arms (Office of the Director of National Intelligence); Bennett Hodge (Booz Allen Hamilton); and Gary Stoneburner (Johns Hopkins University Applied Physics Laboratory).
FEDERAL INFORMATION SECURITY MANAGEMENT ACT
|IMPLEMENTING SECURITY STANDARDS AND GUIDELINES|
|FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory, non-waiverable standard developed in response to the Federal Information Security Management Act of 2002. To comply with the federal standard, agencies must first determine the security category of their information system in accordance with the provisions of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and then apply the appropriate set of baseline security controls in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.|
|The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. The agency's risk assessment validates the security control set and determines if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors.|
|In addition to the security requirements established by FISMA, there may also be specific security requirements in different business areas within agencies that are governed by other laws, Executive Orders, directives, policies, regulations, or associated governing documents, (e.g., the Health Insurance Portability and Accountability Act of 1996, the Federal Financial Management Improvement Act of 1996, or OMB Circular A-127 on Financial Management Systems). These requirements may not be equivalent to the security requirements and implementing security controls required by FISMA or may enhance or further refine the security requirements and security controls. It is important that agency officials (including authorizing officials, chief information officers, senior agency information security officers, information system owners, information system security officers, and acquisition authorities) take steps to ensure that: (i) all appropriate security requirements are addressed in agency acquisitions of information systems and information system services; and (ii) all required security controls are implemented in agency information systems. See http://csrc.nist.gov/sec-cert/ca-compliance.html for additional information on FISMA compliance.|
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
|COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES|
|In developing standards and guidelines required by the Federal Information Security Management Act (FISMA), NIST consults with other federal agencies and offices as well as the private sector to improve information security, avoid unnecessary and costly duplication of effort, and ensure that NIST standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems. In addition to its comprehensive public review and vetting process, NIST is working with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to establish a common foundation for information security across the federal government. The common foundation for information security will provide the Intelligence, Defense, and Civil sectors of the federal government and their support contractors, more uniform and consistent ways to manage the risk to organizational operations, organizational assets, individuals, other organizations, and the Nation that results from the operation and use of information systems. In another collaboration initiative, NIST is working with public and private sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS).|
Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, is written to facilitate security control assessments conducted within an effective risk management framework. The assessment results provide organizational officials:
- Evidence about the effectiveness of security controls in organizational information systems;
- An indication of the quality of the risk management processes employed within the organization; and
- Information about the strengths and weaknesses of information systems which are supporting critical federal missions and applications in a global environment of sophisticated threats.
The findings produced by assessors are used primarily in determining the overall effectiveness of the security controls in an information system and in providing credible and meaningful inputs to the organization's security accreditation (information system authorization) process. A well- executed assessment helps to determine the validity of the security controls contained in the security plan (and subsequently employed in the information system) and to facilitate a cost- effective approach to correcting any deficiencies in the system in an orderly and disciplined manner consistent with the organization's mission/business requirements.
NIST Special Publication 800-53A is a companion guideline to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Each publication provides guidance for implementing the steps in the NIST Risk Management Framework.3  NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection (i.e., determining what security controls are needed to protect organizational operations and assets, individuals, other organizations, and the Nation) in accordance with the security requirements in FIPS 200.4  This includes: (i) selecting an initial set of baseline security controls based on a FIPS 199 worst-case, impact analysis;5  (ii) tailoring the baseline security controls; and (iii) supplementing the security controls, as necessary, based on an organizational assessment of risk. NIST Special Publication 800-53A covers both the security control assessment and continuous monitoring steps in the Risk Management Framework and provides guidance on the security assessment process. This guidance includes how to build effective security assessment plans and how to manage assessment results.
NIST Special Publication 800-53A has been developed with the intention of enabling organizations to tailor and supplement the basic assessment procedures provided. The concepts of tailoring and supplementation used in this document are similar to the concepts described in NIST Special Publication 800-53. Tailoring involves scoping the assessment procedures to match the characteristics of the information system under assessment. The tailoring process provides organizations with the flexibility needed to avoid assessment approaches that are unnecessarily extensive or more rigorous than necessary. Supplementation involves adding assessment procedures or assessment details to adequately meet the organization's risk management needs (e.g., adding assessment objectives or adding organization-specific details such as system/platform-specific information for selected security controls). Supplementation decisions are left to the discretion of the organization in order to maximize flexibility in developing security assessment plans when applying the results of risk assessments in determining the extent, rigor, and level of intensity of the assessments.
While flexibility continues to be an important factor in developing security assessment plans, consistency of assessments is also an important consideration. A major design objective for NIST Special Publication 800-53A is to provide an assessment framework and initial starting point for assessment procedures that are essential for achieving such consistency. In addition to the assessment framework and initial starting point for assessment procedures, NIST initiated an Assessment Case Development Project.6  The purpose of the project is threefold: (i) to actively engage experienced assessors from multiple organizations in the development of a representative set of assessment cases corresponding to the assessment procedures in NIST Special Publication 800-53A; (ii) to provide organizations and the assessors supporting those organizations with an exemplary set of assessment cases for each assessment procedure in the catalog of procedures in this publication; and (iii) to provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the assessment process for more consistent, cost-effective security assessments of federal information systems. The Assessment Case Development Project is described in Appendix J.
In addition to the above project, NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments outlined in this publication. The primary purpose of the ISAP/SCAP is to improve the automated application, verification, and reporting of commercial information technology product-specific security configuration settings, thereby reducing vulnerabilities when products are not configured properly. The ultimate objective is to achieve a direct linkage, where appropriate, of the assessment procedures found in NIST Special Publication 800-53A to the SCAP automated testing of information system mechanisms and associated security configuration settings.7 
Finally, it should be noted that for environments with credible threat information indicating sophisticated, well-resourced threat agents and possible attacks against high-value targets, additional assurances may be required. NIST Special Publication 800-53 indicates the need for explicit risk acceptance or additional assurances for moderate-impact and high-impact information systems whenever the organization is relying on one or more security controls to mitigate risks from more capable threat sources. In a similar manner, NIST Special Publication 800-53A recognizes that, for such controls, additional organizationally-derived assessment activities will likely be required. These additional assessment activities will include the assessment objectives associated with verifying the Additional Requirements Enhancing Moderate-impact and High-impact Information Systems in Appendix E of NIST Special Publication 800-53—that is, the security controls in the information system are developed in a manner that supports a high degree of confidence the controls are complete, consistent, and correct, resulting in a greater degree of trustworthiness and penetration resistance of the system.
|Organizations should carefully consider the potential impacts of employing the procedures defined in this Special Publication when assessing the security controls in operational information systems. Certain assessment procedures, particularly those procedures that directly impact the operation of hardware, software, and/or firmware components of an information system, may inadvertently affect the routine processing, transmission, or storage of information supporting critical organizational missions or business functions. For example, a key information system component may be taken offline for assessment purposes or a component may suffer a fault or failure during the assessment process. Organizations should take necessary precautions during security control assessment periods to ensure that organizational missions and business functions continue to be supported by the information system and that only approved impacts to operational effectiveness are caused by the assessment. Security controls from NIST Special Publication 800-53 (as amended) have been restated in NIST Special Publication 800-53A for ease of reference by assessors in specifying assessment procedures for conducting assessments of security controls and should not be viewed as replacing or revising the security controls in Special Publication 800-53, which remains the definitive NIST recommendation for employing security controls in federal information systems. Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing Standards and Special Publications) are to the most recent version of the referenced publication.|
- While agencies are required to follow NIST guidance in accordance with OMB policy, there is flexibility within NIST's guidance in how agencies apply the guidance. Unless otherwise specified by OMB, the 800-series guidance documents published by NIST generally allow agencies some latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. When assessing agency compliance with NIST guidance, auditors, inspectors general, evaluators, and/or assessors should consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.
- The one-year compliance date for revisions to NIST Special Publications applies only to the new and/or updated material in the publications resulting from the periodic revision process. Agencies are expected to be in compliance with previous versions of NIST Special Publications within one year of the publication date of the previous versions.
- The Risk Management Framework is described in NIST Special Publication 800-39 and consists of a six-step process to ensure the development and implementation of comprehensive information security programs for organizations.
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
- An assessment case represents a worked example of an assessment procedure that provides specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system.
- Additional details on the ISAP/SCAP initiative, as well as freely available SCAP reference data, can be found at the NIST website at http://nvd.nist.gov.