On December 12, 2014, the National Institute for Standards and Technology (“NIST”) announced the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (“SP 800-53A”). SP 800-53A is a companion guideline to Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”) and discusses how to build effective assessment plans and how to analyze and manage assessment results.

NIST’s announcement highlights SP 800-53A which contains significant changes to the 2010 version of the publication. SP 800-53A aims to provide an updated, more comprehensive set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. These procedures are customizable and designed to meet organization’s needs for flexibility in security control assessments and privacy control assessments.  These control assessments are designed to yield: (1) evidence about the effectiveness of implemented controls; (2) an indication of the quality of the risk management processes; and (3) information about the strengths and weaknesses of information systems. In addition, SP 800-53A is said to facilitate significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies, which are essential for implementation.  Among other notable changes, SP 800-53A introduces Appendix J, Privacy Assessment Procedures. Although Appendix J is currently under development and marked as a placeholder, it is expected to provide a complete set of assessment procedures for the privacy controls outlined in SP 800-53.  SP 800-53A is intended to serve individuals with information system development responsibilities; with information security assessment and monitoring responsibilities; information system, security, privacy, and risk management and oversight responsibilities; and information security implementation and operational responsibilities.