U.S. Department of Health and Human Services
Security control assessments determine the extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. NIST SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, is designed to establish a set of standardized assessment techniques and procedures for each security control listed in NIST SP 800-53 Revision 3.
For a new system, security controls are tested by way of an independent security controls assessment. Once a system is operational, a subset of its controls must be assessed, at least annually, in between independent security controls assessment efforts.
IT Administrators may participate in the annual internal assessment of a system’s controls, or may be responsible for refining controls if an independent reviewer finds weaknesses.
Page 6 of 9
Implementation & Assessment Phase
Security Controls Assessment