U.S. Department of Health and Human Services
The controls found in NIST SP 800-53 Rev. 3 can be used as part of a risk assessment or security test and evaluation.
The implementation (or planned implementation) of these controls should be documented in the SP.
IT Administrators may be responsible for testing the controls, or implementing controls after an external/independent reviewer finds weaknesses.
Page 2 of 5
Using Security Controls
How Controls are Implemented and Tested