NIST readies guidance on IT security assessments

The National Institute of Standards and Technology has finished the third and possibly final draft of its revised guidelines for assessing the adequacy of IT security. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, will be released for comment June 4.

NIST is charged under the Federal Information Security Management Act with developing standards and guidance for implementing IT security programs. SP 800-53 is part of a series of documents developed for selecting the proper level and types of IT security controls. The core of the series is Federal Information Processing Standard 200, which establishes minimum security requirements under FISMA. Once those requirements have been established, agencies select the appropriate set of controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems. SP 800-53A is an addendum that sets out the framework for conducting mandatory assessments of security controls required under FISMA.

Comments on previously released drafts have resulted in significant changes in the third draft version, according to NIST. Changes are expected to include a greater emphasis on two-factor authentication, trust relationships to assure adequate security controls at IT vendors and greater restrictions on remote access to sensitive data.

Comments on the current version will be accepted by the Computer Security Division of NIST's IT Laboratory through July 31. Comments can be e-mailed to [email protected] All of the FISMA-related security standards and guidelines can be found at

Final publication of SP 800-53A is expected early next year. NIST will decide on whether additional public drafts are needed based on comments received on the present draft.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected