Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Assessing the Effectiveness of Security Controls in Federal Information Systems



Shirley M. Radack


This bulletin summarizes the information presented in NIST Special Publication (SP) 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. The revised guide updates an earlier guide for assessing security controls, and describes the fundamental concepts associated with security control assessments. The publication covers the integration of assessments into the system development life cycle; the importance of an organization-wide strategy for conducting security control assessments; the development of assurance cases to help organizational officials determine the effectiveness of security controls and the overall security of the information system; and the format and content of assessment procedures. The guide details the process for assessing the security controls in organizational information systems and their environments of operation. The bulletin discusses the process for the selection and implementation of security controls, and the integration of security controls assessments into the risk management framework. The bulletin also provides links to publications that present additional information on security controls and the risk management framework.
ITL Bulletin -


assessment procedures, assurance cases, data availability, data confidentiality, data integrity, FISMA, information security, information systems security, risk assessment, risk management, security assessment plans, security controls, security controls assessments, system development life cycle


Radack, S. (2010), Assessing the Effectiveness of Security Controls in Federal Information Systems, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 14, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created August 23, 2010, Updated February 19, 2017