Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans



Ronald S. Ross


This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided, along with guidance on analyzing assessment results. [Supersedes SP 800-53A Rev. 1 (June 2010)]

Special Publication (NIST SP) 800-53A Rev 4
Report Number: 800-53A Rev 4


Keywords: Assessment, assurance, E-Government Act, FISMA, Privacy Act, privacy controls, privacy requirements, Risk Management Framework, security controls, security requirements.
Created December 11, 2014, Updated January 27, 2020