
Assessing Security and Privacy Controls in Information Systems and Organizations



Victoria Yan Pillitteri


This publication provides a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided along with guidance on analyzing assessment results. [Supersedes SP 800-53A Rev. 4 (PubID 917644)]
Special Publication (NIST SP) - 800-53A Rev. 5
Report Number
800-53A Rev. 5


Assessment, assessment plan, assurance, control assessment, FISMA, Privacy Act, privacy controls, Open Security Controls Assessment Language, OSCAL, privacy requirements, Risk Management Framework, security controls, security requirements.


Pillitteri, V. (2022), Assessing Security and Privacy Controls in Information Systems and Organizations, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 24, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created January 25, 2022, Updated November 29, 2022