NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Automation Support for Control Assessments – Project Update and Vision

Published

Author(s)

Eduardo Takamura, Jeremy Licata, Victoria Yan Pillitteri

Abstract

In 2017, NIST published a methodology for supporting the automation of SP 800-53 control assessments in the form of IR 8011. IR 8011 is a multi-volume series that starts with an overview of the methodology (volume 1) and provides guidance and specifications for automating the assessment of controls that support specific information security continuous monitoring security capabilities, one volume per capability. Four volumes have been released so far, and more volumes are in development. In 2023, the NIST Risk Management Framework project — responsible for the development and maintenance of FISMA-supporting technical publications and the IR 8011 series — performed an internal review of the IR 8011 project. This review yielded results that offered the IR 8011 Development Team opportunities to improve the current IR 8011 methodology, facilitate its adoption, and more. This cybersecurity white paper summarizes some of the findings from this internal review.
Citation
OTHER - CSWP 30
Report Number
CSWP 30
NIST Pub Series
Other
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.CSWP.30
Local Download

Keywords

actual state, assessment, attack, automation, capability, community of interest, CoI, control, control assessment, control item, defect, defect check, defend, desired state specification, FISMA, information security continuous monitoring, ISCM, methodology, monitoring, ongoing assessment, privacy, risk, risk management, security, security automation.
Risk management, Information technology and Cybersecurity and privacy

Citation

Takamura, E. , Licata, J. and Pillitteri, V. (2023), Automation Support for Control Assessments – Project Update and Vision, OTHER, National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.30, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=956740 (Accessed October 27, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created December 6, 2023
Was this page helpful?