Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Automation Support for Control Assessments – Project Update and Vision



Eduardo Takamura, Jeremy Licata, Victoria Yan Pillitteri


In 2017, NIST published a methodology for supporting the automation of SP 800-53 control assessments in the form of IR 8011. IR 8011 is a multi-volume series that starts with an overview of the methodology (volume 1) and provides guidance and specifications for automating the assessment of controls that support specific information security continuous monitoring security capabilities, one volume per capability. Four volumes have been released so far, and more volumes are in development. In 2023, the NIST Risk Management Framework project — responsible for the development and maintenance of FISMA-supporting technical publications and the IR 8011 series — performed an internal review of the IR 8011 project. This review yielded results that offered the IR 8011 Development Team opportunities to improve the current IR 8011 methodology, facilitate its adoption, and more. This cybersecurity white paper summarizes some of the findings from this internal review.
Report Number


actual state, assessment, attack, automation, capability, community of interest, CoI, control, control assessment, control item, defect, defect check, defend, desired state specification, FISMA, information security continuous monitoring, ISCM, methodology, monitoring, ongoing assessment, privacy, risk, risk management, security, security automation.


Takamura, E. , Licata, J. and Pillitteri, V. (2023), Automation Support for Control Assessments – Project Update and Vision, OTHER, National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed February 24, 2024)
Created December 6, 2023