NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Automation Support for Security Control Assessments, Volume 1: Overview

Published

Author(s)

Kelley L. Dempsey, Paul Eavy, George Moore

Abstract

This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. The control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities -- called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).
Citation
NIST Interagency/Internal Report (NISTIR) - 8011, Volume 1
Report Number
8011, Volume 1
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

DOI Link

Keywords

actual state, assessment, assessment boundary, assessment method, authorization boundary, automated security control assessment, automation, capability, continuous diagnostics and mitigation, information security continuous monitoring, dashboard, defect, defect check, desired state specification, ISCM dashboard, mitigation, ongoing assessment, root cause analysis, security automation, security capability, security control, security control assessment, security control item
Cybersecurity and privacy

Citation

Dempsey, K. , Eavy, P. and Moore, G. (2017), Automation Support for Security Control Assessments, Volume 1: Overview, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8011-1 (Accessed October 6, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created June 6, 2017, Updated November 10, 2018
Was this page helpful?