Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans



Ronald S. Ross, L A. Johnson


[Superseded by SP 800-53A Rev. 4 (December 2014):] Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of 05-01-2010). NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies and includes security control assessment procedures for both national security and non national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle including development, implementation, and operation. The important changes described in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management. The increased flexibility in the selection of assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the assessment process at every stage in the system development life cycle. [Supersedes NIST SP 800-53A (July 2008):]
Special Publication (NIST SP) - 800-53A Rev 1
Report Number
800-53A Rev 1


assurance requirements, attributes, categorization, FISMA, NIST SP 800-53, risk management, security assessment plans, security controls


Ross, R. and Johnson, L. (2010), Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 21, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created June 29, 2010, Updated February 19, 2017