Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans



Ronald S. Ross, L A. Johnson, Stuart W. Katzke, Patricia R. Toth, G. Stoneburner, G Rogers


[Superseded by NIST SP 800-53A, Rev. 1 (June 2010):] The purpose of NIST Special Publication 800-53A is to provide guidelines for building effective security assessment plans and procedures to enable the assessment of security controls employed in information systems supporting the executive agencies of the federal government. Organizations should use this publication in conjunction with an approved system security plan to create a viable security assessment plan for producing and compiling the information necessary to determine the effectiveness of the security controls employed within the information system. The assessment procedures should be used as a starting point for and as input to the security assessment. SP 800-53A guidelines are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems. This publication is intended to serve a diverse group of information system and information security professionals, including individuals with information system and security management and oversight responsibilities, integration responsibilities, operational responsibilities, and security assessment and monitoring responsibilities.
Special Publication (NIST SP) - 800-53A
Keywords: categorization, FISMA, penetration testing, risk management, security assessment plans, security controls


Ross, R., Johnson, L., Katzke, S., Toth, P., Stoneburner, G. and Rogers, G. (2008), Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD (Accessed July 21, 2024)


Created July 1, 2008, Updated February 19, 2017