
Security Assessments: Tools for Measuring the Effectiveness of Security Controls



Shirley M. Radack


This bulletin summarizes information disseminated in NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, by Ron Ross, Arnold Johnson, Stu Katzke, and Patricia Toth of NIST, by Gary Stoneburner of the Johns Hopkins University Applied Physics Laboratory, and by George Rogers of BAE Systems. SP 800-53A is a companion guideline to NIST SP 800-53, Recommended Security Controls for Federal Information Systems. Both of these publications emphasize the use of security control assessments within an effective risk management framework. The bulletin covers the requirements for security controls under the Federal Information Security Management Act (FISMA) of 2002, and the Risk Management Framework, which was developed by NIST and which provides the structure for selecting and assessing security controls. The bulletin also summarizes the activities that NIST recommends organizations conduct to assess the effectiveness of their security controls.
ITL Bulletin


FISMA, information systems security, information technology, risk management framework, security assessments, security controls, security plans, security threats, security vulnerabilities


Radack, S. (2008), Security Assessments: Tools for Measuring the Effectiveness of Security Controls, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 19, 2024)
Created August 21, 2008, Updated October 15, 2008