Analysis: NIST Risk Management Framework 800-53A Assessment Objectives
Sources:
- Organization: National Institute of Standards and Technology (NIST)
- Data Source: SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations
Summary baseline counts:
- LOW = 1,374 assessment objectives
- MODERATE = 1,890 assessment objectives
- HIGH = 2,165 assessment objectives
Recommendation: Focus on the Assessment Objectives to ensure the Security Controls are comprehensively implemented. The Assessment Objectives are the most granular pieces of the framework: each one is a single determination statement that an assessor must find satisfied or other than satisfied, so working at this level leaves no part of a control untested.
NIST Risk Management Framework (RMF) tasks relevant for Assessment Objective level focus:
- Step 2 - Select
  - Task S-2: Control Tailoring
  - Task S-3: Control Allocation
  - Task S-4: Documentation of Planned Control Implementations
  - Task S-5: Continuous Monitoring Plan
- Step 3 - Implement
  - Task I-2: Update Control Implementation Information
- Step 4 - Assess
  - Task A-2: Assessment Plan
  - Task A-3: Control Assessment
  - Task A-4: Assessment Reports
  - Task A-5: Remediation Plans
  - Task A-6: Plan of Action and Milestones
- Step 6 - Monitor
  - Task M-2: Ongoing Assessments
  - Task M-4: Authorization Package Updates
Link to the corresponding table chart - here.