This is for discussion of NIST's final release of SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations (CSRC).
Some highlights and guidelines:
- An executive summary that reorients the traditional thinking and approach to security and privacy controls.
- Fundamentals for assessing the structure and organization infrastructure
- Processes for preparing, developing, conducting, and analyzing security and privacy control assessments
- Procedures for security and privacy assessment
Is there anything in NIST’s paper that surprised you?
Was a procedure or best practice defined correctly by NIST?
Will you change anything about your or your org's security and privacy control assessments as a result of reading this paper?
Discuss here!