
A new format for assessment procedures is introduced in this revision to Special Publication 800-53A. The format reflects the decomposition of assessment objectives into more granular determination statements wherever possible—thus providing the capability to identify and assess specific parts of security and privacy controls. The changes have been initiated to: (i) help improve the readability of assessment procedures; (ii) provide a better format and structure for automated tools when assessment information is imported into such tools; (iii) provide greater flexibility in conducting assessments by giving organizations the capability to target certain aspects of security controls and privacy controls (highlighting the particular weaknesses and/or deficiencies in controls); (iv) improve the efficiency of security and privacy assessments; and (v) support continuous monitoring and ongoing authorization programs by providing a greater number of component parts of security and privacy controls that can be assessed at organization-defined frequencies and degrees of rigor. Having the ability to apply assessment and monitoring resources in a targeted and precise manner while simultaneously maximizing the use of automation technologies can result in more timely and cost-effective assessment processes for organizations.
Note: Special Publication 800-53 will be updated accordingly to ensure that the numbering scheme for all security and privacy controls is consistent with the new format introduced in this publication.