NIST Interagency Report (IR) 8011, Automation Support for Security Control Assessments

    Posted Feb 23, 2023 12:49:00 PM

    Hi All,

    NIST recently published the NIST Interagency Report (IR) 8011, Automation Support for Security Control Assessments (https://csrc.nist.gov/publications/detail/nistir/8011/vol-1/final), which provides guidance on automating the assessment of controls that can be tested. 

    This series of technical publications, based on NIST Special Publication (SP) 800-53 controls and SP 800-53A control assessment procedures, is organized into multiple volumes, each dedicated to addressing a specific security capability (security capabilities are groups of controls that support a common purpose). Previously published volumes, which were based on SP 800-53, Revision 4, are being revised. New volumes covering additional security capabilities are being developed.

    The NIST Risk Management Framework (RMF) team seeks feedback from individuals and organizations who have used our guidance to support automated security control assessments. We would like to understand better the use of the IR 8011 series by adopters, success stories, what adopters liked/disliked about the methodology and about the series overall, the challenges (if any) adopters faced during implementation, and how we can improve the entire series – from the proposed methodology to ways to facilitate its adoption.

    Feedback can be sent via email to the following address: [email protected].



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
    ------------------------------