Security Controls Review and Assessments

Topics: assessment, security review

PS-08-029.02 Security Controls Review and Assessments

Issue Date: 3/20/2008

Effective Date: 3/20/2008

Reviewed Date: 1/31/2022


Security controls reviews and assessments are important activities in the risk management process and an agency’s information security program. Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels, and they identify areas requiring supplemental controls. Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible, enabling them to make sound risk-based decisions regarding the operations of the information system.


Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness and to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency security policies, standards and requirements.


Independent Security Assessments (SS-08-042)

Information Security - Risk Management (PS-08-031)

Risk Management Framework (SS-08-041)


NIST SP 800-12 Introduction to Computer Security NIST Handbook (Assessment, Authorization, and Monitoring)

NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations (