June 12, 2018

NIST 800-53 Security Assessment Process

NuHarbor Security

Are you shopping for a comprehensive security assessment, but want to know what you’re in for? In this post, we’ll break down the process using an example NIST 800-53 security assessment so you can determine whether you’re ready now or would benefit from a preparatory consulting engagement with NuHarbor. This guide will help you understand what to expect before, during, and after a security assessment, and the value a controls assessment can bring to your organization.

Ideally, organizations will have completed a formal risk assessment to understand threats and vulnerabilities to their environment and the information they protect before launching a controls assessment. Once the results of a risk assessment have been obtained, organizations can select controls from a framework (e.g., NIST 800-53) to help treat their risk, thereby making their information security (IS) program risk-informed. While our general recommendation is that organizations follow this model, this isn’t always the case due to time and resource constraints. Regardless, NuHarbor is prepared to guide any organization through this process.

Many organizations mistake an assessment for an audit and use the terms interchangeably, which can breed internal uncertainty and worry. NuHarbor begins every engagement by allaying those fears – we’re a true partner to the organizations we serve, and encourage client staff to be more relaxed. This helps us identify additional areas for improvement because employees are no longer concerned their jobs may be in jeopardy; they’re more interested in identifying and resolving shortcomings, rather than pointing blame or passing the buck. We’ve also found this approach fosters a culture of security mindedness, paying dividends to the organization in the future.

A NIST 800-53 security assessment usually takes place over a period of 4–6 weeks, depending on the size of the organization and the scope of the assessment. Our focus is on the mission-critical areas of an organization’s business.

A NIST 800-53 security assessment process can be described in several phases, commonly occurring one right after the other.

Security Assessment Phase 1: Document Review
(Approximately 1 week – remote)

Leading up to the start of the engagement, NuHarbor sends a document request list (DRL) detailing common IS program artifacts. IS documentation generally comprises the policies, procedures, and standards that articulate the client's current security program and practices. During this phase, clients provide any available documentation and answer a limited set of questions via phone or email.

Documentation review helps us understand the structure and components of an organization’s IS program and allows us to develop contextually relevant questions for phase two.

Security Assessment Phase 2: Staff Interviews and Assurance Testing
(Approximately 1–2 weeks – onsite or remote)

During this phase, we interview client team members whose roles relate to the NIST control families. Questions cover items raised during the documentation review, clarification of local procedures, and how specific controls are implemented. In addition to interviews, NuHarbor conducts assurance testing of key controls and gathers additional artifacts that demonstrate the implementation and effectiveness of those controls.

Security Assessment Phase 3: Report Delivery and Review
(Approximately 2–3 weeks – remote)

Following phases one and two, our analysts will review the security assessment output and develop:

  • A report that includes a 3–4-page executive overview describing identified control gaps, suggested improvements, and high-level compliance dashboards.
  • A detailed compliance spreadsheet that assesses each control, including its implementation status, a priority level for remediation, and high-level notes on potential remedies or recommendations.

During this time, clarifying questions may be asked by email or phone.

Once the report and spreadsheet are delivered, organizations are asked to review over a defined period. At the end of this review period, NuHarbor usually hosts a teleconference to answer any questions or clarify information in the report. Following this meeting, final copies of the report and spreadsheet are released to the organization.

Many clients will present our report to their executive leadership team to demonstrate a bird’s-eye view of their organization’s security posture. Information Security Directors or other department managers may use the spreadsheet as a working document to track control-by-control implementation.
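As an added illustration of how the two deliverables relate (this is example code, not NuHarbor's tooling or report format), the script below takes a control-by-control spreadsheet of the kind described above and derives both a family-level compliance dashboard for the executive overview and a prioritized remediation list for the working document. It assumes control IDs use the NIST 800-53 "FAMILY-NUMBER" form (e.g. AC-2), that status is one of four constructed values, and that priority is an integer with 1 most urgent; the sample rows are constructed, not real findings.

```python
"""Added example (not NuHarbor's tooling): derive an executive dashboard and a
prioritized remediation list from a control-by-control assessment spreadsheet.

Assumptions: control IDs follow the NIST 800-53 "FAMILY-NUMBER" form (AC-2),
status is one of the four constructed values in STATUS_WEIGHT, and priority is
an integer where 1 is most urgent. SAMPLE_CSV is constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of a detailed compliance spreadsheet (not real findings).
SAMPLE_CSV = """control,status,priority,notes
AC-2,Implemented,3,Account provisioning is documented and followed
AC-6,Partially Implemented,1,Least privilege not enforced on shared admin accounts
AU-2,Implemented,3,Audit events defined in logging standard
AU-6,Not Implemented,1,No routine review of audit logs
CM-6,Partially Implemented,2,Baseline exists but drift is not monitored
IR-4,Implemented,3,IR plan exercised annually
IR-8,Planned,2,IR plan lacks external notification steps
SC-7,Implemented,3,Boundary protection in place
"""

# Weight each implementation status contributes to a family's score.
STATUS_WEIGHT = {
    "Implemented": 1.0,
    "Partially Implemented": 0.5,
    "Planned": 0.0,
    "Not Implemented": 0.0,
}


def parse_assessment(text):
    """Parse CSV text into a list of dicts, validating control ID and status."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        family, _, number = row["control"].partition("-")
        if not (family.isalpha() and number.isdigit()):
            raise ValueError(f"unexpected control id: {row['control']}")
        if row["status"] not in STATUS_WEIGHT:
            raise ValueError(f"unknown status for {row['control']}: {row['status']}")
        rows.append({
            "control": row["control"],
            "family": family,
            "status": row["status"],
            "priority": int(row["priority"]),
            "notes": row["notes"],
        })
    return rows


def family_dashboard(rows):
    """Per-family implementation score (0-100) for the executive overview."""
    weights = defaultdict(list)
    for r in rows:
        weights[r["family"]].append(STATUS_WEIGHT[r["status"]])
    return {fam: round(100 * sum(w) / len(w)) for fam, w in sorted(weights.items())}


def remediation_plan(rows):
    """Controls that are not fully implemented, most urgent first."""
    gaps = [r for r in rows if r["status"] != "Implemented"]
    return sorted(gaps, key=lambda r: (r["priority"], r["control"]))


if __name__ == "__main__":
    assessed = parse_assessment(SAMPLE_CSV)
    for fam, score in family_dashboard(assessed).items():
        print(f"{fam}: {score}%")
    for r in remediation_plan(assessed):
        print(f"P{r['priority']} {r['control']} ({r['status']}): {r['notes']}")
```

The status weights and the family-average score are a design choice for the example; an organization tracking implementation in its own spreadsheet would set those to match how it wants to present progress, but the shape of the data (one row per control, a status, a remediation priority, and notes) follows the deliverable described above.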

Significant benefits of a NuHarbor NIST 800-53 security assessment project include:

  • Increased understanding of how to use NIST 800-53 and select appropriate controls
  • Executive and organizational awareness of the overall security posture
  • Better understanding of the effectiveness of existing security controls
  • Ability to correlate security controls and risks
  • General recommendations for major control gaps
  • Prioritization of remediation efforts to use as a starting point
  • Ability to communicate current control implementation to partners and customers

For more information, please visit our NIST 800-53 Compliance page.

For information on upcoming changes that may affect NIST 800-53 Security Assessments, check out our blog post: https://nuharborsecurity.com/nist-800-53-rev-5-draft/.

If you have additional questions or want to get started with a NIST 800-53 controls assessment, contact us today!
