A variety of compliance programs use NIST 800-53 as the baseline standard for security and privacy controls. An audit against this standard considers your risk management practices, including asset characterization and impact levels using FIPS 199 and FIPS 200; your risk assessment using NIST 800-53; and the controls you selected using NIST 800-53. The resulting audit report details your risk management program and the testing results for the operating effectiveness of controls.

Most government agencies have designed a compliance program to suit their needs (i.e., DFARS, MARS-E, CMMC). These programs utilize NIST Special Publication 800-53 as the baseline for security and privacy controls. Each agency publishes their own requirements for audit timeline and approach.

Pricing for a NIST 800-53 audit depends on scoping factors, including people, processes, technology, physical locations, third parties, and audit frequency. Pricing will also vary based on whether or not you’ve already completed a risk assessment and documented your System Security Plan (SSP).

The average NIST 800-53 audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. During the engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from your organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

The audit culminates in a report, written by our in-house Professional Writing team. The report will provide stakeholders with independent third-party verification regarding your organization’s risk management practices and the testing results of your security and privacy controls.

Most agencies will require annual evidence that your controls are in place and operating effectively. A report that is over 12 months old might result in a request for more recent results. Maintaining an audit process that covers each fiscal year will demonstrate a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.

Team members involved in a FISMA audit could come from anywhere in your organization, ranging from human resources to IT to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The levels are Low, Moderate, and HIGH. This informs the selection of appropriate controls using NIST 800-53.