Which standard outlines security controls and assessments for U.S. federal information systems?


The correct answer is NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. It provides a comprehensive catalog of security and privacy controls that federal agencies select, tailor, and implement to protect organizational operations, assets, and individuals. Controls are chosen for each system according to its security categorization and the risk it faces, so that the system meets federal compliance requirements and fits into the agency's risk management process. The companion publication, NIST SP 800-53A, supplies the assessment procedures used to verify that the selected controls are implemented correctly and operating as intended.

NIST SP 800-53 is part of the broader NIST Special Publication series that helps federal agencies fulfill their responsibilities under the Federal Information Security Modernization Act (FISMA). It serves as the control catalog used within the Risk Management Framework (RMF): after a system is categorized, a baseline of 800-53 controls is selected and tailored, implemented, and then assessed, so that agencies can maintain an adequate security posture across their information systems.

The other choices, while important in their own domains, do not provide this overarching catalog of security controls for federal systems. NIST SP 800-30 is the Guide for Conducting Risk Assessments and focuses on identifying and analyzing risk, not on specifying controls. NIST SP 800-37 defines the Risk Management Framework itself, the process within which 800-53 controls are selected and assessed. NIST SP 800-171 specifies security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations, such as contractors, and does not cover federal information systems the way NIST SP 800-53 does.
