NIST SP 800-53
Compensating controls
(_____) are alternative security controls employed by organizations in lieu of specific controls in the low, moderate, or high baselines described in Appendix D—controls that provide equivalent or comparable protection for organizational information systems and the information processed, stored, or transmitted by those systems.
Trust
(_______) is the belief that an entity will behave in a predictable manner while performing specific functions, in specific environments, and under specified conditions or circumstances. The entity may be a person, process, information system, system component, system-of-systems, or any combination thereof.
Tier 2, Mission/Business Process
(i) defining the mission/business processes needed to support the organizational missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls to organizational information systems and the environments in which those systems operate.
Baseline tailoring actions include:
(i) identifying and designating common controls; (ii) applying scoping considerations; (iii) selecting compensating controls; (iv) assigning specific values to security control parameters; (v) supplementing initial baselines with additional security controls or control enhancements; and (vi) providing additional information for control implementation.
There are three distinct types of designations related to the security controls in Appendix F that define:
(i) the scope of applicability for the control; (ii) the shared nature of the control; and (iii) the responsibility for control development, implementation, assessment, and authorization. These designations include common controls, system-specific controls, and hybrid controls.
The priority and security control baseline allocation section provides
(i) the recommended priority codes used for sequencing decisions during security control implementation; and (ii) the initial allocation of security controls and control enhancements to the baselines.
Security Control Identifier "AC"
Access Control
Security Control Identifier "AU"
Audit and Accountability
Security Control Identifier "AT"
Awareness and Training
Security Control Identifier "CM"
Configuration Management
Security Control Identifier "CP"
Contingency Planning
Tailoring Guidance
Described in Section 3.2 of NIST SP 800-53, (______) helps organizations customize the security control baselines they have selected, using the results from organizational assessments of risk. Tailoring actions include: (i) identifying and designating common controls; (ii) applying scoping considerations; (iii) selecting compensating controls; (iv) assigning specific values to security control parameters; (v) supplementing initial baselines with additional security controls or control enhancements; and (vi) providing additional information for control implementation.
Security Control Identifier "IA"
Identification and Authentication
Security Control Identifier "IR"
Incident Response
Security Control Identifier "MA"
Maintenance
Security Control Identifier "MP"
Media Protection
NIST SP 800-53 Appendix F
Of the eighteen security control families in NIST Special Publication 800-53, where are the seventeen families that are closely aligned with the seventeen minimum security requirements for federal information and information systems in FIPS Publication 200 described (i.e., where is the security control catalog)?
NIST SP 800-39
Organizations can effectively use the risk management concepts defined in (________) when developing overlays.
Security Authorization Step
Organizations can require external providers to implement all steps in the RMF except the (_______), which remains an inherent federal responsibility directly linked to managing the information security risk related to the use of external information system services.
supplemental controls
Organizations may be subject to conditions that, from an operational, environmental, or threat perspective, warrant the selection and implementation of (________) (________) to achieve adequate protection of organizational missions/business functions and the information systems supporting those missions/functions. Examples of conditions that might require additional controls include advanced persistent threats, cross-domain services, mobility, and classified information.
Security Control Identifier "PS"
Personnel Security
Security Control Identifier "PE"
Physical and Environmental Protection
Security Control Identifier "PL"
Planning
Security Control Identifier "PM"
Program Management
RMF Step 1: Categorize
RMF step in which information systems are classified based on a FIPS Publication 199 impact assessment
RMF Step 2: Select
RMF step in which security control baselines are selected based on the results of the security categorization, and tailoring guidance (including the potential use of overlays) is applied
RMF Step 5: Authorize
RMF step in which system operation is authorized based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system, and the decision that this risk is acceptable
RMF Step 3: Implement
RMF step that directs the documentation of the design, development, and implementation details for the controls.
RMF Step 4: Assess
RMF step that is used to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
RMF Step 6: Monitor
RMF step in which the security controls in the information system and its environment of operation are checked on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, Executive Orders, directives, policies, regulations, and standards.
Security Control Identifier "RA"
Risk Assessment
Security Control Identifier "CA"
Security Assessment and Authorization
System-specific Controls
Security controls not designated as common controls; they are the primary responsibility of the information system owner and their respective authorizing officials.
Common Controls
Security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
high water mark concept
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the (_______) (________) (________) (introduced in FIPS Publication 199) is used in FIPS Publication 200 to determine the impact level of the information system for the express purpose of selecting the applicable security control baseline from one of the three baselines identified in Appendix D.
Security Control Identifier "SC"
System and Communications Protection
Security Control Identifier "SI"
System and Information Integrity
Security Control Identifier "SA"
System and Services Acquisition
NIST SP 800-53 Appendix G
The eighteenth security control family, Program Management [PM], provides controls for information security programs required by FISMA. This family, while not specifically referenced in FIPS Publication 200, provides security controls at the organization level rather than the information system level, and can be found in (________).
Common Controls, System-specific Controls, and Hybrid Controls.
There are three distinct types of designations related to the security controls in Appendix F that define: (i) the scope of applicability for the control; (ii) the shared nature of the control; and (iii) the responsibility for control development, implementation, assessment, and authorization.
Privacy Controls
These controls, listed in Appendix J, have an organization and structure similar to security controls, including the use of two-character identifiers for the eight privacy families.
Baseline Controls
These are the starting point for the security control selection process described in NIST SP 800-53 and are chosen based on the security category and associated impact level of information systems, determined in accordance with FIPS Publication 199 and FIPS Publication 200, respectively.
Tier 3, Information Systems
This publication focuses on Step 2 of the RMF, the security control selection process, in the context of the three tiers in the organizational risk management hierarchy.
security functionality and security assurance
Two fundamental components affecting the trustworthiness of information systems are (_____) and (_______).
Appendix E
Which NIST SP 800-53 appendix describes the minimum assurance requirements for federal information systems and organizations and highlights the assurance-related controls in the security control baselines in Appendix D needed to ensure that the requirements are satisfied?
Appendix D
Which NIST SP 800-53 appendix provides a listing of the security control baselines? In this appendix, three security control baselines have been identified, corresponding to low-impact, moderate-impact, and high-impact information systems, using the high water mark defined in FIPS Publication 200 and used in Section 3.1 of this document to provide an initial set of security controls for each impact level.
800-53 Appendix F provides
a comprehensive catalog of security controls for information systems and organizations, arranged by control families.
three-tiered approach to risk management
addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level.
gap analysis approach
begins with an organizational assessment of its current defensive capability or level of cyber preparedness. From that initial capability assessment, organizations determine the types of threats they can reasonably expect to counter.
OMB Circular A-130
defines adequate security as security commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
reconfirm, review, implement
Gap analysis can be applied in the following manner: (________), (________), (________).
The implementation of security controls by sequence priority code does not
imply the achievement of any defined level of risk mitigation until all of the security controls in the security plan have been implemented. The priority codes are intended only for implementation sequencing, not for making security control selection decisions.
security controls
important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation
Hybrid Controls
one part of the control is common and another part of the control is system-specific
requirements definition approach
organizations obtain specific and credible threat information (or make reasonable assumptions) about the activities of adversaries with certain capabilities or attack potential (e.g., skill levels, expertise, available resources).
Tier 1 Organization Level
provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions—promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance.
NIST Special Publication 800-53A
provides guidance on assessing the effectiveness of security controls
NIST Special Publication 800-39
provides guidance on managing information security risk at three distinct tiers—the organization level, mission/business process level, and information system level.
CNSS Instruction 1253
provides security categorization guidance for national security systems
security controls
safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.
Common controls are
security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
Alternative Strategies
strategies that consider the mission and business risks resulting from an aggressive use of information technology. Restrictions on the types of technologies used and how organizational information systems are employed provide an alternative method to reduce or mitigate risk that may be used in conjunction with, or instead of, supplemental security controls. Restrictions on the use of information systems and specific information technologies may be, in some situations, the only practical or reasonable actions organizations can take in order to have the capability to carry out assigned missions/business functions in the face of determined adversaries.
Assignment and selection statements provide
the capability to tailor security controls and control enhancements based on: (i) security requirements to support organizational missions/business functions and operational needs; (ii) risk assessments and organizational risk tolerance; and (iii) security requirements originating in federal laws, Executive Orders, directives, policies, regulations, standards, or guidelines
Baseline controls are the starting point for the security control selection process and are chosen based on
the security category and associated impact level of information systems determined in accordance with FIPS Publication 199 and FIPS Publication 200, respectively.
Security controls are deemed inheritable by information systems or information system components when
the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components—entities internal or external to the organizations where the systems or components reside. Many of the controls needed to protect organizational information systems (e.g., security awareness training, incident response plans, physical access to facilities, rules of behavior) are excellent candidates for common control status. In addition, there can also be a variety of technology-based common controls (e.g., Public Key Infrastructure [PKI], authorized secure standard configurations for clients/servers, access control systems, boundary protection, cross-domain solutions).
