Joint task force transformation initiative

Yüklə 5,64 Mb.

səhifə	2/186
tarix	08.01.2019
ölçüsü	5,64 Mb.
	#93199

1 2 3 4 5 6 7 8 9 ... 186

P rolog ue
The Joint Task Force

Table of Contents

introduction 21

1.1 purpose and applicability 22

1.2 target audience 23

1.3 relationship to other security control publications 23

1.4 organizational responsibilities 24

1.5 organization of this special publication 26

the fundamentals 27

2.1 multitiered risk management 27

2.2 security control structure 31

2.4 security control designations 36

2.5 external service providers 40

2.6 assurance and trustworthiness 43

2.7 revisions and extensions 52

the process 54

3.1 selecting security control baselines 54

3.2 tailoring baseline security controls 57

3.3 creating overlays 67

3.4 documenting the control selection process 68

3.5 new development and legacy systems 72

references 75

glossary 86

acronyms 112

security control baselines – summary 114

assurance and trustworthiness 158

security control catalog 166

information security programs 414

international information security standards 424

overlay template 457

privacy control catalog 461

Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations… “

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…"

-- The National Strategy for Cyberspace Operations

Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:

Assumptions relating to security control baseline development;
Expanded, updated, and streamlined tailoring guidance;
Additional assignment and selection statement options for security and privacy controls;
Descriptive names for security and privacy control enhancements;
Consolidated tables for security controls and control enhancements by family with baseline allocations;
Tables for security controls that support development, evaluation, and operational assurance; and
Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force

Errata

The following changes have been incorporated into Special Publication 800-53, Revision 4.

DATE	TYPE	CHANGE	PAGE
05-07-2013	Editorial	Changed CA-9 Priority Code from P1 to P2 in Table D-2.	D-3
05-07-2013	Editorial	Changed CM-10 Priority Code from P1 to P2 in Table D-2.	D-4
05-07-2013	Editorial	Changed MA-6 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed MP-3 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-5 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-16 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-17 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-18 Priority Code from P2 to P3 in Table D-2.	D-5
05-07-2013	Editorial	Changed PL-4 Priority Code from P1 to P2 in Table D-2.	D-6
05-07-2013	Editorial	Changed PS-4 Priority Code from P2 to P1 in Table D-2.	D-6
05-07-2013	Editorial	Changed SA-11 Priority Code from P2 to P1 in Table D-2.	D-6
05-07-2013	Editorial	Changed SC-18 Priority Code from P1 to P2 in Table D-2.	D-7
05-07-2013	Editorial	Changed SI-8 Priority Code from P1 to P2 in Table D-2.	D-8
05-07-2013	Editorial	Deleted reference to SA-5 (6) in Table D-17.	D-32
05-07-2013	Editorial	Deleted CM-4 (3) from Table E-2.	E-4
05-07-2013	Editorial	Deleted CM-4 (3) from Table E-3.	E-5
05-07-2013	Editorial	Deleted reference to SA-5 (6).	F-161
05-07-2013	Editorial	Changed SI-16 Priority Code from P0 to P1.	F-233
01-15-2014	Editorial	Deleted “(both intentional and unintentional)” in line 5 in Abstract.	iii
01-15-2014	Editorial	Deleted “security and privacy” in line 5 in Abstract.	iii
01-15-2014	Editorial	Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2.	9
01-15-2014	Editorial	Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.”	11
01-15-2014	Editorial	Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2^nd paragraph, line 6.	13
01-15-2014	Editorial	Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4.	28
01-15-2014	Editorial	Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5.	28
01-15-2014	Editorial	Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3.	29
01-15-2014	Editorial	Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4.	29
01-15-2014	Editorial	Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6.	29
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1.	30
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5.	31
01-15-2014	Editorial	Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1.	33
01-15-2014	Editorial	Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2.	33
01-15-2014	Editorial	Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3.	33
01-15-2014	Editorial	Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5.	33
01-15-2014	Editorial	Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6.	33
01-15-2014	Editorial	Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8.	33
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10.	36
01-15-2014	Editorial	Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1.	40
01-15-2014	Editorial	Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda.	A-1
01-15-2014	Editorial	Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References.	A-7
01-15-2014	Editorial	Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1.	A-7
01-15-2014	Editorial	Changed date for NIST Special Publication 800-52, Revision 1 to September 2013.	A-7
01-15-2014	Editorial	Moved definition for Information Security Risk after Information Security Program Plan in Glossary.	B-11
01-15-2014	Editorial	Added AC-2 (11) to high baseline in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-10 Priority Code from P2 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-14 Priority Code from P1 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-22 Priority Code from P2 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AU-10 Priority Code from P1 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-6 Priority Code from P3 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-7 Priority Code from P3 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-8 Priority Code from P1 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed IA-6 Priority Code from P1 to P2 in Table D-2.	D-4
01-15-2014	Editorial	Changed IR-7 Priority Code from P3 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-3 Priority Code from P2 to P3 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-4 Priority Code from P1 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-5 Priority Code from P1 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Deleted Program Management Controls from Table D-2.	D-8/9
01-15-2014	Editorial	Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.”	D-9
01-15-2014	Editorial	Added AC-2 (12) and AC-2 (13) to high baseline in Table D-3.	D-10
01-15-2014	Editorial	Changed AC-17 (5) incorporated into reference from AC-17 to SI-4 in Table D-3.	D-12
01-15-2014	Editorial	Changed AC-17 (7) incorporated into reference from AC-3 to AC-3 (10) in Table D-3.	D-12
01-15-2014	Editorial	Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice in Table D-5.	D-15
01-15-2014	Editorial	Changed “Training” to “Scanning” in SA-19 (4) title in Table D-17.	D-34
01-15-2014	Editorial	Deleted SC-9 (1), SC-9 (2), SC-9 (3), and SC-9 (4) from Table D-18.	D-37
01-15-2014	Editorial	Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18.	D-37
01-15-2014	Editorial	Deleted CA-3 (5) from Table E-2.	E-4
01-15-2014	Editorial	Added CM-3 (2) to Table E-2.	E-4
01-15-2014	Editorial	Added RA-5 (2) and RA-5 (5) to Table E-2.	E-4
01-15-2014	Editorial	Deleted CA-3 (5) from Table E-3.	E-5
01-15-2014	Editorial	Added CM-3 (2) to Table E-3.	E-5
01-15-2014	Editorial	Deleted bold text from RA-5 (2) and RA-5 (5) in Table E-3.	E-5
01-15-2014	Editorial	Added CM-8 (9) to Table E-4.	E-7
01-15-2014	Editorial	Added CP-4 (4) to Table E-4.	E-7
01-15-2014	Editorial	Added IR-3 (1) to Table E-4.	E-7
01-15-2014	Editorial	Added RA-5 (3) to Table E-4.	E-7
01-15-2014	Editorial	Deleted SA-4 (4) from Table E-4.	E-7
01-15-2014	Editorial	Changed SA-21 (1) from “enhancements” to “enhancement” in Table E-4.	E-7
01-15-2014	Editorial	Deleted SI-4 (8) from Table E-4.	E-7
01-15-2014	Editorial	Changed “risk management process” to “RMF” in Using the Catalog, line 4.	F-6
01-15-2014	Editorial	Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5.	F-6
01-15-2014	Editorial	Deleted extraneous “,” from AC-2 g.	F-7
01-15-2014	Editorial	Added AC-2 (11) to high baseline.	F-10
01-15-2014	Substantive	Added the following text to AC-3 (2) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-11
01-15-2014	Editorial	Changed “ucdmo.gov” to “None” in AC-4 References.	F-18
01-15-2014	Editorial	Added “.” after “C.F.R” in AT-2 References.	F-38
01-15-2014	Editorial	Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice.	F-42
01-15-2014	Editorial	Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References.	F-42
01-15-2014	Editorial	Changed “identify” to “identity” in AU-6 (6) Supplemental Guidance.	F-46
01-15-2014	Substantive	Added the following text to AU-9 (5) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-49
01-15-2014	Editorial	Added “Control Enhancements: None.” to AU-15.	F-53
01-15-2014	Editorial	Deleted extraneous “.” from CM-2 (7) Supplemental Guidance.	F-66
01-15-2014	Editorial	Added “)” after “board” in CM-3 g.	F-66
01-15-2014	Substantive	Added CA-7 to related controls list in CM-3.	F-66
01-15-2014	Substantive	Added the following text to CM-5 (4) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-69
01-15-2014	Editorial	Added “http://” to URLs in CM-6 References.	F-71
01-15-2014	Editorial	Added “component” before “inventories” in CM-8 (5).	F-74
01-15-2014	Editorial	Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References.	F-86
01-15-2014	Substantive	Added the following text to CP-9 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-87
01-15-2014	Editorial	Changed “HSPD 12” to “HSPD-12” and added “http://” to URL in IA-2 References.	F-93
01-15-2014	Editorial	Changed “encrypted representations of” to “cryptographically-protected” in IA-5 (1) (c).	F-96
01-15-2014	Editorial	Changed “Encrypted representations of” to “Cryptographically-protected” in IA-5 (1) Supplemental Guidance.	F-97
01-15-2014	Substantive	Added the following text to IA-5 (1) Supplemental Guidance: “To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.”	F-97
01-15-2014	Editorial	Added “http://” to URL in IA-5 References.	F-99
01-15-2014	Editorial	Added “http://” to URL in IA-7 References.	F-99
01-15-2014	Editorial	Added “http://” to URL in IA-8 References.	F-101
01-15-2014	Editorial	Changed “:” to “;” after “800-61” and added “http://” to URL in IR-6 References.	F-108
01-15-2014	Substantive	Added the following text to MP-6 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-124
01-15-2014	Editorial	Added “http://” to URL in MP-6 References.	F-124
01-15-2014	Editorial	Changed “DoDI” to “DoD Instruction” and added “http://” to URLs in PE-3 References.	F-130
01-15-2014	Editorial	Deleted “and supplementation” after “tailoring” in PL-2 a. 8.	F-140
01-15-2014	Editorial	Added “Special” before “Publication” in PL-4 References.	F-141
01-15-2014	Editorial	Added “Control Enhancements: None.” to PL-7.	F-142
01-15-2014	Editorial	Deleted AT-5 and AC-19 (6) (8) (9) from PL-9 Supplemental Guidance.	F-144
01-15-2014	Editorial	Added “Control Enhancements: None.” to PL-9.	F-144
01-15-2014	Editorial	Added “Special” before “Publication” in PL-9 References.	F-144
01-15-2014	Editorial	Changed “731.106(a)” to “731.106” in PS-2 References.	F-145
01-15-2014	Editorial	Changed “Publication” to “Publications” and added “http://” to URL in RA-3 References.	F-153
01-15-2014	Editorial	Added “http://” to URLs in RA-5 References.	F-155
01-15-2014	Editorial	Added “http://” to URLs in SA-4 References.	F-160
01-15-2014	Substantive	Added the following text to SA-11 (8) Supplemental Guidance: “To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).”	F-169
01-15-2014	Editorial	Added “http://” to URLs in SA-11 References.	F-169
01-15-2014	Editorial	Added “Control Enhancements: None.” to SA-16.	F-177
01-15-2014	Editorial	Changed “Training” to “Scanning” in SA-19 (4) title.	F-181
01-15-2014	Editorial	Changed “physical” to “protected” in SC-8 Supplemental Guidance.	F-193
01-15-2014	Editorial	Changed “140-2” to “140” and added “http://” to URLs in SC-13 References.	F-196
01-15-2014	Editorial	Added “authentication” after “data origin” in SC-20, Part a.	F-199
01-15-2014	Editorial	Added “verification” after “integrity” in SC-20, Part a.	F-199
01-15-2014	Editorial	Added “Control Enhancements: None.” to SC-35.	F-209
01-15-2014	Editorial	Deleted extraneous “References: None” from SI-7.	F-228
01-15-2014	Substantive	Added the following text as new third paragraph in Appendix G:: “Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control.”	G-1/2
01-15-2014	Editorial	Added Table G-1 to Appendix G.	G-2
01-15-2014	Editorial	Added “http://” to URL in PM-5 References.	G-5
01-15-2014	Editorial	Deleted “Web: www.fsam.gov” from PM-7 References.	G-5
01-15-2014	Editorial	Added “http://” to URL in Footnote 124.	J-22

chapter one

Yüklə 5,64 Mb.

Dostları ilə paylaş:

1 2 3 4 5 6 7 8 9 ... 186