Joint task force transformation initiative




Table of Contents

Introduction
  1.1 Purpose and Applicability
  1.2 Target Audience
  1.3 Relationship to Other Security Control Publications
  1.4 Organizational Responsibilities
  1.5 Organization of This Special Publication

The Fundamentals
  2.1 Multitiered Risk Management
  2.2 Security Control Structure
  2.4 Security Control Designations
  2.5 External Service Providers
  2.6 Assurance and Trustworthiness
  2.7 Revisions and Extensions

The Process
  3.1 Selecting Security Control Baselines
  3.2 Tailoring Baseline Security Controls
  3.3 Creating Overlays
  3.4 Documenting the Control Selection Process
  3.5 New Development and Legacy Systems

References
Glossary
Acronyms
Security Control Baselines – Summary
Assurance and Trustworthiness
Security Control Catalog
Information Security Programs
International Information Security Standards
Overlay Template
Privacy Control Catalog




Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations… “

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”



-- The National Strategy for Cyberspace Operations

Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:


  • Assumptions relating to security control baseline development;

  • Expanded, updated, and streamlined tailoring guidance;

  • Additional assignment and selection statement options for security and privacy controls;

  • Descriptive names for security and privacy control enhancements;

  • Consolidated tables for security controls and control enhancements by family with baseline allocations;

  • Tables for security controls that support development, evaluation, and operational assurance; and

  • Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force

Errata



The following changes have been incorporated into Special Publication 800-53, Revision 4.

DATE | TYPE | CHANGE | PAGE
05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3
05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4
05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6
05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7
05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8
05-07-2013 | Editorial | Deleted reference to SA-5 (6) in Table D-17. | D-32
05-07-2013 | Editorial | Deleted CM-4 (3) from Table E-2. | E-4
05-07-2013 | Editorial | Deleted CM-4 (3) from Table E-3. | E-5
05-07-2013 | Editorial | Deleted reference to SA-5 (6). | F-161
05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233
01-15-2014 | Editorial | Deleted “(both intentional and unintentional)” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Deleted “security and privacy” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2. | 9
01-15-2014 | Editorial | Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.” | 11
01-15-2014 | Editorial | Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2nd paragraph, line 6. | 13
01-15-2014 | Editorial | Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4. | 28
01-15-2014 | Editorial | Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5. | 28
01-15-2014 | Editorial | Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3. | 29
01-15-2014 | Editorial | Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4. | 29
01-15-2014 | Editorial | Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6. | 29
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1. | 30
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5. | 31
01-15-2014 | Editorial | Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33
01-15-2014 | Editorial | Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33
01-15-2014 | Editorial | Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33
01-15-2014 | Editorial | Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33
01-15-2014 | Editorial | Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33
01-15-2014 | Editorial | Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10. | 36
01-15-2014 | Editorial | Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1. | 40
01-15-2014 | Editorial | Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1
01-15-2014 | Editorial | Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References. | A-7
01-15-2014 | Editorial | Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1. | A-7
01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7
01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11
01-15-2014 | Editorial | Added AC-2 (11) to high baseline in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4
01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9
01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.” | D-9
01-15-2014 | Editorial | Added AC-2 (12) and AC-2 (13) to high baseline in Table D-3. | D-10
01-15-2014 | Editorial | Changed AC-17 (5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-17 (7) incorporated into reference from AC-3 to AC-3 (10) in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice in Table D-5. | D-15
01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19 (4) title in Table D-17. | D-34
01-15-2014 | Editorial | Deleted SC-9 (1), SC-9 (2), SC-9 (3), and SC-9 (4) from Table D-18. | D-37
01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37
01-15-2014 | Editorial | Deleted CA-3 (5) from Table E-2. | E-4
01-15-2014 | Editorial | Added CM-3 (2) to Table E-2. | E-4
01-15-2014 | Editorial | Added RA-5 (2) and RA-5 (5) to Table E-2. | E-4
01-15-2014 | Editorial | Deleted CA-3 (5) from Table E-3. | E-5
01-15-2014 | Editorial | Added CM-3 (2) to Table E-3. | E-5
01-15-2014 | Editorial | Deleted bold text from RA-5 (2) and RA-5 (5) in Table E-3. | E-5
01-15-2014 | Editorial | Added CM-8 (9) to Table E-4. | E-7
01-15-2014 | Editorial | Added CP-4 (4) to Table E-4. | E-7
01-15-2014 | Editorial | Added IR-3 (1) to Table E-4. | E-7
01-15-2014 | Editorial | Added RA-5 (3) to Table E-4. | E-7
01-15-2014 | Editorial | Deleted SA-4 (4) from Table E-4. | E-7
01-15-2014 | Editorial | Changed SA-21 (1) from “enhancements” to “enhancement” in Table E-4. | E-7
01-15-2014 | Editorial | Deleted SI-4 (8) from Table E-4. | E-7
01-15-2014 | Editorial | Changed “risk management process” to “RMF” in Using the Catalog, line 4. | F-6
01-15-2014 | Editorial | Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5. | F-6
01-15-2014 | Editorial | Deleted extraneous “,” from AC-2 g. | F-7
01-15-2014 | Editorial | Added AC-2 (11) to high baseline. | F-10
01-15-2014 | Substantive | Added the following text to AC-3 (2) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-11
01-15-2014 | Editorial | Changed “ucdmo.gov” to “None” in AC-4 References. | F-18
01-15-2014 | Editorial | Added “.” after “C.F.R” in AT-2 References. | F-38
01-15-2014 | Editorial | Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice. | F-42
01-15-2014 | Editorial | Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References. | F-42
01-15-2014 | Editorial | Changed “identify” to “identity” in AU-6 (6) Supplemental Guidance. | F-46
01-15-2014 | Substantive | Added the following text to AU-9 (5) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-49
01-15-2014 | Editorial | Added “Control Enhancements: None.” to AU-15. | F-53
01-15-2014 | Editorial | Deleted extraneous “.” from CM-2 (7) Supplemental Guidance. | F-66
01-15-2014 | Editorial | Added “)” after “board” in CM-3 g. | F-66
01-15-2014 | Substantive | Added CA-7 to related controls list in CM-3. | F-66
01-15-2014 | Substantive | Added the following text to CM-5 (4) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-69
01-15-2014 | Editorial | Added “http://” to URLs in CM-6 References. | F-71
01-15-2014 | Editorial | Added “component” before “inventories” in CM-8 (5). | F-74
01-15-2014 | Editorial | Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References. | F-86
01-15-2014 | Substantive | Added the following text to CP-9 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-87
01-15-2014 | Editorial | Changed “HSPD 12” to “HSPD-12” and added “http://” to URL in IA-2 References. | F-93
01-15-2014 | Editorial | Changed “encrypted representations of” to “cryptographically-protected” in IA-5 (1) (c). | F-96
01-15-2014 | Editorial | Changed “Encrypted representations of” to “Cryptographically-protected” in IA-5 (1) Supplemental Guidance. | F-97
01-15-2014 | Substantive | Added the following text to IA-5 (1) Supplemental Guidance: “To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.” | F-97
01-15-2014 | Editorial | Added “http://” to URL in IA-5 References. | F-99
01-15-2014 | Editorial | Added “http://” to URL in IA-7 References. | F-99
01-15-2014 | Editorial | Added “http://” to URL in IA-8 References. | F-101
01-15-2014 | Editorial | Changed “:” to “;” after “800-61” and added “http://” to URL in IR-6 References. | F-108
01-15-2014 | Substantive | Added the following text to MP-6 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-124
01-15-2014 | Editorial | Added “http://” to URL in MP-6 References. | F-124
01-15-2014 | Editorial | Changed “DoDI” to “DoD Instruction” and added “http://” to URLs in PE-3 References. | F-130
01-15-2014 | Editorial | Deleted “and supplementation” after “tailoring” in PL-2 a. 8. | F-140
01-15-2014 | Editorial | Added “Special” before “Publication” in PL-4 References. | F-141
01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-7. | F-142
01-15-2014 | Editorial | Deleted AT-5 and AC-19 (6) (8) (9) from PL-9 Supplemental Guidance. | F-144
01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-9. | F-144
01-15-2014 | Editorial | Added “Special” before “Publication” in PL-9 References. | F-144
01-15-2014 | Editorial | Changed “731.106(a)” to “731.106” in PS-2 References. | F-145
01-15-2014 | Editorial | Changed “Publication” to “Publications” and added “http://” to URL in RA-3 References. | F-153
01-15-2014 | Editorial | Added “http://” to URLs in RA-5 References. | F-155
01-15-2014 | Editorial | Added “http://” to URLs in SA-4 References. | F-160
01-15-2014 | Substantive | Added the following text to SA-11 (8) Supplemental Guidance: “To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).” | F-169
01-15-2014 | Editorial | Added “http://” to URLs in SA-11 References. | F-169
01-15-2014 | Editorial | Added “Control Enhancements: None.” to SA-16. | F-177
01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19 (4) title. | F-181
01-15-2014 | Editorial | Changed “physical” to “protected” in SC-8 Supplemental Guidance. | F-193
01-15-2014 | Editorial | Changed “140-2” to “140” and added “http://” to URLs in SC-13 References. | F-196
01-15-2014 | Editorial | Added “authentication” after “data origin” in SC-20, Part a. | F-199
01-15-2014 | Editorial | Added “verification” after “integrity” in SC-20, Part a. | F-199
01-15-2014 | Editorial | Added “Control Enhancements: None.” to SC-35. | F-209
01-15-2014 | Editorial | Deleted extraneous “References: None” from SI-7. | F-228
01-15-2014 | Substantive | Added the following text as new third paragraph in Appendix G: “Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control).” | G-1/2
01-15-2014 | Editorial | Added Table G-1 to Appendix G. | G-2
01-15-2014 | Editorial | Added “http://” to URL in PM-5 References. | G-5
01-15-2014 | Editorial | Deleted “Web: www.fsam.gov” from PM-7 References. | G-5
01-15-2014 | Editorial | Added “http://” to URL in Footnote 124. | J-22





chapter one
