The remainder of this special publication is organized as follows:
Chapter Two describes the fundamental concepts associated with security control selection and specification including: (i) multitiered risk management; (ii) the structure of security controls and how the controls are organized into families; (iii) security control baselines as starting points for the tailoring process; (iv) the use of common controls and inheritance of security capabilities; (v) external environments and service providers; (vi) assurance and trustworthiness; and (vii) revisions and extensions to security controls and control baselines.
Chapter Three describes the process of selecting and specifying security controls for organizational information systems including: (i) selecting appropriate security control baselines; (ii) tailoring the baseline controls including developing specialized overlays; (iii) documenting the security control selection process; and (iv) applying the selection process to new and legacy systems.
Supporting appendices provide essential security control selection and specification-related information including: (i) general references;[25] (ii) definitions and terms; (iii) acronyms; (iv) baseline security controls for low-impact, moderate-impact, and high-impact information systems; (v) guidance on assurance and trustworthiness in information systems; (vi) a catalog of security controls;[26] (vii) a catalog of information security program management controls; (viii) mappings to international information security standards; (ix) guidance for developing overlays by organizations or communities of interest; and (x) a catalog of privacy controls.
CHAPTER TWO
THE FUNDAMENTALS
SECURITY CONTROL STRUCTURE, ORGANIZATION, BASELINES, AND ASSURANCE
This chapter presents the fundamental concepts associated with security control selection and specification including: (i) three-tiered risk management; (ii) the structure of security controls and the organization of the controls in the control catalog; (iii) security control baselines; (iv) the identification and use of common security controls; (v) security controls in external environments; (vi) security control assurance; and (vii) future revisions to the security controls, the control catalog, and baseline controls.
2.1 MULTITIERED RISK MANAGEMENT
The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk—that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. To integrate the risk management process throughout the organization and more effectively address mission/business concerns, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level. The risk management process is carried out across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization. Figure 1 illustrates the three-tiered approach to risk management.
[Figure 1 (diagram): the three tiers stacked top to bottom, with strategic risk at the top and tactical risk at the bottom. Tier 1: organization. Tier 2: mission/business processes. Tier 3: information systems. Labels: Inter-Tier and Intra-Tier Communications; Feedback Loop for Continuous Improvement; Traceability and Transparency of Risk-Based Decisions; Organization-Wide Risk Awareness.]
FIGURE 1: THREE-TIERED RISK MANAGEMENT APPROACH
Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions—promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance. Tier 2 includes: (i) defining the mission/business processes needed to support the organizational missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls to organizational information systems and the environments in which those systems operate. The Risk Management Framework (RMF), depicted in Figure 2, is the primary means for addressing risk at Tier 3.[27] This publication focuses on Step 2 of the RMF, the security control selection process, in the context of the three tiers in the organizational risk management hierarchy.
[Figure 2 (diagram): RISK MANAGEMENT FRAMEWORK, shown as a security life cycle that repeats as necessary. Starting Point: Step 1 CATEGORIZE Information Systems (FIPS 199 / SP 800-60); Step 2 SELECT Security Controls (FIPS 200 / SP 800-53); Step 3 IMPLEMENT Security Controls (SP 800-160); Step 4 ASSESS Security Controls (SP 800-53A); Step 5 AUTHORIZE Information Systems (SP 800-37); Step 6 MONITOR Security Controls (SP 800-137). Organizational Inputs: Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability. Architecture Description: Mission/Business Processes; FEA Reference Models; Segment and Solution Architectures; Information System Boundaries.]
Note: CNSS Instruction 1253 provides guidance for RMF Steps 1 and 2 for National Security Systems (NSS).
FIGURE 2: RISK MANAGEMENT FRAMEWORK
The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate. The RMF consists of the following six steps:
Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;[28]
Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays);
Step 3: Implement the security controls and document the design, development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;[29]
Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, Executive Orders, directives, policies, regulations, and standards.
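Steps 1 and 2 above are the part of the RMF this publication concentrates on, and they are mechanical enough to carry through in code. The following Python is an added illustration, not text or code from NIST SP 800-53: it applies the FIPS 199 security categorization (the highest impact over all information types, per security objective), derives the starting baseline with the FIPS 200 high-water mark, and then records each tailoring decision together with its rationale so that the selection process is documented. The control catalog fragment and the sample information types are constructed for the example; the baseline membership shown does not reproduce Appendix D.

```python
"""RMF Steps 1 and 2 carried through in code: categorize a system under
FIPS 199, derive the baseline with the FIPS 200 high-water mark, and keep a
documented record of tailoring decisions.  Added example; not text or code
from NIST SP 800-53.  The catalog fragment is constructed for illustration
and is not a copy of the Appendix D baselines."""
from dataclasses import dataclass

# FIPS 199 impact values, ranked so that max() picks the higher impact.
RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """Provisional impact levels for one information type (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def security_category(info_types):
    """Step 1 (FIPS 199): for each security objective, take the highest
    impact over every information type the system stores, processes or
    transmits.  Returns the security category as a dict keyed by objective."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        obj: max((getattr(t, obj) for t in info_types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def overall_impact(category):
    """FIPS 200 high-water mark: the system impact level is the highest of
    the three objectives, and that level names the starting baseline."""
    return max(category.values(), key=RANK.__getitem__)


# Constructed catalog fragment: control id -> baselines that include it.
# Membership here is illustrative only; Appendix D holds the real sets.
CATALOG = {
    "AC-2": {"LOW", "MODERATE", "HIGH"},
    "AU-2": {"LOW", "MODERATE", "HIGH"},
    "CP-9": {"LOW", "MODERATE", "HIGH"},
    "SC-8": {"MODERATE", "HIGH"},
    "AU-10": {"HIGH"},
}


def select_baseline(impact_level, catalog=CATALOG):
    """Step 2, first half: every control in the baseline for this level."""
    if impact_level not in RANK:
        raise ValueError(f"unknown impact level {impact_level!r}")
    return {cid for cid, levels in catalog.items() if impact_level in levels}


@dataclass(frozen=True)
class TailoringDecision:
    control: str
    action: str      # "remove" (scoping) or "add" (supplementing)
    rationale: str   # must be non-empty: every decision is documented


def tailor(baseline, decisions):
    """Step 2, second half: apply tailoring decisions and return the
    tailored control set plus the record that documents each change."""
    selected = set(baseline)
    record = []
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"tailoring of {d.control} lacks a rationale")
        if d.action == "remove":
            selected.discard(d.control)
        elif d.action == "add":
            selected.add(d.control)
        else:
            raise ValueError(f"unknown tailoring action {d.action!r}")
        record.append((d.control, d.action, d.rationale))
    return selected, record


# Constructed sample system carrying two information types.
SAMPLE_TYPES = (
    InformationType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("public notices", "LOW", "MODERATE", "LOW"),
)

if __name__ == "__main__":
    category = security_category(SAMPLE_TYPES)
    level = overall_impact(category)            # "MODERATE" for the sample
    baseline = select_baseline(level)
    tailored, record = tailor(baseline, [TailoringDecision(
        "SC-8", "remove",
        "constructed rationale: system has no network connectivity")])
    print(category, level, sorted(baseline), sorted(tailored), record, sep="\n")
```

The high-water mark is deliberately applied twice: once across information types within each objective, and once across objectives to name the baseline. Keeping the tailoring record separate from the control set mirrors the documentation requirement in Chapter Three: a control can only leave or join the selected set with a written rationale attached.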