What are security and privacy control baselines?
Security and privacy control baselines are pre-defined sets of security and privacy controls designed to address common protection needs of systems and organizations. They serve as a starting point for organizations to select controls based on the potential impact of losing confidentiality, integrity, or availability of their information systems.
How do I choose the right security control baseline for my system?
The appropriate security control baseline is determined by the system’s impact level as defined in FIPS 200:
– Low-impact system: The loss of confidentiality, integrity, or availability would have a limited adverse effect.
– Moderate-impact system: The loss would have a serious adverse effect.
– High-impact system: The loss would have a severe or catastrophic adverse effect.
Once the impact level is determined, organizations select the corresponding security control baseline (low, moderate, or high) outlined in Chapter 3 of NIST SP 800-53B.
What are some assumptions made when defining security control baselines?
Control baselines are developed based on common operational environments and threat landscapes. Some key assumptions include:
– Organizations have a security and privacy program in place.
– Systems primarily process, store, or transmit persistent data.
– Organizations have dedicated security and privacy personnel.
– Threats are considered to the extent feasible.
Can I modify a control baseline, and if so, how?
Organizations can tailor control baselines to better suit their specific security and privacy needs using a risk-based approach. The tailoring process may involve:
– Identifying and designating common controls.
– Applying scoping considerations.
– Selecting compensating controls.
– Assigning values to organization-defined control parameters.
– Supplementing baselines with additional controls.
– Providing specific control implementation details.
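The following is an added example, not from NIST SP 800-53B or this FAQ, that models the baseline selection by impact level and the six tailoring steps listed above as a small Python record-keeping tool. The baseline membership table, the parameter name, the provider and rationale strings, and the compensating control identifier CMP-PLACEHOLDER-1 are constructed for illustration (the real low, moderate and high baselines are in Chapter 3 of SP 800-53B); only the control identifiers IA-2(1), IA-2(2), IA-2(8), IA-2(9) and SC-8(1) are taken from the page. It enforces two points the FAQ makes: a scoped-out control keeps its rationale, and a compensating control is only admitted with an explicit risk acceptance.

```python
from dataclasses import dataclass, field

# Constructed sample of baseline membership, for illustration only.
SAMPLE_BASELINES = {
    "low":      {"IA-2(1)", "IA-2(8)", "SC-8(1)"},
    "moderate": {"IA-2(1)", "IA-2(2)", "IA-2(8)", "SC-8(1)"},
    "high":     {"IA-2(1)", "IA-2(2)", "IA-2(8)", "IA-2(9)", "SC-8(1)"},
}


def select_baseline(impact_level):
    """Map the system impact level (low/moderate/high) to its baseline."""
    if impact_level not in SAMPLE_BASELINES:
        raise ValueError(f"impact level must be low/moderate/high, got {impact_level!r}")
    return set(SAMPLE_BASELINES[impact_level])


@dataclass
class ControlEntry:
    control_id: str
    origin: str                      # "baseline", "compensating" or "supplemental"
    common: bool = False             # designated as a common (inherited) control
    provider: str = ""               # who provides the common control
    parameters: dict = field(default_factory=dict)
    implementation: str = ""         # detail recorded for the security/privacy plan
    rationale: str = ""              # why it was added or what it compensates for
    risk_accepted_by: str = ""       # mandatory for compensating controls


@dataclass
class TailoredBaseline:
    impact_level: str
    controls: dict = field(default_factory=dict)    # control_id -> ControlEntry
    scoped_out: dict = field(default_factory=dict)  # control_id -> scoping rationale

    @classmethod
    def from_impact_level(cls, impact_level):
        tb = cls(impact_level)
        for cid in sorted(select_baseline(impact_level)):
            tb.controls[cid] = ControlEntry(cid, "baseline")
        return tb

    def _entry(self, cid):
        if cid not in self.controls:
            raise KeyError(f"{cid} is not in the tailored control set")
        return self.controls[cid]

    # 1. Identify and designate common controls.
    def designate_common(self, cid, provider):
        e = self._entry(cid)
        e.common, e.provider = True, provider

    # 2. Apply scoping considerations: the control leaves the set, the rationale stays.
    def scope_out(self, cid, rationale):
        self._entry(cid)
        del self.controls[cid]
        self.scoped_out[cid] = rationale

    # 3. Select a compensating control; its risk must be assessed and accepted.
    def add_compensating(self, cid, for_control, risk_accepted_by):
        if for_control not in self.scoped_out:
            raise ValueError(f"{for_control} was not tailored out; nothing to compensate for")
        if not risk_accepted_by:
            raise ValueError("compensating controls require an explicit risk acceptance")
        self.controls[cid] = ControlEntry(cid, "compensating",
                                          rationale=f"compensates for {for_control}",
                                          risk_accepted_by=risk_accepted_by)

    # 4. Assign values to organization-defined control parameters.
    def set_parameter(self, cid, name, value):
        self._entry(cid).parameters[name] = value

    # 5. Supplement the baseline with additional controls.
    def supplement(self, cid, rationale):
        if cid in self.controls:
            raise ValueError(f"{cid} is already in the set")
        self.controls[cid] = ControlEntry(cid, "supplemental", rationale=rationale)

    # 6. Provide implementation details for the plan.
    def document_implementation(self, cid, text):
        self._entry(cid).implementation = text

    def validate(self):
        """Plan-readiness findings: every control needs implementation detail and
        every compensating control needs a recorded risk acceptance."""
        findings = []
        for cid, e in sorted(self.controls.items()):
            if not e.implementation:
                findings.append(f"{cid}: no implementation detail documented")
            if e.origin == "compensating" and not e.risk_accepted_by:
                findings.append(f"{cid}: compensating control without risk acceptance")
        return findings


def demo():
    """Walk a constructed moderate-impact system through all six tailoring steps."""
    tb = TailoredBaseline.from_impact_level("moderate")
    tb.designate_common("SC-8(1)", provider="enterprise TLS gateway (constructed)")
    tb.scope_out("IA-2(8)", "no privileged accounts on this system (constructed rationale)")
    tb.add_compensating("CMP-PLACEHOLDER-1", for_control="IA-2(8)",   # placeholder id
                        risk_accepted_by="authorizing official (constructed)")
    tb.set_parameter("IA-2(2)", "mfa_factor_types (constructed name)", ["hardware token", "password"])
    tb.supplement("IA-2(9)", "non-privileged remote access is in scope (constructed rationale)")
    for cid in list(tb.controls):
        if cid != "IA-2(9)":                 # left undocumented so validate() reports it
            tb.document_implementation(cid, f"see plan section for {cid} (constructed)")
    return tb


if __name__ == "__main__":
    tailored = demo()
    print(sorted(tailored.controls), tailored.scoped_out, tailored.validate())
```

Running the script prints the tailored control set, the scoped-out control with its rationale, and one finding for IA-2(9), which was supplemented but never given implementation detail. Attempting `add_compensating(...)` with an empty `risk_accepted_by` raises, which mirrors the FAQ's point that compensating controls must come with an assessed and accepted risk.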
What are control overlays and how are they used?
Control overlays are specifications of security and privacy controls that complement and further refine security control baselines. They provide tailored sets of controls for specific communities of interest, technologies, or unique operational environments.
How do capabilities relate to control selection?
Capabilities represent a desired security outcome achieved through a set of controls. Organizations can define capabilities as a precursor to control selection, ensuring they implement multiple, mutually reinforcing controls to achieve a specific security goal. For instance, secure remote authentication can be achieved by a combination of controls like IA-2(1), IA-2(2), IA-2(8), IA-2(9), and SC-8(1).
What is the purpose of an organization defining and documenting control implementation details?
Providing detailed information about control implementation ensures clarity and consistency. Organizations should supplement the control baseline with information regarding implementation choices, specific parameters, and procedures. This information is typically documented in system security and privacy plans, ensuring everyone understands how controls are operationalized.
Where can I find more information about NIST SP 800-53B and related publications?
The document “NIST.SP.800-53B.pdf” provides a comprehensive overview of security and privacy control baselines, tailoring guidance, and other related concepts. You can access this publication free of charge from: https://doi.org/10.6028/NIST.SP.800-53B
What should organizations do if existing control information doesn’t offer enough information for implementation?
Organizations should provide additional details for implementation purposes and to ensure that the security and privacy requirements related to that control are satisfied. The additional information may involve refining implementation details or refining the scope. Organizations should not change the intent of the base control or modify the original language.
How are compensating controls used?
When organizations tailor controls out of baselines, they may select compensating controls. Organizations should assess and accept the security and privacy risks associated with implementing compensating controls.
What is the high water mark concept, and how is it employed in NIST SP 800-53B?
The high water mark concept means that because there are many dependencies among confidentiality, integrity, and availability, any compromise in one of those security objectives will likely impact the others. Security controls in NIST SP 800-53B are grouped into baselines instead of being categorized by security objectives. These baselines provide a general protection capability for classes of systems based on impact level.
What happens to withdrawn controls and control enhancements?
Controls and control enhancements that have been withdrawn from the control catalog are marked with a “W.” An explanation for the control or control enhancement disposition is in light gray text.