Doc:NIST SP 800-37r1 Chapter 2

From FISMApedia
Jump to: navigation, search




This chapter describes the basic concepts associated with managing information system-related security risks. These concepts include: (i) incorporating risk management principles and best practices into organization-wide strategic planning considerations, core missions and business processes, and supporting organizational information systems; (ii) integrating information security requirements into system development life cycle processes; (iii) establishing practical and meaningful boundaries for organizational information systems; and (iv) allocating security controls to organizational information systems as system-specific, hybrid, or common controls.


Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the organization's core missions and business processes. Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization. Figure 2-1 illustrates a three-tiered approach to risk management that addresses risk-related concerns at: (i) the organization level; (ii) the mission and business process level; and (iii) the information system level.[1]

File:80037r1 Figure2-1.png

Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes: (i) the techniques and methodologies the organization plans to employ to assess information system-related security risks and other types of risk of concern to the organization;[2] (ii) the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment; (iii) the types and extent of risk mitigation measures the organization plans to employ to address identified risks; (iv) the level of risk the organization plans to accept (i.e., risk tolerance); (v) how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and (vi) the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out. As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities, including for example: (i) authorizing officials; (ii) chief information officers; (iii) senior information security officers; (iv) enterprise/information security architects; (v) information system owners/program managers; (vi) information owners/stewards; (vii) information system security officers; (viii) information system security engineers; (ix) information system developers and integrators; (x) system administrators; (xi) contracting officers; and (xii) users.

Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture[3] and include: (i) defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations); (ii) prioritizing missions and business processes with respect to the goals and objectives of the organization; (iii) defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization; (iv) developing an organization-wide information protection strategy and incorporating high-level information security requirements[4] into the core missions and business processes; and (v) specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.

Because subordinate organizations responsible for carrying out derivative or related missions and business processes may have already invested in their own methods of assessing, evaluating, mitigating, accepting and monitoring risk, parent organizations may allow a greater degree of autonomy within parts of the organization or across the entire organization in order to minimize costs. When a diversity of risk assessment methods is allowed, organizations may choose to employ when feasible, some means of translation and/or synthesis of the risk-related information to ensure that the output of the different risk assessment activities can be correlated in a meaningful manner.

Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53.[5] The security controls are subsequently allocated to the various components of the information system as system-specific, hybrid, or common controls in accordance with the information security architecture developed by the organization.[6] Security controls are typically traceable to the security requirements established by the organization to ensure that the requirements are fully addressed during design, development, and implementation of the information system. Security controls can be provided by the organization or by an external provider. Relationships with external providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements.[7]

Risk management tasks begin early in the system development life cycle and are important in shaping the security capabilities of the information system. If these tasks are not adequately performed during the initiation, development, and acquisition phases of the system development life cycle, the tasks will, by necessity, be undertaken later in the life cycle and be more costly to implement. In either situation, all tasks are completed prior to placing the information system into operation or continuing its operation to ensure that: (i) information system-related security risks are being adequately addressed on an ongoing basis; and (ii) the authorizing official explicitly understands and accepts the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of a defined set of security controls and the current security state of the information system.

The Risk Management Framework (RMF), illustrated in Figure 2-2, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF steps include:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.[8]
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.[9]
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

Chapter Three provides a detailed description of each of the specific tasks necessary to carry out the six steps in the RMF.

File:80037r1 Figure2-2.png

In summary, there is a significant degree of flexibility in how organizations employ the risk management processes described above. While it is convenient to portray the risk management approach in Figure 2-1 as hierarchical, the reality of project and organization dynamics can be much more complex. The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach to risk management that is applied to all risk management processes and procedures. Organizational officials identify the resources necessary to complete the risk management tasks described in this publication and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks.[10]


All federal information systems, including operational systems, systems under development, and systems undergoing modification or upgrade, are in some phase of a system development life cycle.[11] Requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase.[12] Security requirements are a subset of the overall functional and nonfunctional (e.g., quality, assurance) requirements levied on an information system and are incorporated into the system development life cycle simultaneously with the functional and nonfunctional requirements. Without the early integration of security requirements, significant expense may be incurred by the organization later in the life cycle to address security considerations that could have been included in the initial design. When security requirements are considered as an integral subset of other information system requirements, the resulting system has fewer weaknesses and deficiencies, and therefore, fewer vulnerabilities that can be exploited in the future.

Early integration of information security requirements into the system development life cycle is the most cost-effective and efficient method for an organization to ensure that its protection strategy is implemented. It also ensures that information security processes are not isolated from the other routine management processes employed by the organization to develop, implement, operate, and maintain information systems supporting ongoing missions and business functions. In addition to incorporating information security requirements into the system development life cycle, security requirements are also integrated into the program, planning, and budgeting activities within the organization to ensure that resources are available when needed and program/project milestones are completed. The enterprise architecture provides a central record of this integration within an organization.

Ensuring that information security requirements are integrated into the organization's system development life cycle processes regardless of the type of life cycle processes employed, helps facilitate development and implementation of more resilient information systems to reduce risk to organizational operations and assets, individuals, other organizations, and the Nation. This can be accomplished using the well-established concept of integrated project teams.[13] A responsible organizational official (e.g., agency head, mission or business owner, integrated project team leader, program manager, information system owner, authorizing official) ensures that security professionals are an integral part of any information system development activities from the initial definition of information security requirements at Tier 1 and Tier 2 to the selection of security controls at Tier 3. Such consideration is used to foster close cooperation among personnel responsible for the design, development, implementation, operation, maintenance, and disposition of information systems and the information security professionals advising the senior leadership on appropriate security controls needed to adequately mitigate risk and protect critical missions and business functions.

Finally, organizations maximize the use of security-relevant information (e.g., assessment results, information system documentation, and other artifacts) generated during the system development life cycle to satisfy requirements for similar information needed for information security-related purposes. Similar security-relevant information concerning common controls, including security controls provided by external providers, is factored into the organization's risk management process. The judicious reuse of security-relevant information by organizations is an effective method to help eliminate duplication of effort, reduce documentation, promote reciprocity, and avoid unnecessary costs that may result when security activities are conducted independently of system development life cycle processes. In addition, reuse promotes greater consistency of information used in the design, development, implementation, operation, maintenance, and disposition of an information system including security-related considerations.


One of the most challenging problems for information system owners, authorizing officials, chief information officers, senior information security officers, and information security architects is identifying appropriate boundaries for organizational information systems.[14] Well-defined boundaries establish the scope of protection for organizational information systems (i.e., what the organization agrees to protect under its direct management control or within the scope of its responsibilities) and include the people, processes, and information technologies that are part of the systems supporting the organization's missions and business processes. Information system boundaries are established in coordination with the security categorization process and before the development of security plans. Information system boundaries that are too expansive (i.e., too many system components and/or unnecessary architectural complexity) make the risk management process extremely unwieldy and complex. Boundaries that are too limited increase the number of information systems that must be separately managed and as a consequence, unnecessarily inflate the total information security costs for the organization. The following sections provide general guidelines to assist organizations in establishing appropriate system boundaries to achieve cost-effective solutions for managing information security-related risks from the operation and use of information systems.

2.3.1 Establishing Information System Boundaries

The set of information resources[15] allocated to an information system defines the boundary for that system. Organizations have significant flexibility in determining what constitutes an information system and its associated boundary. If a set of information resources is identified as an information system, the resources are generally under the same direct management control.[16]

Direct management control does not necessarily imply that there is no intervening management. It is also possible for multiple information systems to be considered as independent subsystems[17] of a more complex information system. This situation may arise in many organizations when smaller information systems are coalesced for purposes of risk management into a larger, more comprehensive system. On a larger scale, an organization may develop a system of systems involving multiple independent information systems (possibly distributed across a widespread geographic area) supporting a set of common missions and/or business functions.[18] In addition to consideration of direct management control, it may also be helpful for organizations to determine if the information resources being identified as an information system:

  • Support the same mission/business objectives or functions and essentially the same operating characteristics and information security requirements; and
  • Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments).[19]

Since commonality can change over time, this determination is revisited periodically as part of a continuous monitoring process carried out by the organization (see Section 3.6). While the above considerations may be useful to organizations in determining information system boundaries for purposes of risk management, they are not viewed as limiting the organization's flexibility in establishing commonsense boundaries that promote effective information security within the available resources of the organization. Information system owners consult with authorizing officials, chief information officers, senior information security officers, information security architects, and the risk executive (function)[20] when establishing or changing system boundaries. The process of establishing information system boundaries and the associated risk management implications is an organization-wide activity that includes careful negotiation among all key participants—taking into account mission and business requirements, technical considerations with respect to information security, and programmatic costs to the organization.

Software applications (e.g., database applications, Web applications) hosted by an information system are included in the risk management process since application security is critical to the overall security of the system.[21] Software applications depend on the resources provided by the hosting information system and as such, can take advantage of (i.e., leverage) the security controls provided by the system to help provide a foundational level of protection for the hosted applications, when this type of inheritance is applicable. Additional application-level security controls are provided by the respective software applications, as needed. Organizations ensure that all security controls, including application-level controls employed in separate software applications, are managed and tracked on an ongoing basis. Application owners coordinate with information system owners to ensure that information security and risk management activities are carried out as seamlessly as possible among applications and hosting systems. This coordination includes, for example, consideration for: (i) the selection, implementation, assessment, and monitoring of security controls for hosted applications; (ii) the effects of changes to hosted applications on the overall security state of the information system and the missions and business processes supported by that system; and (iii) the effects of changes to the information system on hosted applications. Employing strong configuration management and control processes within software applications and the hosting information system, and reusing security control assessment results helps to provide the necessary protection for applications.

Security controls provided by the hosted software application are documented in the security plan for the hosting information system and assessed for effectiveness during the risk management process (i.e., during the initial authorization of the information system and subsequently, during the continuous monitoring process). Application-level security controls are also assessed for effectiveness if the applications are added after the hosting information system is authorized to operate. Information system owners take appropriate measures to ensure that hosted applications do not affect the security state of the hosting system and obtain the necessary information from application owners to conduct security impact analyses, when needed.

2.3.2 Boundaries for Complex Information Systems

The application of security controls within a complex information system can present significant challenges to an organization. From a centralized development, implementation, and operations perspective, the information system owner, in collaboration with the authorizing official, senior information security officer, information security architect, and information system security engineer, examines the purpose of the information system and considers the feasibility of decomposing the complex system into more manageable subsystems. From a distributed development, implementation, and operations perspective, the organization recognizes that multiple entities, possibly operating under different policies, may be contributing to the development, implementation, and/or operations of the subsystems that compose the complex information system. In such a scenario, the organization is responsible for ensuring that these separate subsystems can work together in both a secure and functional manner. Treating an information system as multiple subsystems, each with its own subsystem boundary, facilitates a more targeted application of security controls to achieve adequate security and a more cost-effective risk management process. Knowledge of the security properties of individual subsystems does not necessarily provide the complete knowledge of the security properties of the complex information system. The organization applies best practices in systems and security engineering and documents the decomposition of the information system in the security plan.

Information security architecture plays a key part in the security control selection and allocation process for a complex information system. This includes monitoring and controlling communications at key internal boundaries among subsystems and providing system-wide common controls (see Section 2.4) that meet or exceed the requirements of the constituent subsystems inheriting those system-wide common controls. One approach to security control selection and allocation is to categorize each identified subsystem (including dynamic subsystems as described in Section 2.3.3). Separately categorizing each subsystem does not change the overall categorization of the information system. Rather, it allows the subsystems to receive a separate and more targeted allocation of security controls from NIST Special Publication 800-53 instead of deploying higher-impact controls across every subsystem. Another approach is to bundle smaller subsystems into larger subsystems within the overall complex information system, categorize each of the aggregated subsystems, and allocate security controls to the subsystems, as needed. While subsystems within complex information systems may exist as complete systems, the subsystems are, in most cases, not treated as independent entities because they are typically interdependent and interconnected.

When the results of security categorizations for the identified subsystems are different, the organization carefully examines the interfaces, information flows, and security-relevant dependencies[22] among subsystems and selects security controls for the interconnection of the subsystems to eliminate or reduce potential vulnerabilities in this area. This helps to ensure that the information system is adequately protected.[23] Security controls for the interconnection of subsystems are also employed when the subsystems implement different security policies or are administered by different authorities. The extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the complex information system, can be determined by combining security control assessments at the subsystem level and adding system-level considerations addressing interface issues among subsystems. This approach facilitates a more targeted and cost-effective risk management process by scaling the level of effort of the assessment in accordance with the subsystem security categorization and allowing for reuse of assessment results at the information system level. Figure 2-3 illustrates the concept of decomposition for a complex information system.

File:80037r1 Figure2-3.png

In the above example, an information system contains a system guard that monitors the flow of information between two local area networks. The information system can be partitioned into multiple subsystems: (i) local area network one; (ii) local area network two; (iii) the system guard separating the two networks; and (iv) several dynamic subsystems that become part of the system at various points in time (see Section 2.3.3). Each subsystem within the information system may be categorized individually. The security categorization of the information system as a whole is not changed by taking into consideration all of the individual subsystem categorizations. When all subsystems within the complex information system have completed an initial security control assessment, the organization takes additional measures to ensure that: (i) security controls not included in the subsystem assessments are assessed for effectiveness; and (ii) the subsystems work together in a manner that meets the security requirements of the information system.[24]

2.3.3 Changing Technologies and the Effect on Information System Boundaries

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures[25] (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Dynamic Subsystems

For many information systems, the determination of subsystems is established at system initiation and maintained throughout the life cycle of the system. However, there are some instances, most notably in net-centric architectures, where the subsystems that compose the system may not be present at all stages of the life cycle. Some subsystems may not become part of an information system until sometime after system initiation, while other subsystems may leave the system sometime prior to system termination. Generally, this will not impact the external boundary of the information system if the dynamic subsystems are in the system design and the appropriate security controls are reflected in the security plan. But it does impact the subsystems that exist within the boundary at any given point in time.

Dynamic subsystems that become part of an organizational information system at various points in time may or may not be under the direct control of the organization. These subsystems may be provided by external providers (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements). Regardless of whether the subsystem is or is not controlled by the organization, the expectations of its capabilities have to be considered. The dynamic inclusion or exclusion of the subsystems may or may not require reassessment of the information system as a whole. This is determined based on constraints and assumptions (e.g., functions the subsystems perform, connections to other subsystems and other information systems) imposed upon the subsystems at system design and incorporated in the security plan. So long as the subsystems conform to the identified constraints and assumptions, they can be dynamically added or removed from the information system without requiring reassessments of the entire system.

As noted above, the assumptions and constraints on the dynamic subsystems are reflected in the information system design and the security plan. The determination as to whether the subsystems conform to the assumptions and constraints is addressed during the continuous monitoring phase of the risk management process. Depending upon the nature of the subsystems (including the functions, connections, and relative trust relationships established with the subsystem providers), the determination of conformance may be performed in a manual or automated manner, and may occur prior to, or during the subsystem connecting/disconnecting to the information system.

External Subsystems

Another characteristic often apparent in net-centric architectures is that some of the subsystems (or components of subsystems)[26] are outside of the direct control of the organization that owns the information system and authorizes its operation. The nature of such external subsystems can vary from organizations employing external cloud computing services to process, store, and transmit information to organizations allowing platforms under their control to host applications/services developed by some external entity.

As noted in Appendix I (Security Controls in External Environments), FISMA and OMB policy require external providers handling federal information or operating information systems on behalf of the federal government to meet the same security requirements as federal agencies. These security requirements also apply to external subsystems storing, processing, or transmitting federal information and any services provided by or associated with the subsystem. Appendix I further notes that the assurance or confidence that the risk from using external services is at an acceptable level depends on the trust that the organization places in the external service provider. In some cases, the level of trust is based on the amount of direct control the organization is able to exert on the external service provider with regard to employment of security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. In other instances, trust may be based on other factors, such as the experience the organization has with the external service provider, and the confidence (trust) the organization has in the provider taking the correct actions. There are a variety of factors that can complicate the level of trust issue in the case of net-centric architectures to include:

  • The delineation between what is owned by the external entity and the organization may be somewhat blurred (e.g., organization-owned platform executing external entity-developed service/application software or firmware);
  • The degree of control the organization has over the external entity providing/supporting the subsystems/services may be very limited;
  • The nature and content of the subsystems may be subject to rapid change; and
  • The subsystems/services may be of such critical nature that they need to be incorporated into organizational information systems very rapidly.

The consequence of the factors above is that some of the more traditional means of verifying the correct functioning of a subsystem and the effectiveness of security controls (e.g., clearly defined requirements, design analysis, testing and evaluation before deployment) may not be feasible for a net-centric subsystem/service. As a result, organizations may be left to depend upon the nature of the trust relationships with the suppliers of the net-centric subsystems/services as the basis for determining whether or not to allow/include the subsystems/services (e.g., use of GSA list of approved providers). Alternatively, organizations may allow such subsystems/services to be used only in those instances where they have constrained the nature of information or process flow such that the organization believes that any potential adverse impact is manageable. Ultimately, when the level of trust in the external provider of subsystems/services is below expectations, the organization: (i) employs compensating controls; (ii) accepts a greater degree of risk; or (iii) does not obtain the service (i.e., performs its core missions and business operations with reduced levels of functionality or possibly no functionality at all).


There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls (i.e., controls that have both system-specific and common characteristics).[27] The organization allocates security controls to an information system consistent with the organization's enterprise architecture and information security architecture.[28] This activity is carried out as an organization-wide activity involving authorizing officials, information system owners, chief information security officer, senior information security officer, enterprise architect, information security architect, information system security officers, common control providers, and risk executive (function).

As part of the information security architecture, organizations are encouraged to identify and implement security controls that can support multiple information systems efficiently and effectively as a common capability (i.e., common controls). When these controls are used to support a specific information system, they are referenced by that specific system as inherited controls. Common controls promote more cost-effective and consistent information security across the organization and can also simplify risk management activities. By allocating security controls to an information system as system-specific controls, hybrid controls, or common controls, the organization assigns responsibility and accountability to specific organizational entities for the overall development, implementation, assessment, authorization, and monitoring of those controls.

The organization has significant flexibility in deciding which families of security controls or specific controls from selected families in NIST Special Publication 800-53 are appropriate for the different types of allocations. Since the security control allocation process involves the assignment and provision of security capabilities derived from security controls, the organization ensures that there is effective communication among all entities either receiving or providing such capabilities. This communication includes, for example, ensuring that common control authorization results and continuous monitoring information are readily available to those organizational entities inheriting common controls, and that any changes to common controls are effectively communicated to those affected by such changes.[29] Figure 2-4 illustrates security control allocation within an organization and using the RMF to produce information for senior leaders (including authorizing officials) on the ongoing security state of organizational information systems and the missions and business processes supported by those systems.

File:80037r1 Figure2-4.png


  1. 15 NIST Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (projected for publication in 2010), will provide guidance on the holistic approach to risk management.
  2. 16 Types of risk include, for example: (i) program/acquisition risk (cost, schedule, performance); (ii) compliance and regulatory risk; (iii) financial risk; (iv) legal risk; (v) operational (mission/business) risk; (vi) political risk; (vii) project risk; (viii) reputational risk; (ix) safety risk; (x) strategic planning risk; and (xi) supply chain risk.
  3. 17 Federal Enterprise Architecture Reference Models and Segment and Solution Architectures are defined in the OMB Federal Enterprise Architecture (FEA) Program, FEA Consolidated Reference Model Document, Version 2.3, October 2003 and OMB Federal Segment Architecture Methodology (FSAM), January 2009, respectively.
  4. 18 Information security requirements can be obtained from a variety of sources (e.g., legislation, policies, directives, regulations, standards, and organizational mission/business/operational requirements). Organization-level security requirements are documented in the information security program plan or equivalent document.
  5. 19 The RMF categorization step, including consideration of legislation, policies, directives, regulations, standards, and organizational mission/business/operational requirements, facilitates the identification of security requirements.
  6. 20 The allocation of security controls can take place at all three tiers in the risk management hierarchy. For example, security controls that are identified as common controls may be allocated at the organization, mission/business process, or information system level. See Section 2.4 for additional information on security control allocation.
  7. 21 Appendix I provides additional guidance regarding external service providers and the provision of security controls in external environments.
  8. 22 FIPS 199 provides security categorization guidance for nonnational security systems. CNSS Instruction 1253 provides similar guidance for national security systems.
  9. 23 NIST Special Publication 800-53 provides security control selection guidance for nonnational security systems. CNSS Instruction 1253 provides similar guidance for national security systems.
  10. 24 Resource requirements include funding for training organizational personnel to ensure that they can effectively carry out their assigned responsibilities.
  11. 25 There are typically five phases in a generic system development life cycle including: (i) initiation; (ii) development/acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.
  12. 26 Organizations may employ a variety of system development life cycle processes including, for example, waterfall, spiral, or agile development.
  13. 27 Integrated project teams are multidisciplinary entities consisting of a number of individuals with a range of skills and roles to help facilitate the development of information systems that meet the requirements of the organization.
  14. 28 With regard to the risk management process and information security, the term information system boundary is synonymous with authorization boundary.
  15. 29 Information resources consist of information and related resources including personnel, equipment, funds, and information technology.
  16. 30 For information systems, direct management control involves budgetary, programmatic, or operational authority and associated responsibility and accountability.
  17. 31 A subsystem is a major subdivision of an information system consisting of information, information technology, and personnel that perform one or more specific functions.
  18. 32 The National Airspace System (NAS) operated by the Federal Aviation Administration (FAA) is an example of a system of systems.
  19. 33 Similarity of operating environments includes, for example, consideration of threat, policy, and management.
  20. 34 The roles and responsibilities of the risk executive (function) are described in Appendix D.
  21. 35 Software applications and information systems hosting the applications may be owned by different organizations.
  22. 36 Subsystem interfaces include ports and protocols. Information flows address information transmitted between subsystems. Security-relevant dependencies refer to security functions/services (e.g., encryption, auditing), performed by one subsystem that are required by one or more of the other subsystems.
  23. 37 The types of interfaces and couplings among subsystems may introduce inadvertent weaknesses and vulnerabilities in a complex information system. For example, if a large organizational intranet is decomposed by enterprise services into smaller subsystems (e.g., severable subsystems such as local area network segments) and subsequently categorized individually, the specific protections at the subsystem level may allow a vector of attack against the intranet by erroneously selecting and implementing security controls that are not sufficiently strong with respect to the rest of the system. To avoid this situation, organizations carefully examine the interfaces among subsystems and take appropriate actions to eliminate potential vulnerabilities in this area, thus helping to ensure that the information system is adequately protected.
  24. 38 The organization can: (i) issue a single authorization for the entire complex information system (to include bundling assessment results from individual subsystem assessments and any additional assessment results at the system level); or (ii) implement a strategy for managing the risk associated with connecting separately authorized information systems when viewed as a system of systems.
  25. 39 A net-centric architecture is a complex system of systems comprised of subsystems and services that are part of a continuously evolving, complex community of people, devices, information, and services interconnected by a network that enhances information sharing and collaboration. A service-oriented architecture (SOA) is an example of a net-centric architecture.
  26. 40 In this context, the term subsystem includes the services provided by or associated with that subsystem.
  27. 41 NIST Special Publication 800-53 provides additional guidance on security controls for information systems.
  28. 42 Allocation is a term used to describe the process an organization employs: (i) to determine whether security controls are defined as system-specific, hybrid, or common; and (ii) to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
  29. 43 Communication regarding the security status of common (inherited) controls is essential irrespective of whether the common control provider is internal or external to the organization. Appendix I provides guidance for organizations relying on security controls in external environments including the types of contractual agreements and arrangements that are necessary to ensure appropriate security-relevant information is conveyed to the organization from external providers.