NIST SP 800-53r2 Chapter 1
THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS
The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
- Have the selected security controls been implemented or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, controls, and mitigates risks to its information and information systems. The security controls defined in Special Publication 800-53 (as amended) and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. An effective information security program should include:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level and address information security throughout the life cycle of each organizational information system;
- Plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
- Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks;
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually;
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization;
- Procedures for detecting, reporting, and responding to security incidents; and
- Plans and procedures for continuity of operations for information systems that support the operations and assets of the organization.
It is of paramount importance that responsible officials within the organization understand the risks and other factors that could adversely affect organizational operations, organizational assets, or individuals. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information systems in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and to accomplish the organization's stated mission(s) with what the Office of Management and Budget (OMB) Circular A-130 defines as adequate security, or security commensurate with risk, including the magnitude of harm to individuals, the organization, or its assets resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
1.1 PURPOSE AND APPLICABILITY
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems within the federal government by:
- Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems;
- Providing a recommendation for minimum security controls for information systems categorized in accordance with Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems;
- Providing a stable, yet flexible catalog of security controls for information systems to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies; and
- Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness.
The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems. This publication is intended to provide guidance to federal agencies implementing FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. In addition to the agencies of the federal government, state, local, and tribal governments and private sector organizations that compose the critical infrastructure of the United States are encouraged to use these guidelines, as appropriate.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse federal audience of information system and information security professionals including: (i) individuals with information system and information security management and oversight responsibilities (e.g., chief information officers, senior agency information security officers, and authorizing officials); (ii) individuals with information system development responsibilities (e.g., program and project managers, mission/application owners, system designers, system and application programmers); (iii) individuals with information security implementation and operational responsibilities (e.g., information system owners, information owners, information system administrators, information system security officers); and (iv) individuals with information system and information security assessment and monitoring responsibilities (e.g., auditors, inspectors general, evaluators, and certification agents). Commercial companies producing information technology products and systems, creating information security-related technologies, and providing information security services can also benefit from the information in this publication.
1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
To create the most technically sound and broadly applicable set of security controls for information systems, a variety of sources were considered during the development of this special publication. The sources included security controls from the defense, audit, financial, healthcare, and intelligence communities as well as controls defined by national and international standards organizations. The objective of NIST Special Publication 800-53 is to provide a set of security controls that is sufficiently rich to satisfy the breadth and depth of security requirements levied on information systems and that is consistent with and complementary to other established security standards.
The catalog of security controls provided in Special Publication 800-53 can be effectively used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. It is the responsibility of organizations to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying their stated security requirements. The security controls in the catalog facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent and repeatable manner, thus contributing to the organization's confidence that there is ongoing compliance with its stated security requirements.
1.4 ORGANIZATIONAL RESPONSIBILITIES
Organizations should use FIPS 199 to define security categories for their information systems. This publication associates recommended minimum security controls with FIPS 199 low-impact, moderate-impact, and high-impact security categories. For each information system, the recommendation for minimum security controls from Special Publication 800-53 (i.e., the baseline security controls defined in Appendix D, tailored in accordance with the tailoring guidance in Section 3.3) is intended to be used as a starting point for and input to the organization's risk assessment process. The risk assessment results are used to supplement the tailored baseline resulting in a set of agreed-upon controls documented in the security plan for the information system. While the FIPS 199 security categorization associates the operation of the information system with the potential impact on an organization's operations, assets, or individuals, the incorporation of refined threat and vulnerability information during the risk assessment facilitates supplementing the tailored baseline security controls to address organizational needs and tolerance for risk. The final, agreed-upon set of security controls should be documented with appropriate rationale in the security plan for the information system.
The use of security controls from Special Publication 800-53 and the incorporation of tailored baseline controls as a starting point in the control selection process, facilitates a more consistent level of security across federal information systems. It also offers the needed flexibility to appropriately modify the controls based on specific organizational policy and requirements, particular conditions and circumstances, known threat and vulnerability information, and tolerance for risk to the organization's operations, assets, or to individuals.
Building a more secure information system is a multifaceted undertaking that involves the use of: (i) well-defined system-level security requirements and security specifications; (ii) well-designed information technology products; (iii) sound systems/security engineering principles and practices to effectively integrate information technology products into the information system; (iv) appropriate methods for product/system testing and evaluation; and (v) comprehensive system security planning and life cycle management. From a systems engineering viewpoint, security is just one of many required capabilities for an organizational information system, capabilities that must be funded by the organization throughout the life cycle of the system. Realistically assessing the risks to an organization's operations and assets or to individuals by placing the information system into operation or continuing its operation is of utmost importance. Addressing the information system security requirements must be accomplished with full consideration of the risk tolerance of the organization in light of the potential impacts, cost, schedule, and performance issues associated with the acquisition, deployment, and operation of the system.
1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:
- Chapter Two describes the fundamental concepts associated with security control selection and specification including: (i) the structural components of security controls and how the controls are organized into families; (ii) minimum (baseline) security controls; (iii) the use of common security controls in support of organization-wide information security programs; (iv) security controls in external environments; (v) assurance in the effectiveness of security controls; and (vi) the commitment to maintain currency of the individual security controls and the control baselines.
- Chapter Three describes the process of selecting and specifying security controls for an information system including: (i) defining the organization's overall approach to managing risk; (ii) categorizing the system in accordance with FIPS 199; (iii) selecting and tailoring the initial set of minimum (baseline) security controls; (iv) supplementing the tailored security control baseline, as necessary, based upon risk assessment results; and (v) updating the controls as part of a comprehensive continuous monitoring process.
- Supporting appendices provide more detailed security control selection and specification-related information including: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) baseline security controls for low-impact, moderate-impact, and high-impact information systems; (v) minimum assurance requirements; (vi) a master catalog of security controls; (vii) mapping tables relating the security controls in this publication to other standards and control sets; (viii) crosswalks of NIST security standards and guidelines with associated security controls; and (ix) guidance on the application of security controls to industrial control systems.