NIST SP 800-53r2 Chapter 2
SECURITY CONTROL STRUCTURE, ORGANIZATION, BASELINES, AND ASSURANCE
This chapter presents the fundamental concepts associated with security control selection and specification including: (i) the structure of security controls and the organization of the controls in the control catalog; (ii) security control baselines; (iii) the identification and use of common security controls; (iv) security controls in external environments; (v) security control assurance; and (vi) future revisions to the security controls, the control catalog, and baseline controls.
2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
Security controls in the security control catalog (Appendix F) have a well-defined organization and structure. The security controls are organized into classes and families for ease of use in the control selection and specification process. There are three general classes of security controls (i.e., management, operational, and technical) and seventeen security control families.17 Each family contains security controls related to the security functionality of the family. A two-character identifier is assigned to uniquely identify each control family. Table 1 summarizes the classes and families in the security control catalog and the associated family identifiers.
Table 1: Security control classes, families, and identifiers

| Identifier | Family | Class |
|---|---|---|
| AT | Awareness and Training | Operational |
| AU | Audit and Accountability | Technical |
| CA | Certification, Accreditation, and Security Assessments | Management |
| IA | Identification and Authentication | Technical |
| PE | Physical and Environmental Protection | Operational |
| SA | System and Services Acquisition | Management |
| SC | System and Communications Protection | Technical |
| SI | System and Information Integrity | Operational |
To uniquely identify each control, a numeric identifier is appended to the family identifier to indicate the number of the control within the control family. For example, CP-9 is the ninth control in the Contingency Planning family.
The security control structure consists of three key components: (i) a control section; (ii) a supplemental guidance section; and (iii) a control enhancements section.18 The following example from the Audit and Accountability family illustrates the structure of a typical security control.
AU-2 AUDITABLE EVENTS
- Supplemental Guidance: The purpose of this control is to identify important events which need to be audited as significant and relevant to the security of the information system. The organization specifies which information system components carry out auditing activities. Auditing activity can affect information system performance. Therefore, the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes of problems. Additionally, the security audit function is coordinated with the network health and status monitoring function to enhance the mutual support between the two functions by the selection of information to be recorded by each function. The checklists and configuration guides at http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents. NIST Special Publication 800-92 provides guidance on computer security log management.
- Control Enhancements:
  - (2) The information system provides the capability to manage the selection of events to be audited by individual components of the system.
  - (3) The organization periodically reviews and updates the list of organization-defined auditable events.

| LOW | MOD | HIGH |
|---|---|---|
| AU-2 | AU-2 (3) | AU-2 (1) (2) (3) |
The control section provides a concise statement of the specific security capability needed to protect a particular aspect of an information system. The control statement describes specific security-related activities or actions to be carried out by the organization or by the information system. For some controls in the control catalog, a degree of flexibility is provided by allowing organizations to selectively define input values for certain parameters associated with the controls. This flexibility is achieved through the use of assignment and selection operations within the main body of the control. Assignment and selection operations provide an opportunity for an organization to tailor the security controls to support specific mission, business, or operational needs. For example, an organization can specify the specific events to be audited. Once specified, the organization-defined value becomes part of the control, and the organization is assessed against the completed control statement. Some assignment operations may specify minimum or maximum values that constrain the values that may be input by the organization. Selection statements also narrow the potential input values by providing a specific list of items from which the organization must choose.
The supplemental guidance section provides additional information related to a specific security control. Organizations are expected to apply the supplemental guidance as appropriate, when defining, developing, and implementing security controls. In certain instances, the supplemental guidance provides more detail concerning the control requirements or important considerations (and the needed flexibility) for implementing security controls in the context of an organization's operational environment, specific mission requirements, or assessment of risk. In addition, applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance documents (e.g., OMB Circulars, FIPS, and NIST Special Publications) are listed in the supplemental guidance section, when appropriate, for the particular security control.
The control enhancements section provides statements of security capability to: (i) build in additional, but related, functionality to a basic control; and/or (ii) increase the strength of a basic control. In both cases, the control enhancements are used in an information system requiring greater protection due to the potential impact of loss or when organizations seek additions to a basic control's functionality based on the results of a risk assessment. Control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the basic control. In the example above, if all three control enhancements are selected, the control designation subsequently becomes AU-2 (1) (2) (3). The numerical designation of a security control enhancement is used only to identify a particular enhancement within the control structure. The designation is neither indicative of the relative strength of the control enhancement nor assumes any hierarchical relationship among enhancements. In the above example, enhancement (3) is used before (1) and (2) since that enhancement is appropriate at a lower level than the other two. This type of situation arises from the decision to enhance control stability in the face of change by not renumbering existing enhancements when new ones are added or when decisions about placement within baselines change.
2.2 SECURITY CONTROL BASELINES
Organizations are required to employ security controls to meet security requirements defined by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., Federal Information Security Management Act, OMB Circular A-130, Appendix III). The challenge for organizations is to determine the appropriate set of security controls which, if implemented and determined to be effective in their application, would most cost-effectively comply with the stated security requirements.19 Selecting the appropriate set of security controls to meet the specific, and sometimes unique, security requirements of an organization is an important task, one that demonstrates the organization's commitment to security and the due diligence exercised in protecting the confidentiality, integrity, and availability of their information and information systems.
To assist organizations in making the appropriate selection of security controls for their information systems, the concept of baseline controls is introduced. Baseline controls are the minimum security controls recommended for an information system based on the system's security categorization in accordance with FIPS 199.20 The tailored security control baseline (i.e., the appropriate control baseline from Appendix D tailored in accordance with the guidance in Section 3.3) serves as the starting point for organizations in determining the appropriate safeguards and countermeasures necessary to protect their information systems. Because the baselines are intended to be broadly applicable starting points, supplements to the tailored baselines (see Section 3.4) will likely be necessary in order to achieve adequate risk mitigation. The tailored baselines are supplemented based on organizational assessments of risk and the resulting controls documented in the security plans for the information systems.
Appendix D provides a listing of baseline security controls. Three sets of baseline controls have been identified corresponding to the low-impact, moderate-impact, and high-impact levels defined in the security categorization process in FIPS 199 and derived in Section 3.2. Each of the three baselines provides an initial set of security controls for a particular impact level associated with a security category.21 Appendix F provides the complete catalog of security controls for information systems, arranged by control families. The catalog represents the entire set of security controls defined at this time. Chapter 3 provides additional information on how to use security categories to select the appropriate set of baseline security controls, how to apply the tailoring guidance to the baseline controls, and how to supplement the tailored baseline in order to achieve adequate risk mitigation.
Since the baseline security controls represent the minimum controls for low-impact, moderate-impact, and high-impact information systems, respectively, there are additional controls and control enhancements that appear in the catalog that are found only in higher-impact baselines or are not used in any of the baselines. These additional security controls and control enhancements for the information system are available to organizations and can be used in supplementing the tailored baselines to achieve the needed level of protection in accordance with an organizational assessment of risk. Moreover, security controls and control enhancements contained in higher-level baselines can also be used by organizations to strengthen the level of protection provided in lower-level baselines, if deemed appropriate. At the end of the security control selection and specification process, the agreed-upon set of security controls documented in the security plan must be sufficient to provide adequate security for the organization and mitigate risks to its operations, assets, and individuals.
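As an added illustration (not part of the NIST publication), the following Python parses the control designations of Section 2.1 (family identifier, control number, parenthesised enhancement numbers) and the baseline row shown for AU-2, checks that the three baselines nest, and supplements a tailored baseline control with further catalog enhancements as Section 2.2 describes. The family list and the AU-2 catalog enhancement set are taken only from what this page shows; `FAMILIES`, `Control`, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
# Control families named on this page (Table 1 plus the CP and IR examples in
# the text); identifiers from any other family are rejected as unknown.
FAMILIES = {
    "AT": "Awareness and Training",
    "AU": "Audit and Accountability",
    "CA": "Certification, Accreditation, and Security Assessments",
    "CP": "Contingency Planning",
    "IA": "Identification and Authentication",
    "IR": "Incident Response",
    "PE": "Physical and Environmental Protection",
    "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}
LEVELS = ("LOW", "MOD", "HIGH")  # baseline impact levels, lowest first
# Family id, dash, control number, then zero or more "(n)" enhancement numbers.
_DESIGNATION = re.compile(r"^([A-Z]{2})-(\d+)((?:\s*\(\d+\))*)$")

@dataclass(frozen=True)
class Control:
    family: str
    number: int
    enhancements: frozenset  # enhancement numbers selected with this control

    @property
    def base_id(self) -> str:
        return f"{self.family}-{self.number}"

    def designation(self) -> str:
        # Numeric order; a number only identifies an enhancement, not its strength.
        return self.base_id + "".join(f" ({e})" for e in sorted(self.enhancements))

def parse_designation(text: str) -> Control:
    """Parse 'CP-9' or 'AU-2 (1) (2) (3)' into a Control, validating the family id."""
    m = _DESIGNATION.match(text.strip())
    if not m:
        raise ValueError(f"malformed control designation: {text!r}")
    family, number, enh_text = m.group(1), int(m.group(2)), m.group(3)
    if family not in FAMILIES:
        raise ValueError(f"unknown control family: {family!r}")
    return Control(family, number, frozenset(int(n) for n in re.findall(r"\((\d+)\)", enh_text)))

def parse_baseline_row(row: str) -> dict:
    """Parse '|LOW AU-2||MOD AU-2 (3)||HIGH AU-2 (1) (2) (3)|' into {level: Control}."""
    baselines = {}
    for cell in (c.strip() for c in row.split("|") if c.strip()):
        level, _, designation = cell.partition(" ")
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
        baselines[level] = parse_designation(designation)
    if set(baselines) != set(LEVELS):
        raise ValueError("baseline row must give LOW, MOD and HIGH entries")
    if len({c.base_id for c in baselines.values()}) != 1:
        raise ValueError("all cells of a baseline row must refer to the same control")
    return baselines

def baselines_are_nested(baselines: dict) -> bool:
    """True when each higher baseline carries every enhancement of the one below it."""
    return all(baselines[lo].enhancements <= baselines[hi].enhancements
               for lo, hi in zip(LEVELS, LEVELS[1:]))

def supplement(control: Control, extra: set, catalog: set) -> Control:
    """Add enhancements to a tailored baseline control (Section 2.2), accepting only
    enhancements the catalog defines for that control."""
    unknown = set(extra) - set(catalog)
    if unknown:
        raise ValueError(f"{control.base_id} has no enhancements {sorted(unknown)} in the catalog")
    return Control(control.family, control.number, control.enhancements | frozenset(extra))

# Constructed from this page's AU-2 example: its baseline row and catalog enhancements (1)-(3).
AU2_ROW = "|LOW AU-2||MOD AU-2 (3)||HIGH AU-2 (1) (2) (3)|"
AU2_CATALOG_ENHANCEMENTS = {1, 2, 3}

if __name__ == "__main__":
    rows = parse_baseline_row(AU2_ROW)
    print({lvl: rows[lvl].designation() for lvl in LEVELS}, baselines_are_nested(rows))
    # A moderate-impact system strengthening AU-2 with enhancement (2) from the high baseline.
    print(supplement(rows["MOD"], {2}, AU2_CATALOG_ENHANCEMENTS).designation())
```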
2.3 COMMON SECURITY CONTROLS
An organization-wide view of an information security program facilitates the identification of common security controls that can be applied to one or more organizational information systems. Common security controls can apply to: (i) all organizational information systems; (ii) a group of information systems at a specific site; or (iii) common information systems, subsystems, or applications (i.e., common hardware, software, and/or firmware) deployed at multiple operational sites. Common security controls have the following properties:
- The development, implementation, and assessment of common security controls can be assigned to responsible organizational officials or organizational elements (other than the information system owners whose systems will implement or use the common security controls); and
- The results from the assessment of the common security controls can be used to support the security certification and accreditation processes of organizational information systems where the controls have been applied.22
The identification of common security controls is most effectively accomplished as an organization-wide exercise with the involvement of the chief information officer, senior agency information security officer, authorizing officials, information system owners/program managers, information owners, and information system security officers. The organization-wide exercise considers the categories of information systems within the organization in accordance with FIPS 199 (i.e., low-impact, moderate-impact, or high-impact information systems) and the minimum security controls necessary to protect the operations and assets supported by those systems (see baseline security controls in Section 2.2). For example, common security controls can be identified for all low-impact information systems by considering the baseline security controls for that category of information system. Similar exercises can be conducted for moderate-impact and high-impact systems as well.
Many of the security controls needed to protect an information system (e.g., contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, and intrusion detection controls) may be excellent candidates for common security control status. By centrally managing the development, implementation, and assessment of the common security controls designated by the organization, security costs can be amortized across multiple information systems. Security controls not designated as common controls are considered system-specific controls and are the responsibility of the information system owner. Security plans for individual information systems should clearly identify which security controls have been designated by the organization as common security controls and which controls have been designated as system-specific controls.
Organizations may also assign a hybrid status to security controls in situations where one part of the control is deemed to be common, while another part of the control is deemed to be system-specific. For example, an organization may view the IR-1 (Incident Response Policy and Procedures) security control as a hybrid control with the policy portion of the control deemed to be common and the procedures portion of the control deemed to be system-specific. Hybrid controls may also serve as templates for further control refinement. An organization may choose, for example, to implement the CP-2 (Contingency Planning) security control as a master template for a generalized contingency plan for all organizational information systems with individual information system owners tailoring the plan, where appropriate, for system-specific issues.
Information system owners are responsible for any system-specific issues associated with the implementation of an organization's common security controls. These issues are identified and described in the system security plans for the individual information systems. The senior agency information security officer, acting on behalf of the chief information officer, should coordinate with organizational officials (e.g., facilities managers, site managers, personnel managers) responsible for the development and implementation of the designated common security controls to ensure that the required controls are put into place, the controls are assessed, and the assessment results are shared with the appropriate information system owners to better support the security accreditation process.
Partitioning security controls into common controls and system-specific controls can result in significant savings to the organization in development and implementation costs especially when the common controls serve multiple information systems and entities. It can also result in a more consistent application of the security controls across the organization at large. Moreover, equally significant savings can be realized in the security certification and accreditation process. Rather than assessing common security controls in every information system, the certification process draws upon any applicable results from the most current assessment of the common security controls performed at the organization level. An organization-wide approach to reuse and sharing of assessment results can greatly enhance the efficiency of the security certifications and accreditations being conducted by organizations and significantly reduce security program costs.
While the concept of security control partitioning into common security controls and system-specific controls is straightforward and intuitive, the application of this principle within an organization takes planning, coordination, and perseverance. If an organization is just beginning to implement this approach or has only partially implemented this approach, it may take some time to get the maximum benefits from security control partitioning and the associated reuse of assessment evidence. Because of the potential dependence on common security controls by many of an organization's information systems, a failure of such common controls may result in a significant increase in agency-level risk, that is, risk that arises from the operation of the systems that depend on these controls.
The FIPS 199 security categorization process and the selection of common security controls are closely related activities that are most effectively accomplished on an organization-wide basis with the involvement of the organization's senior leadership (i.e., authorizing officials, chief information officer, senior agency information security officer, information system owners, and mission/information owners). These individuals have the collective corporate knowledge to understand the organization's priorities, the importance of the organization's operations (including mission, functions, image, and reputation) and assets, and the relative importance of the organizational information systems that support those operations and assets. The organization's senior leaders are also in the best position to select the common security controls for each of the security control baselines and assign organizational responsibilities for developing, implementing, and assessing those controls.
2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions. External information system services are services that are implemented outside of the system's accreditation boundary (i.e., services that are used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business23 arrangements), licensing agreements, and/or supply chain exchanges. The growing dependence on external service providers and new relationships being forged with those providers present new and difficult challenges for the organization, especially in the area of information system security. These challenges include, but are not limited to: (i) defining the types of external services provided to the organization;24 (ii) describing how the external services are protected in accordance with the security requirements of the organization; and (iii) obtaining the necessary assurances that the risk to the organization's operations and assets, and to individuals, arising from the use of the external services is at an acceptable level.
The assurance or confidence that the risk to the organization's operations, assets, and individuals is at an acceptable level depends on the trust25 that the authorizing official places in the external service provider. In some cases, the level of trust is based on the amount of direct control the authorizing official is able to exert on the external service provider with regard to the employment of appropriate security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contract or service-level agreement with the external service provider and can range from extensive (e.g., negotiating a contract or agreement that specifies detailed security control requirements for the provider26) to very limited (e.g., using a contract or service-level agreement to obtain commodity services27 such as commercial telecommunications services). In other cases, the level of trust is derived from other factors that convince the authorizing official that the requisite security controls have been employed and that a credible determination of control effectiveness exists. For example, a separately accredited external information system service provided to a federal agency through a line of business relationship may provide a degree of trust in the external service within the tolerable risk range of the authorizing official.
Ultimately, the responsibility for adequately mitigating risks to the organization's operations and assets, and to individuals, arising from the use of external information system services remains with the authorizing official. Authorizing officials must require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The chain of trust can be very complicated due to the number of entities participating in the consumer-provider relationship and the type of relationship between the parties. External service providers may also in turn outsource the services to other external entities, making the chain of trust even more complicated and difficult to manage. Depending on the nature of the service, it may simply be unwise for the organization to wholly trust the provider, not due to any inherent untrustworthiness on the provider's part, but due to the intrinsic level of risk in the service. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating controls or accepts the greater degree of risk to its operations and assets, or to individuals.
2.5 SECURITY CONTROL ASSURANCE
Assurance is the grounds for confidence28 that the security controls implemented within an information system are effective in their application. Assurance can be obtained in a variety of ways including: (i) actions taken by developers and implementers29 of security controls in the design, development, and implementation techniques and methods; and (ii) actions taken by security control assessors during the testing and evaluation process to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Assurance considerations related to developers and implementers of security controls are addressed in this special publication. Assurance considerations related to assessors of security controls (including certification agents, evaluators, auditors, inspectors general) are addressed in NIST Special Publication 800-53A.
Appendix E describes the minimum assurance requirements for security controls listed in the low, moderate, and high baselines. For security controls in the low baseline, the emphasis is on the control being in place with the expectation that no obvious errors exist and that, as flaws are discovered, they are addressed in a timely manner. For security controls in the moderate baseline, the emphasis is on increasing grounds for confidence in control correctness. While flaws are still likely to be uncovered (and addressed expeditiously), the control developer or control implementer incorporates, as part of the control, specific capabilities to increase grounds for confidence that the control meets its function or purpose. For security controls in the high baseline, the emphasis is on requiring within the control the capabilities that are needed to support ongoing, consistent operation of the control and to support continuous improvement in the control's effectiveness. There are additional assurance requirements available to developers and implementers of security controls supplementing the minimum assurance requirements for the moderate and high baselines in order to protect against threats from highly skilled, highly motivated, and well-financed threat agents. This level of protection is necessary for those information systems where the organization is not willing to accept the risks associated with the type of threat agents cited above.
2.6 REVISIONS AND EXTENSIONS
The set of security controls listed in the control catalog represents the current state-of-the-practice safeguards and countermeasures for information systems. The security controls will be reviewed and revised periodically to reflect: (i) the experience gained from using the controls; (ii) the changing security requirements within organizations; (iii) emerging threats and attack methods; and (iv) the availability of new security technologies.30 The controls in the control catalog are expected to change over time, as controls are eliminated or revised and new controls are added. The minimum security controls defined in the low, moderate, and high baselines are also expected to change over time as the level of security and due diligence for mitigating risks within organizations increases. In addition to the need for change, the need for stability will be addressed by requiring that proposed additions, deletions, or modifications to the catalog of security controls go through a rigorous public review process to obtain government and private sector feedback and to build consensus for the changes. A stable, yet flexible and technically rigorous set of security controls will be maintained in the control catalog.