NIST SP 800-53r2 Chapter 3

From FISMApedia

CHAPTER THREE

THE PROCESS

SELECTION AND SPECIFICATION OF SECURITY CONTROLS

This chapter describes the process of selecting and specifying security controls for an information system including: (i) defining the organization's overall approach to managing risk; (ii) categorizing the system in accordance with FIPS 199; (iii) selecting and tailoring the initial set of minimum (baseline) security controls;31 (iv) supplementing the tailored security control baseline as necessary based upon an organizational assessment of risk; and (v) updating the controls as part of a comprehensive continuous monitoring process.

3.1 MANAGING RISK

The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of risk, that is, the risk to the organization or to individuals associated with the operation of an information system. The management of risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system: the security controls necessary to protect individuals and the operations and assets of the organization. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, Executive Orders, directives, policies, standards, or regulations. The following activities related to managing risk (also known as the NIST Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

  • Categorize the information system and the information resident within that system based on a FIPS 199 impact analysis.
  • Select an initial set of security controls (i.e., security control baseline from Appendix D) for the information system based on the FIPS 199 security categorization and the minimum security requirements defined in FIPS 200; apply tailoring guidance from Section 3.3 as appropriate, to obtain the control set used as the starting point for the assessment of risk associated with the use of the system.
  • Supplement the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances.32
  • Document the agreed-upon set of security controls in the system security plan including the organization's rationale for any refinements or adjustments to the initial set of controls.33
  • Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place.
  • Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.34
  • Authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable.35
  • Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis.

Figure 1 illustrates the specific activities in the NIST Risk Management Framework and the information security standards and guidance documents associated with each activity.

FIGURE 1: THE RISK MANAGEMENT FRAMEWORK

The remainder of this chapter focuses on several key activities in the Risk Management Framework: the FIPS 199 categorization, the initial selection and tailoring of security controls, supplementing the initial controls based on the organization's risk assessment, and updating the controls when necessary.

3.2 SECURITY CATEGORIZATION

FIPS 199, the mandatory federal security categorization standard, is predicated on a simple and well-established concept: determining appropriate priorities for organizational information systems and subsequently applying appropriate measures to adequately protect those systems. The security controls applied to a particular information system should be commensurate with the potential impact on organizational operations, organizational assets, or individuals should there be a loss of confidentiality, integrity, or availability. FIPS 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark) from among the security categories that have been determined for each type of information resident on those information systems.36 The generalized format for expressing the security category (SC) of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, moderate, or high.

Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept is used to determine the impact level of the information system for the express purpose of selecting an initial set of security controls from one of the three security control baselines.37 Thus, a low-impact system is defined as an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high.

Implementation Tip
To determine the overall impact level of the information system:
  • First, determine the different types of information that are processed, stored, or transmitted by the information system (e.g., financial sector oversight, inspections and auditing, official information dissemination, etc.). NIST Special Publication 800-60 provides guidance on a variety of information types commonly used by organizations.
  • Second, using the impact levels in FIPS 199 and the recommendations of NIST Special Publication 800-60, categorize the confidentiality, integrity, and availability of each information type as low, moderate, or high impact.
  • Third, determine the information system security categorization, that is, the highest impact level for each security objective (confidentiality, integrity, availability) from among the categorizations for the information types associated with the information system.
  • Fourth, determine the overall impact level of the information system from the highest impact level among the three security objectives in the system security categorization.

3.3 SELECTING AND TAILORING THE INITIAL BASELINE

Once the overall impact level of the information system is determined, an initial set of security controls can be selected from the corresponding low, moderate, or high baselines listed in Appendix D. Organizations have the flexibility to tailor the security control baselines in accordance with the terms and conditions set forth in this publication. Tailoring activities include: (i) the application of appropriate scoping guidance to the initial baseline; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls, where allowed. To achieve a cost-effective, risk-based approach to providing adequate information security organization-wide, security control baseline tailoring activities should be coordinated with and approved by appropriate organizational officials (e.g., chief information officers, senior agency information security officers, authorizing officials, or authorizing officials' designated representatives). Tailoring decisions should be documented in the security plan for the information system.38

Scoping Guidance

Scoping guidance provides organizations with specific terms and conditions on the applicability and implementation of individual security controls in the security control baselines. There are several considerations, described below, that can potentially impact how the baseline security controls are applied by the organization:

Common security control-related considerations:

Operational/environmental-related considerations:

  • Security controls that are dependent on the nature of the operational environment are applicable only if the information system is employed in an environment necessitating the controls. For example, certain physical security controls may not be applicable to space-based information systems, and temperature and humidity controls may not be applicable to remote sensors that exist outside of the indoor facilities that contain information systems.

Physical Infrastructure-related considerations:

  • Security controls that refer to organizational facilities (e.g., physical controls such as locks and guards, environmental controls for temperature, humidity, lighting, fire, and power) are applicable only to those sections of the facilities that directly provide protection to, support for, or are related to the information system (including its information technology assets such as electronic mail or web servers, server farms, data centers, networking nodes, boundary protection devices, and communications equipment).

Public access-related considerations:

  • Security controls associated with public access information systems should be carefully considered and applied with discretion since some security controls from the specified control baselines (e.g., identification and authentication, personnel security controls) may not be applicable to users accessing information systems through public interfaces. For example, while the baseline controls require identification and authentication of organizational personnel that maintain and support information systems providing the public access services, the same controls might not be required for access to those information systems through public interfaces to obtain publicly available information. On the other hand, identification and authentication would be required for users accessing information systems through public interfaces in some instances, for example, to access/change their personal information.

Technology-related considerations:

  • Security controls that refer to specific technologies (e.g., wireless, cryptography, public key infrastructure) are applicable only if those technologies are employed or are required to be employed within the information system.
  • Security controls are applicable only to the components of the information system that provide or support the security capability addressed by the control and are sources of potential risk being mitigated by the control.39 For example, when information system components are single-user, not networked, or only locally networked, one or more of these characteristics may provide appropriate rationale for not applying selected controls to that component.
  • Security controls that can be either explicitly or implicitly supported by automated mechanisms, do not require the development of such mechanisms if the mechanisms do not already exist or are not readily available in commercial or government off-the-shelf products. In situations where automated mechanisms are not readily available, cost-effective, or technically feasible, compensating security controls, implemented through nonautomated mechanisms or procedures, should be used to satisfy specified security controls or control enhancements (see terms and conditions for applying compensating controls below).

Policy/regulatory-related considerations:

  • Security controls that address matters governed by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., privacy impact assessments) are required only if the employment of those controls is consistent with the types of information and information systems covered by the applicable laws, Executive Orders, directives, policies, standards, or regulations.

Scalability-related considerations:

  • Security controls are scalable with regard to the extent and rigor of the control implementation. Scalability is guided by the FIPS 199 security categorization of the information system being protected. For example, a contingency plan for a FIPS 199 high-impact information system may be quite lengthy and contain a significant amount of implementation detail. In contrast, a contingency plan for a FIPS 199 low-impact information system may be considerably shorter and contain much less implementation detail. Organizations should use discretion in applying the security controls to information systems, giving consideration to the scalability factors in particular environments. This approach facilitates a cost-effective, risk-based approach to security control implementation that expends no more resources than necessary, yet achieves sufficient risk mitigation and adequate security.

Security objective-related considerations:

  • Security controls that uniquely support the confidentiality, integrity, or availability security objectives may be downgraded to the corresponding control in a lower baseline (or appropriately modified or eliminated if not defined in a lower baseline) if, and only if, the downgrading action: (i) is consistent with the FIPS 199 security categorization for the corresponding security objectives of confidentiality, integrity, or availability before moving to the high water mark;40 (ii) is supported by an organizational assessment of risk; and (iii) does not affect the security-relevant information within the information system.41 The following security controls are recommended candidates for downgrading: (i) confidentiality (AC-15, MA-3 (3), MP-2 (1), MP-3, MP-4, MP-5 (1) (2) (3), MP-6, PE-5, SC-4, SC-9); (ii) integrity (SC-8); and (iii) availability (CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, MA-6, PE-9, PE-10, PE-11, PE-13, PE-15, SC-6).42
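The following Python model is an added illustration, not code from NIST SP 800-53 or FISMApedia: it implements the FIPS 199 high water mark categorization from Section 3.2 (steps two through four of the Implementation Tip) and applies the security objective downgrading rule above to the candidate controls it lists. The information types, their impact values, and all function names are constructed assumptions; the values are not taken from NIST Special Publication 800-60.

```python
"""FIPS 199 security categorization (Section 3.2) and the security objective
downgrading candidates from the scoping guidance (Section 3.3).
Added illustration, not code from NIST SP 800-53; the function names and
sample data below are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, Iterable

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
RANK_IMPACT = {rank: level for level, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among `levels` (low < moderate < high)."""
    ranks = []
    for level in levels:
        if level not in IMPACT_RANK:
            raise ValueError(f"impact level must be low, moderate or high: {level!r}")
        ranks.append(IMPACT_RANK[level])
    if not ranks:
        raise ValueError("at least one impact level is required")
    return RANK_IMPACT[max(ranks)]


def system_categorization(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}.

    For each objective, take the high water mark across every information
    type resident on the system (steps two and three of the Implementation Tip)."""
    types = list(info_types)
    return {obj: high_water_mark(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def overall_impact_level(sc: Dict[str, str]) -> str:
    """Step four: the high water mark across the three objectives, which picks
    the low, moderate or high baseline in Appendix D. 'all low' -> low;
    'at least one moderate, none high' -> moderate; 'at least one high' -> high,
    exactly the three system classes Section 3.2 defines."""
    return high_water_mark(sc[obj] for obj in OBJECTIVES)


# Controls the scoping guidance recommends as downgrading candidates, keyed by
# the single security objective each one uniquely supports.
DOWNGRADE_CANDIDATES = {
    "confidentiality": {"AC-15", "MA-3(3)", "MP-2(1)", "MP-3", "MP-4",
                        "MP-5(1)(2)(3)", "MP-6", "PE-5", "SC-4", "SC-9"},
    "integrity": {"SC-8"},
    "availability": {"CP-2", "CP-3", "CP-4", "CP-6", "CP-7", "CP-8", "MA-6",
                     "PE-9", "PE-10", "PE-11", "PE-13", "PE-15", "SC-6"},
}


def downgrade_target(control: str, sc: Dict[str, str]) -> str:
    """Baseline level a control may drop to under condition (i): a candidate
    control falls back to the categorization of the objective it supports,
    before the high water mark was applied; any other control stays at the
    system's overall level. Conditions (ii) (risk assessment support) and
    (iii) (no effect on security-relevant information) are organizational
    judgments and are deliberately not modeled here."""
    for objective, controls in DOWNGRADE_CANDIDATES.items():
        if control in controls:
            return sc[objective]
    return overall_impact_level(sc)


# Constructed sample: two of the information types named in the Implementation
# Tip, with impact values chosen for illustration (not NIST SP 800-60 values).
SAMPLE_INFO_TYPES = [
    InfoType("inspections and auditing", "moderate", "moderate", "low"),
    InfoType("official information dissemination", "low", "high", "low"),
]

if __name__ == "__main__":
    sc = system_categorization(SAMPLE_INFO_TYPES)
    print("SC information system =", sc)                       # C moderate, I high, A low
    print("overall impact level =", overall_impact_level(sc))  # high
    for ctl in ("AC-15", "CP-2", "SC-8", "AC-2"):
        print(ctl, "->", downgrade_target(ctl, sc))
```

With the constructed sample the system is high-impact only because of integrity, so confidentiality-only controls such as AC-15 may fall to the moderate baseline and availability-only controls such as CP-2 to the low baseline, while SC-8 and a non-candidate like AC-2 stay at high.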

Compensating Security Controls

With the diverse nature of today's information systems, organizations may find it necessary, on occasion, to specify and employ compensating security controls. A compensating security control is a management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provides equivalent or comparable protection for an information system.43 A compensating control for an information system may be employed by an organization only under the following conditions: (i) the organization selects the compensating control from NIST Special Publication 800-53, or if an appropriate compensating control is not available in the security control catalog, the organization adopts a suitable compensating control;44 (ii) the organization provides a complete and convincing rationale45 for how the compensating control provides an equivalent security capability or level of protection for the information system and why the related baseline security control could not be employed; and (iii) the organization assesses and formally accepts the risk associated with employing the compensating control in the information system. The use of compensating security controls should be documented in the security plan for the information system and approved by the authorizing official.

Organization-Defined Security Control Parameters

Security controls containing organization-defined parameters (i.e., assignment and/or selection operations) give organizations the flexibility to define selected portions of the controls to support specific organizational requirements or objectives (see AU-2 example in Section 2.1). After the application of the scoping guidance and the selection of compensating security controls, organizations should review the list of security controls for assignment and selection operations and determine appropriate organization-defined values for the identified parameters. Where specified, minimum and maximum values for organization-defined parameters should be adhered to unless more restrictive values are prescribed by applicable laws, Executive Orders, directives, policies, standards, or regulations or are indicated by the risk assessment in order to adequately mitigate risk. Organization-defined security control parameters should be documented in the security plan for the information system.

3.4 SUPPLEMENTING THE TAILORED BASELINE

The tailored security control baseline should be viewed as the foundation or starting point in the selection of adequate security controls for an information system. The tailored baseline represents, for a particular class of information system (derived from the FIPS 199 security categorization and modified appropriately for local conditions), the starting point for determining the needed level of security due diligence to be demonstrated by an organization toward the protection of its operations and assets. As described in Section 3.1, the final determination of the appropriate set of security controls necessary to provide adequate security for an information system is a function of the organization's assessment of risk and what is required to sufficiently mitigate the risks to organizational operations, organizational assets, or individuals.46

In many cases, additional security controls or control enhancements will be needed to address specific threats to and vulnerabilities in an information system or to satisfy the requirements of applicable laws, Executive Orders, directives, policies, standards, or regulations. The risk assessment at this stage in the security control selection process provides important inputs to determine the sufficiency of the security controls in the tailored baseline, that is, the security controls needed to adequately protect the organization's operations (including mission, function, image, and reputation), the organization's assets, and individuals. Organizations are encouraged to make maximum use of the security control catalog to facilitate the process of enhancing security controls or adding controls to the tailored baseline. To assist in this process, the security control catalog in Appendix F contains numerous controls and control enhancements that are found only in higher-impact baselines or are not included in any of the baselines.

There may be situations in which an organization discovers it is employing information technology beyond its ability to adequately protect critical and/or essential missions. That is, the organization cannot apply sufficient security controls within an information system to adequately reduce or mitigate mission risk. In those situations, an alternative strategy is needed to protect the mission from being impeded, a strategy that considers the mission risks that are being brought about by an aggressive use of information technology. Information system use restrictions provide an alternative method to reduce or mitigate risk, for example, when: (i) security controls cannot be implemented within technology and resource constraints; or (ii) security controls lack reasonable expectation of effectiveness against identified threat sources. Restrictions on the use of an information system are sometimes the only prudent or practical course of action to enable mission accomplishment in the face of determined adversaries.

The determination of required system use restrictions should be made by organizational officials having a vested interest in the accomplishment of organizational missions. These officials typically include, but are not limited to, the information system owner, mission owner, authorizing official, senior agency information security officer, and chief information officer. Examples of use restrictions include: (i) limiting either the information an information system can process, store, or transmit or the manner in which a mission is automated; (ii) prohibiting external information system access to critical organizational information by removing selected system components from the network (i.e., air gapping); and (iii) prohibiting moderate- or high-impact information on an information system component to which the public has access, unless an explicit determination is made authorizing such access.

It is important for organizations to document the decisions taken during the security control selection process, providing a sound rationale for those decisions whenever possible. This documentation is essential when examining the overall security considerations for information systems with respect to potential mission and/or business case impact. The resulting set of agreed-upon security controls along with the supporting rationale for control selection decisions and any information system use restrictions are documented in the security plan for the information system.

Figure 2 summarizes the security control selection process, including the tailoring of the initial security control baseline and any additional modifications to the baseline required based on the organization's assessment of risk.

FIGURE 2: SECURITY CONTROL SELECTION PROCESS

3.5 UPDATING SECURITY CONTROLS

As part of a comprehensive continuous monitoring program, organizations should initiate specific actions to determine if there is a need to update the current, agreed-upon set of security controls documented in the security plan and implemented within the information system. Specifically, the organization should revisit, on a regular basis, the risk management activities described in the Risk Management Framework in Section 3.1. Additionally, there are events which can trigger the immediate need to assess the security state of the information system and if required, update the current security controls. These events include, for example:

  • An incident results in a breach to the information system, producing a loss of confidence in the confidentiality, integrity, or availability of information processed, stored, or transmitted by the system;
  • A newly identified, credible threat exists to the organization's operations or assets, or to individuals (due to the use of the information system supporting those operations, assets, or individuals) based on law enforcement information, intelligence information, or other credible sources of information; or
  • Significant changes to the configuration of the information system through the removal or addition of new or upgraded hardware, software, or firmware or changes in the operational environment potentially degrade the security state of the system.

When events such as those described above occur, organizations should at a minimum:47

  • Reconfirm the criticality/sensitivity of the information system and the information processed, stored, and/or transmitted by that system.
The organization should reexamine the FIPS 199 impact level of the information system to confirm the criticality/sensitivity of the system in supporting its mission operations or business case. The resulting impact on organizational operations, organizational assets, or individuals may provide new insights as to the overall importance of the system in allowing the organization to fulfill its mission responsibilities.
  • Assess the current security state of the information system and reassess the current risk to organizational operations, organizational assets, and individuals.
The organization should investigate the information system vulnerability (or vulnerabilities) exploited by the threat source (or that are potentially exploitable by a threat source) and the security controls currently implemented within the system as described in the security plan. The exploitation of an information system vulnerability (or vulnerabilities) by a threat source may be traced to one or more factors including but not limited to: (i) the failure of currently implemented security controls; (ii) missing security controls; (iii) insufficient strength of security controls; and/or (iv) an increase in the sophistication or capability of the threat source. Using the results from the assessment of the current security state, the organization should reassess the risks to organizational operations, organizational assets, or individuals arising from use of the information system.
  • Plan for and initiate any necessary corrective actions.
Based on the results of an updated risk assessment, the organization should determine what additional security controls and/or control enhancements may be necessary to address the vulnerability (or vulnerabilities) related to the event or what corrective actions may be needed to fix currently implemented controls deemed to be less than effective.
The security plan for the information system should then be updated to reflect these corrective actions. A Plan of Action and Milestones (POA&M) should be developed for any deficiencies noted that are not immediately corrected and for the implementation of any security control upgrades or additional controls. After the security controls or control upgrades have been implemented and any other noted deficiencies corrected, the controls should be assessed for effectiveness. The assessment determines if the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the organization's security policy.
  • Consider reaccrediting the information system.
Depending on the severity of the event, the impact on organizational operations, organizational assets, or individuals, and the extent of the corrective actions required to fix the identified deficiencies in the information system, the organization may need to consider reaccrediting the information system in accordance with the provisions of NIST Special Publication 800-37. The authorizing official makes the final determination on the need to reaccredit the information system in consultation with the system and mission owners, the senior agency information security officer, and the chief information officer. The authorizing official may choose to conduct an abbreviated reaccreditation focusing only on the affected components of the information system and the associated security controls and/or control enhancements which have been changed during the update. Authorizing officials should have sufficient information from the security certification process to initiate, with an appropriate degree of confidence, the necessary corrective actions to adequately protect individuals and the organization's operations and assets.