NIST SP 800-53r3 Chapter 1

From FISMApedia

CHAPTER ONE

INTRODUCTION

THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION AND INFORMATION SYSTEMS


The selection and implementation of appropriate security controls for an information system [1] or a system-of-systems [2] are important tasks that can have major implications on the operations [3] and assets of an organization [4] as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

  • What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
  • Have the selected security controls been implemented or is there a realistic plan for their implementation?
  • What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective [5] in their application?

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks [6] arising from its information and information systems. The security controls defined in this publication and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.

It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation. [7] These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and to accomplish the organization's stated missions and business functions with what the OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.


1.1 PURPOSE AND APPLICABILITY

The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components [8] of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal government by:

  • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;
  • Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
  • Providing a stable, yet flexible catalog of security controls for information systems and organizations to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies;
  • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and
  • Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts.

The guidelines in this special publication are applicable to all federal information systems [9] other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. [10] State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.


1.2 TARGET AUDIENCE

This publication is intended to serve a diverse audience of information system and information security professionals including:

  • Individuals with information system or security management and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers [11], information system managers, information security managers);
  • Individuals with information system development responsibilities (e.g., program and project managers, information technology product developers, information system designers and developers, systems integrators);
  • Individuals with information security implementation and operational responsibilities (e.g., mission/business owners, information system owners, common control providers, information owners/stewards, information system security engineers, information system administrators, information system security officers); and
  • Individuals with information system and information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, system evaluators, assessors/assessment teams, independent verification and validation assessors, information system owners).

Commercial companies producing information technology products and systems, creating information security-related technologies, and providing information security services can also benefit from the information in this publication.


1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS

To create a technically sound and broadly applicable set of security controls for information systems and organizations, a variety of sources were considered during the development of this special publication. The sources included security controls from the defense, audit, financial, healthcare, and intelligence communities as well as controls defined by national and international standards organizations. The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements [12] levied on information systems and organizations and that is consistent with and complementary to other established information security standards.

The catalog of security controls provided in Special Publication 800-53 can be effectively used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. It is the responsibility of organizations to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying their stated security requirements. The security controls in the catalog facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent and repeatable manner, thus contributing to the organization's confidence that there is ongoing compliance with its stated security requirements. [13]


1.4 ORGANIZATIONAL RESPONSIBILITIES

Organizations [14] use FIPS 199 to categorize their information and information systems. Security categorization is accomplished as an organization-wide activity [15] with the involvement of senior-level organizational officials including, for example, authorizing officials, chief information officers, senior information security officers, information owners/stewards, information system owners, and risk executive (function). As required by FIPS 200, organizations use the security categorization results to designate information systems as low-impact, moderate-impact, or high-impact systems. For each information system, the recommendation for minimum security controls from Special Publication 800-53 (i.e., the baseline security controls defined in Appendix D, adjusted in accordance with the tailoring guidance in Section 3.3) is intended to be used as a starting point for and as input to the organization's security control supplementation process. [16]

While the FIPS 199 security categorization associates the operation of the information system with the potential adverse impact on organizational operations and assets, individuals, other organizations, and the Nation, [17] the incorporation of refined threat and vulnerability information during the risk assessment facilitates the selection of additional security controls supplementing the tailored baseline to address specific organizational needs and tolerance for risk. The final, agreed-upon [18] set of security controls is documented with appropriate rationale in the security plan for the information system. The use of security controls from Special Publication 800-53 and the incorporation of tailored baseline controls as a starting point in the control selection process facilitate a more consistent level of security across federal information systems and organizations. It also offers the needed flexibility to appropriately modify the controls based on specific organizational policies and requirements, particular conditions and circumstances, known threat and vulnerability information, and tolerance for risk.
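The categorize, designate, select, tailor and supplement sequence described above, as an added worked example in Python that is not part of SP 800-53 or this page. It assumes the FIPS 199 rule that a system's impact for each objective is the highest among the information types it handles (with "not applicable" allowed only for the confidentiality of public information), the FIPS 200 high-water mark for the system impact level, and a constructed subset of control identifiers standing in for the Appendix D baselines.

```python
# Impact values in FIPS 199 order. "not applicable" is permitted only for the
# confidentiality of information that is already public (FIPS 199).
IMPACT_RANK = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def security_category(info_types):
    """FIPS 199: per objective, the highest impact among the system's information types."""
    sc = {}
    for obj in OBJECTIVES:
        values = [t[obj] for t in info_types]
        for v in values:
            if v not in IMPACT_RANK:
                raise ValueError(f"unknown impact value {v!r}")
            if v == "not applicable" and obj != "confidentiality":
                raise ValueError(f"'not applicable' is not allowed for {obj}")
        sc[obj] = max(values, key=IMPACT_RANK.__getitem__)
    return sc

def impact_level(sc):
    """FIPS 200 high-water mark: the system is low-, moderate- or high-impact by its highest objective."""
    return max(sc.values(), key=IMPACT_RANK.__getitem__)

# Constructed, illustrative subset of control identifiers per baseline; the
# real baselines are the Appendix D tables and are not reproduced here.
SAMPLE_BASELINES = {
    "low": {"AC-2", "AU-2", "IA-2"},
    "moderate": {"AC-2", "AU-2", "IA-2", "AC-17", "SI-4"},
    "high": {"AC-2", "AU-2", "IA-2", "AC-17", "SI-4", "AU-10"},
}

def build_security_plan(info_types, tailored_out=(), supplements=(),
                        baselines=SAMPLE_BASELINES):
    """Start from the baseline for the impact level, then apply tailoring removals
    and risk-driven supplements; every deviation must carry a documented rationale."""
    sc = security_category(info_types)
    level = impact_level(sc)
    controls = set(baselines[level])
    decisions = []
    for action, items in (("tailored out", tailored_out), ("supplemented", supplements)):
        for control, rationale in items:
            if not rationale.strip():
                raise ValueError(f"{control}: {action} without documented rationale")
            (controls.discard if action == "tailored out" else controls.add)(control)
            decisions.append((action, control, rationale))
    return {"security_category": sc, "impact_level": level,
            "controls": sorted(controls), "decisions": decisions}

# Constructed sample: public web content plus a second information type with a high availability need.
SAMPLE_INFO_TYPES = [
    {"confidentiality": "not applicable", "integrity": "moderate", "availability": "moderate"},
    {"confidentiality": "moderate", "integrity": "moderate", "availability": "high"},
]
```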

Building more secure information systems is a multifaceted undertaking that requires:

From a systems engineering viewpoint, security is just one of many required operational capabilities for an information system supporting organizational mission/business processes—capabilities that must be funded by the organization throughout the life cycle of the system in order to achieve mission/business success. It is important that the organization realistically assesses the risk to organizational operations and assets, individuals, other organizations, and the Nation that arises by placing the information system into operation or continuing its operation.

In addition, information security requirements for organizational information systems must be satisfied with full consideration of the risk management strategy [20] of the organization, in light of the potential cost, schedule, and performance issues associated with the acquisition, deployment, and operation of the information system.


1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION

The remainder of this special publication is organized as follows:

  • Chapter Two describes the fundamental concepts associated with security control selection and specification including: (i) the structural components of security controls and how the controls are organized into families; (ii) security control baselines; (iii) the use of common security controls in support of organization-wide information security programs; (iv) security controls in external environments; (v) assurance in the effectiveness of security controls; and (vi) the commitment to maintain currency of the individual security controls and the control baselines.
  • Chapter Three describes the process of selecting and specifying security controls for an information system including: (i) applying the organization's overall approach to managing risk; (ii) categorizing the information system and determining the system impact level in accordance with FIPS 199 and FIPS 200, respectively; (iii) selecting the initial set of baseline security controls, tailoring the baseline controls, and supplementing the tailored baseline, as necessary, in accordance with an organizational assessment of risk; and (iv) assessing the security controls as part of a comprehensive continuous monitoring process.
  • Supporting appendices provide essential security control selection and specification-related information including: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) baseline security controls for low-impact, moderate-impact, and high-impact information systems; (v) minimum assurance requirements; (vi) a master catalog of security controls; (vii) information security program management controls; (viii) international information security standards; and (ix) the application of security controls to industrial control systems.


Footnotes

  1. An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process controls systems, telephone switching/private branch exchange (PBX) systems, and environmental control systems.
  2. In certain situations within an organization, an information system can be viewed from both a logical and physical perspective as a complex system-of-systems (e.g., Federal Aviation Administration National Air Space System) when there are multiple information systems involved with a high degree of connectivity and interaction among the systems.
  3. Organizational operations include mission, functions, image, and reputation.
  4. The term organization describes an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
  5. Security control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment.
  6. Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations and assets, individuals, other organizations, and the Nation.
  7. Includes risk to U.S. critical infrastructure/key resources as described in Homeland Security Presidential Directive 7.
  8. Information system components include, for example, mainframes, workstations, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
  9. A federal information system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
  10. CNSS Instruction 1253 provides implementing guidance for NIST Special Publication 800-53 for national security systems.
  11. At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may also refer to this position as the Senior Information Security Officer or the Chief Information Security Officer.
  12. Security requirements are those requirements levied on an information system that are derived from laws, Executive Orders, directives, policies, instructions, regulations, standards, guidelines, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
  13. NIST Special Publication 800-53A provides guidance on assessing the effectiveness of security controls defined in this publication.
  14. An organization typically exercises managerial, operational, and/or financial control over its information systems and the security provided to those systems, including the authority and capability to implement or require the security controls deemed necessary by the organization to protect organizational operations and assets, individuals, other organizations, and the Nation.
  15. See FIPS Publication 200, footnote 7.
  16. Risk assessments can be accomplished in a variety of ways depending on the specific needs of an organization. NIST Special Publication 800-30 provides guidance on the assessment of risk as part of an overall risk management process.
  17. Considerations for potential national-level impacts and impacts to other organizations in categorizing organizational information systems derive from the USA PATRIOT Act and Homeland Security Presidential Directives.
  18. The authorizing official or designated representative, by accepting the security plan, agrees to the set of security controls proposed to meet the security requirements for the information system.
  19. NIST Special Publication 800-64 provides guidance on security considerations in life cycle management.
  20. NIST Special Publication 800-39 provides guidance on organization-wide risk management.