New OPSEC Controls in 800-53 rev4

NIST SP 800-53 includes the catalog of security controls that form the core of the “security bible” that is required guidance for federal agencies. NIST periodically reviews the list of controls and updates them. They are currently in the process of taking public comments on the latest revision (rev4) before they go “final”.

Included in the new revision is some welcome material on Operations Security (OPSEC), which deals with maintaining an awareness of what an opponent can learn about your operations.

Here are controls that deal with OPSEC:

PM-14 OPERATIONS SECURITY PROGRAM
Control: The organization establishes and implements an Operations Security (OPSEC) program.

Supplemental Guidance: Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified information related to the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.

SC-40 OPERATIONS SECURITY
Control: The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.

Supplemental Guidance: Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps:
(i) identification of critical information (e.g., the security categorization process);
(ii) analysis of threats;
(iii) analysis of vulnerabilities;
(iv) assessment of risks; and
(v) the application of appropriate countermeasures.

OPSEC safeguards are applied to both organizational information systems and the environments in which those systems operate. OPSEC safeguards help protect the confidentiality of key information including, for example, limiting the sharing of information with suppliers and potential suppliers of information system components, information technology products and services, and with other non-organizational elements and individuals. Information critical to mission/business success includes, for example, user identities, element uses, suppliers, supply chain processes, functional and security requirements, system design specifications, testing protocols, and security control implementation details.

Related control: PM-14.

AC-22 PUBLICLY ACCESSIBLE CONTENT
Control: The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.

Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.

Other controls related to OPSEC:

    PROGRAM MANAGEMENT

  • PM-8 CRITICAL INFRASTRUCTURE PLAN
  • PM-12 INSIDER THREAT PROGRAM
  • PM-14 OPERATIONS SECURITY PROGRAM

    CRITICAL INFORMATION

  • AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING
  • CA-2 (2) SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS
  • CA-3 INFORMATION SYSTEM CONNECTIONS
  • CA-5 PLAN OF ACTION AND MILESTONES
  • CM-2 BASELINE CONFIGURATION
  • CM-3 CONFIGURATION CHANGE CONTROL
  • CM-4 SECURITY IMPACT ANALYSIS
  • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
  • CP-2 CONTINGENCY PLAN
  • CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS
  • CP-9 INFORMATION SYSTEM BACKUP
  • CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
  • PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
  • PL-2 SYSTEM SECURITY PLAN
  • RA-3 RISK ASSESSMENT
  • RA-5 VULNERABILITY SCANNING
  • SA-5 INFORMATION SYSTEM DOCUMENTATION
  • SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS
  • SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
  • SA-15 (3) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CRITICALITY ANALYSIS
  • SA-15 (4) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | THREAT MODELING / VULNERABILITY ANALYSIS
  • SA-15 (5) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ATTACK SURFACE REDUCTION
  • SI-2 FLAW REMEDIATION

    INDICATORS

  • AC-22 PUBLICLY ACCESSIBLE CONTENT
  • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
  • AU-6 (9) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INPUT FROM NON-TECHNICAL SOURCES
  • AU-13 MONITORING FOR INFORMATION DISCLOSURE
  • CA-7 CONTINUOUS MONITORING
  • PE-19 INFORMATION LEAKAGE
  • SI-4 INFORMATION SYSTEM MONITORING
  • SI-4 (8) INFORMATION SYSTEM MONITORING | PROTECTION OF MONITORING INFORMATION
  • SI-4 (13) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / EVENT PATTERNS
  • SI-4 (17) INFORMATION SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS
  • SI-4 (18) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / COVERT EXFILTRATION
  • SI-4 (19) INFORMATION SYSTEM MONITORING | INDIVIDUALS POSING GREATER RISK
  • SI-4 (20) INFORMATION SYSTEM MONITORING | PRIVILEGED USER

    COUNTERMEASURES

  • AC-3 ACCESS ENFORCEMENT
  • AC-4 INFORMATION FLOW ENFORCEMENT
  • AT-2 SECURITY AWARENESS
  • AT-2 (2) SECURITY AWARENESS | INSIDER THREAT
  • AT-3 SECURITY TRAINING
  • CM-5 ACCESS RESTRICTIONS FOR CHANGE
  • CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING
  • CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE | TWO-PERSON RULE
  • CP-12 ALTERNATE COMMUNICATIONS PROTOCOLS
  • CP-13 SAFE MODE
  • IR-4 INCIDENT HANDLING
  • IR-4 (6) INCIDENT HANDLING | INSIDER THREATS – SPECIFIC CAPABILITIES
  • IR-4 (7) INCIDENT HANDLING | INSIDER THREATS – INTRA-ORGANIZATION COORDINATION
  • IR-9 INFORMATION SPILLAGE RESPONSE
  • MA-6 TIMELY MAINTENANCE
  • PE-3 PHYSICAL ACCESS CONTROL
  • SA-12 SUPPLY CHAIN PROTECTION
  • SA-12 (1) SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES / TOOLS / METHODS
  • SA-12 (9) SUPPLY CHAIN PROTECTION | OPERATIONS SECURITY
  • SA-12 (14) SUPPLY CHAIN PROTECTION | CRITICAL INFORMATION SYSTEM COMPONENTS
  • SA-18 TAMPER RESISTANCE AND DETECTION
  • SA-19 ANTI-COUNTERFEIT
  • SC-4 INFORMATION IN SHARED RESOURCES
  • SC-5 DENIAL OF SERVICE PROTECTION
  • SC-5 (1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS
  • SC-7 BOUNDARY PROTECTION
  • SC-7 (9) BOUNDARY PROTECTION | RESTRICT OUTGOING COMMUNICATIONS TRAFFIC
  • SC-7 (10) BOUNDARY PROTECTION | UNAUTHORIZED EXFILTRATION
  • SC-7 (16) BOUNDARY PROTECTION | PREVENT DISCOVERY OF COMPONENTS / DEVICES
  • SC-8 TRANSMISSION INTEGRITY
  • SC-9 TRANSMISSION CONFIDENTIALITY
  • SC-11 TRUSTED PATH
  • SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
  • SC-13 CRYPTOGRAPHIC PROTECTION
  • SC-14 PUBLIC ACCESS PROTECTIONS
  • SC-26 HONEYPOTS
  • SC-28 PROTECTION OF INFORMATION AT REST
  • SC-29 HETEROGENEITY
  • SC-30 CONCEALMENT AND MISDIRECTION
  • SC-30 (2) CONCEALMENT AND MISDIRECTION | RANDOMNESS
  • SC-30 (3) CONCEALMENT AND MISDIRECTION | CHANGE PROCESSING / STORAGE LOCATIONS
  • SC-30 (4) CONCEALMENT AND MISDIRECTION | MISLEADING INFORMATION
  • SC-30 (5) CONCEALMENT AND MISDIRECTION | CONCEALMENT OF SYSTEM COMPONENTS
  • SC-31 COVERT CHANNEL ANALYSIS
  • SC-32 INFORMATION SYSTEM PARTITIONING
  • SC-35 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
  • SC-36 HONEYCLIENTS
  • SC-38 MALWARE ANALYSIS
  • SC-39 OUT-OF-BAND CHANNELS
  • SC-39 (1) OUT-OF-BAND CHANNELS | ENSURE DELIVERY / TRANSMISSION
  • SC-41 PROCESS ISOLATION
  • SC-42 WIRELESS LINK PROTECTION
  • SI-6 SECURITY FUNCTIONALITY VERIFICATION

NOTE – the representation of these controls is taken from the current DRAFT document which is not yet the final version. There may be changes made or even deletions before the final version is released.