Overlays of Tailored Security Controls

Tailoring security controls means adapting a generic baseline set of controls (in NIST SP 800-53, the low, moderate and high baselines chosen by system impact level) so that it fits a specific operating environment. The tailoring activities are:

  • Defining “Common Controls” that are centrally managed and can be inherited by several information systems
  • Applying “Scoping Considerations”
  • Using “Compensating Controls”
  • Defining “Organizational Parameters”
  • Adding “Supplementary Controls”
  • Using “Overlays”

Once a set of tailoring changes has been made for a specific use or group of systems, those changes can be packaged for re-use as an “overlay”. An overlay is the collection of changes applied during the tailoring steps, recorded so that it can be applied to another system or to many systems. The more systems that can share an individual overlay, the greater the efficiency gain, and the more consistent the resulting control sets will be.

The use of Overlays involves the following steps:

  • Identification – the Overlay should be identified by a unique name with version number and date, the version of NIST SP 800-53 it was written against, references to any other documentation used or required, author/group contact information, any time limits, and any update requirements.
  • Characteristics – the Overlay should describe which information systems it is designed for and the nature of the information that will be processed under it. It should also describe the function of the system and any specific characteristics that help protect it.
  • Applicability – document the reasoning used to decide whether or not the Overlay applies to a given system or environment.
  • Summary – summarize the controls and enhancements included in the Overlay, any special reasoning used to select or deselect them, any new guidance added, parameters defined, and references to laws, regulations, and standards.
  • Specifications – details of the control selection process summarized above, modifications that were made, unique parameter values that were defined, specific requirements that go beyond the baseline, and any added or extended guidance.
  • Considerations – document the considerations used in the tailoring process.
  • Definitions – any unique or relevant terms and definitions.
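To make the steps above concrete, here is an added example (not code from the original article) of an overlay expressed as data and applied to a baseline. The `Baseline`, `Overlay` and `TailoredSet` classes, their field names, and the control identifiers, parameter values and rationale strings in the sample data are all constructed for illustration; they are not an assertion about which controls belong in any real NIST SP 800-53 baseline. The point is the bookkeeping a practitioner wants from an overlay: the identification fields travel with the changes, every removal must carry a scoping or compensating-control rationale, parameters and guidance cannot refer to a control that has been tailored out, and an overlay written against a different revision of 800-53 is rejected rather than silently merged.

```python
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """A generic control baseline, e.g. the SP 800-53 moderate baseline (fields are illustrative)."""
    sp80053_revision: str
    controls: set
    parameters: dict = field(default_factory=dict)   # control -> {parameter: value}


@dataclass
class Overlay:
    """The reusable record of one round of tailoring changes (field names are this example's own)."""
    # Identification / Characteristics steps
    name: str
    version: str
    date: str
    sp80053_revision: str
    applies_to: str
    # Specifications step
    add: set = field(default_factory=set)            # supplementary controls and enhancements
    remove: dict = field(default_factory=dict)       # control -> scoping or compensating-control rationale
    parameters: dict = field(default_factory=dict)   # control -> {parameter: organization-defined value}
    guidance: dict = field(default_factory=dict)     # control -> added or extended guidance


@dataclass
class TailoredSet:
    controls: set
    parameters: dict
    guidance: dict
    rationale: dict      # removed control -> why, so the tailoring decision stays auditable
    applied: list        # overlay identifiers in the order applied, for the system's record


def apply_overlays(baseline, overlays):
    """Apply overlays in order to a copy of the baseline; the baseline itself is never mutated."""
    out = TailoredSet(set(baseline.controls),
                      {c: dict(p) for c, p in baseline.parameters.items()}, {}, {}, [])
    for ov in overlays:
        if ov.sp80053_revision != baseline.sp80053_revision:
            raise ValueError(f"{ov.name}: written against SP 800-53 {ov.sp80053_revision}, "
                             f"baseline is {baseline.sp80053_revision}")
        for ctl, why in ov.remove.items():
            if not why:
                raise ValueError(f"{ov.name}: removing {ctl} requires a scoping or "
                                 "compensating-control rationale")
            out.controls.discard(ctl)
            out.parameters.pop(ctl, None)
            out.guidance.pop(ctl, None)
            out.rationale[ctl] = f"{ov.name} {ov.version}: {why}"
        out.controls |= set(ov.add)
        for ctl, params in ov.parameters.items():
            if ctl not in out.controls:
                raise ValueError(f"{ov.name}: parameter given for {ctl}, which is not in the tailored set")
            out.parameters.setdefault(ctl, {}).update(params)
        for ctl, text in ov.guidance.items():
            if ctl not in out.controls:
                raise ValueError(f"{ov.name}: guidance given for {ctl}, which is not in the tailored set")
            out.guidance[ctl] = text
        out.applied.append(f"{ov.name} {ov.version} ({ov.date})")
    return out


# Constructed sample data: a small slice of a baseline and two overlays (illustrative, not authoritative).
BASELINE = Baseline("Rev. 4", {"AC-2", "AC-17", "AC-19", "IA-2", "SC-8"},
                    {"AC-2": {"inactive_account_days": "90"}})

REMOTE_ACCESS = Overlay(
    name="Remote Access", version="1.0", date="2015-01-01", sp80053_revision="Rev. 4",
    applies_to="Systems reachable by teleworkers over untrusted networks",
    add={"AC-17(2)", "IA-2(11)"},
    parameters={"AC-2": {"inactive_account_days": "30"}},
    guidance={"AC-17": "Remote sessions terminate on the VPN concentrator; split tunnelling is disabled."})

AIR_GAP = Overlay(
    name="Air-Gapped Network", version="1.0", date="2015-01-01", sp80053_revision="Rev. 4",
    applies_to="Enclaves with no network path to any other system",
    remove={"AC-17": "Scoping: no remote access path exists.",
            "SC-8": "Compensating: traffic never leaves the enclosure; PE-4 protects the transmission medium."})

BAD_REMOVAL = Overlay(name="Undocumented", version="0.1", date="2015-01-01",
                      sp80053_revision="Rev. 4", applies_to="n/a", remove={"IA-2": ""})

WRONG_REVISION = Overlay(name="Stale", version="0.1", date="2015-01-01",
                         sp80053_revision="Rev. 3", applies_to="n/a")


if __name__ == "__main__":
    tailored = apply_overlays(BASELINE, [REMOTE_ACCESS])
    print(sorted(tailored.controls), tailored.parameters, tailored.applied)
    print(apply_overlays(BASELINE, [AIR_GAP]).rationale)
```

Applying `[REMOTE_ACCESS]` yields the baseline plus `AC-17(2)` and `IA-2(11)` with the AC-2 parameter tightened to 30 days, while the baseline object keeps its 90-day value for re-use with other overlays; applying `[AIR_GAP]` drops `AC-17` and `SC-8` and records why; `BAD_REMOVAL` and `WRONG_REVISION` are refused with a `ValueError`, which is the behaviour you want from a tool that feeds a system security plan.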

Categories of application areas that are likely to find Overlays useful include:

  • Technology related
    • Cloud based services
    • Mobile devices
    • Medical devices
    • Public Key Infrastructure (PKI)
  • Operating environment
    • Privacy requirements
    • Assurance requirements
    • Remote access
    • Advanced Persistent Threat (APT)
    • Air-gapped networks
  • Communities
    • Industrial Control Systems
    • Health care and HIPAA
    • Financial
