Supplementing Controls

After the baseline of security controls have gone through the tailoring process of: scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simple add restrictions to already existing controls. There is a defined process for accomplishing these goals when it has been determined that the existing controls do not provide an adequate protection against risk.

First, use existing baseline controls and their built-in enhancements that are not being used. Then add restrictions to existing controls in order to limit some factor of scope so the risk can be contained. Finally, it is possible to craft customized controls as needed. It is important to thoroughly document this process of adding any supplementing controls.

Key NIST docs:
800-53
800-39
800-100

Comments are closed.