Tailoring Controls

NIST SP 800-53 sets the terms and conditions for tailoring the security control baseline to organizational and operational needs. Three specific areas are addressed:

  • Scoping Guidance
  • Compensating Controls
  • Organizationally Defined Parameters

Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed:

  • Common Controls
  • Common controls protect more than one information system across the infrastructure and are often part of the general infrastructure itself. EVERY control in the baseline must be designated as either a common control or a system-specific control (a control may also be split, with part of it common and part of it system-specific)

  • Security Objectives
  • Controls that uniquely support a single security objective (CIA: Confidentiality, Integrity, or Availability) may be downgraded or modified when the system's impact level for that objective is lower than its overall categorization

  • System Component Allocation (NEW in rev3)
  • Some controls may apply only to certain system components

  • Technologies
  • Some controls may apply only to certain technologies

  • Physical Infrastructure
  • Controls that deal with facility infrastructure may apply only to the parts of the facility that are directly related to the information system and its assets

  • Policy and Regulation
  • Controls that exist to satisfy specific policies or regulations apply only if the types of information and systems in question are covered by those policies or regulations

  • Operational and Environmental
  • Controls that depend upon the nature of the operational environment only apply if the system is operating in such an environment

  • Scalability
  • Controls are scalable with regard to extent and rigor

  • Public Access
  • Some controls may not apply to public access systems

Compensating Controls – organizations may find it necessary to use these in place of baseline security controls. The following conditions apply:

  • The compensating control should be selected from NIST SP 800-53; if no suitable control exists there, the organization adopts one from another source and documents where it came from
  • A detailed explanation of why the compensating control is needed, and how it provides protection equivalent to the control it replaces, must be documented
  • The organization must fully assess the risk of using the compensating control and formally accept that risk

Organizationally Defined Parameters – these parameters offer the flexibility to define parts of specific controls (time periods, thresholds, lists of approved items, and so on) in order to meet organizational or operational needs. The suggested maximum and minimum values should be adhered to unless the organization chooses more restrictive values; a value that is less restrictive than the suggested range is not an acceptable tailoring.
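To make the three tailoring mechanisms concrete, here is an added Python example (not from this page or from NIST) that applies scoping decisions, compensating-control records and organization-defined parameter values to a small constructed baseline and reports every place where the documentation conditions above are not met. The control catalogue set, the ODP ranges and the sample tailoring decisions are all illustrative assumptions, not values from the standard.

```python
"""Apply tailoring decisions (scoping, compensating controls, ODPs) to a
control baseline and report documentation gaps.  Added example; all
catalogue contents, ranges and sample decisions below are constructed."""
from dataclasses import dataclass, field

# Constructed stand-in for the SP 800-53 catalogue: any ID in this set is
# treated as "a control from NIST SP 800-53" (assumption for illustration).
CATALOG = {"AC-7", "AC-11", "AC-17", "IA-5", "SC-7", "SC-8", "PE-3"}

# Constructed ODP ranges.  "restrictive" says in which direction a value
# becomes MORE restrictive; values past that end are still acceptable.
ODP_RANGES = {
    ("AC-7", "max_failed_logons"): {"min": 1, "max": 10, "restrictive": "lower"},
    ("AC-11", "lock_after_minutes"): {"min": 1, "max": 30, "restrictive": "lower"},
}


@dataclass
class Compensating:
    replaces: str           # baseline control being replaced
    control: str            # compensating control used instead
    rationale: str = ""     # why, and how it gives equivalent protection
    risk_accepted: bool = False


@dataclass
class Tailoring:
    scoped_out: dict = field(default_factory=dict)   # control -> scoping rationale
    compensating: list = field(default_factory=list)
    odp_values: dict = field(default_factory=dict)   # (control, param) -> value


def check_compensating(c):
    """Return the list of unmet conditions for one compensating-control record."""
    problems = []
    if c.control not in CATALOG:
        problems.append(f"{c.control}: not an SP 800-53 control; document the alternate source")
    if not c.rationale.strip():
        problems.append(f"{c.control}: missing rationale for replacing {c.replaces}")
    if not c.risk_accepted:
        problems.append(f"{c.control}: residual risk not assessed and accepted")
    return problems


def check_odp(control, param, value):
    """Return None if the value is within, or more restrictive than, the range."""
    rng = ODP_RANGES.get((control, param))
    if rng is None:
        return f"{control}/{param}: no defined range, cannot validate"
    lo, hi = rng["min"], rng["max"]
    if lo <= value <= hi:
        return None
    if rng["restrictive"] == "lower" and value < lo:
        return None
    if rng["restrictive"] == "higher" and value > hi:
        return None
    return f"{control}/{param}={value} is less restrictive than the allowed range [{lo}, {hi}]"


def tailor(baseline, t):
    """Apply tailoring decisions; return (tailored control set, findings)."""
    findings = []
    tailored = set(baseline)
    for ctl, why in t.scoped_out.items():
        if ctl not in tailored:
            findings.append(f"{ctl}: scoped out but not in the baseline")
        elif not why.strip():
            findings.append(f"{ctl}: scoped out without a documented scoping rationale")
        else:
            tailored.discard(ctl)
    for c in t.compensating:
        probs = check_compensating(c)
        findings.extend(probs)
        if c.replaces not in baseline:
            findings.append(f"{c.control}: replaces {c.replaces}, which is not in the baseline")
        elif not probs:
            tailored.discard(c.replaces)
            tailored.add(c.control)
    for (ctl, param), value in t.odp_values.items():
        if ctl not in tailored:
            findings.append(f"{ctl}/{param}: parameter set for a control not in the tailored baseline")
            continue
        msg = check_odp(ctl, param, value)
        if msg:
            findings.append(msg)
    return tailored, findings


def demo():
    """Constructed tailoring decisions, several of them deliberately incomplete."""
    baseline = set(CATALOG)
    t = Tailoring(
        scoped_out={"AC-17": "system has no remote access capability", "PE-3": ""},
        compensating=[
            Compensating("SC-8", "SC-7",
                         "traffic never leaves the enclave; boundary protection "
                         "covers transmission confidentiality", True),
            Compensating("IA-5", "XX-1"),           # undocumented, not in catalogue
        ],
        odp_values={("AC-7", "max_failed_logons"): 3,
                    ("AC-11", "lock_after_minutes"): 60},
    )
    return tailor(baseline, t)


if __name__ == "__main__":
    controls, findings = demo()
    print("tailored baseline:", sorted(controls))
    for f in findings:
        print("finding:", f)
```

Only decisions that satisfy the documented conditions change the baseline: AC-17 is removed because its scoping rationale is recorded, SC-8 is replaced by SC-7 because the compensating record is complete, while PE-3 and IA-5 stay in place and the incomplete records, together with the too-permissive AC-11 lockout value, come back as findings.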
