Description of 800-53 Controls

Each control in 800-53 has the following components:

  • Name
  • Number
  • Description
  • Guidance
  • Supplemental

This is an example of an actual control:

Control Number: SI-2

Control Name: FLAW REMEDIATION

Control Description: The organization identifies, reports, and corrects information system flaws.

Guidance: The organization identifies information systems containing proprietary or open source software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). Proprietary software can be found in either commercial/government off-the-shelf information technology component products or in custom-developed applications. The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security-relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s information systems before installation. Flaws discovered during security assessments, continuous monitoring (see security controls CA-2, CA-4, or CA-7), or incident response activities (see security control IR-4) should also be addressed expeditiously. NIST Special Publication 800-40 provides guidance on security patch installation.

EVERY CONTROL HAS THE COMPONENTS SHOWN ABOVE

SOME CONTROLS ALSO HAVE ENHANCEMENTS – SHOWN BELOW

Control Enhancement 1: The organization centrally manages the flaw remediation process and installs updates automatically without individual user intervention.

Control Enhancement 2: The organization employs automated mechanisms to periodically and upon command determine the state of information system components with regard to flaw remediation.

Each control also shows which impact levels it is selected on and which impact levels any enhancements are selected on. The impact levels are LOW, MODERATE, and HIGH.
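As an added illustration (not code from the original page or from NIST), the following Python parser reads a control written in the flat "Field: value" layout shown above, enforces the structure the page describes (every control has a number, name, description and guidance; enhancements are numbered; impact levels are LOW, MODERATE and HIGH), and lists what a system at a given impact level must implement. The "Baselines:" line, its format and its values are assumptions for this example, not NIST's published allocation for SI-2.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the page's "Field:  value" layout (texts shortened). "Baselines:"
# is an assumed field name and its values are illustrative, not NIST's allocation for SI-2.
SAMPLE = """\
Control Number: SI-2
Control Name:  FLAW REMEDIATION
Control Description:   The organization identifies, reports and corrects information system flaws.
Guidance:  The organization identifies information systems affected by recently announced software flaws.
Control Enhancement 1:  The organization centrally manages the flaw remediation process.
Control Enhancement 2:  The organization employs automated mechanisms to determine flaw remediation state.
Baselines: LOW; MODERATE (2); HIGH (1)(2)
"""
LEVELS, MANDATORY = ("LOW", "MODERATE", "HIGH"), {"Number", "Name", "Description", "Guidance"}
FIELD_RE = re.compile(r"^(Control Number|Control Name|Control Description|Guidance"
                      r"|Control Enhancement (\d+)|Baselines):\s*(.*)$")

@dataclass
class Control:
    fields: dict = field(default_factory=dict)        # "Number", "Name", ... -> text
    enhancements: dict = field(default_factory=dict)  # enhancement id -> text
    baselines: dict = field(default_factory=dict)     # impact level -> selected enhancement ids

def parse_control(text: str) -> Control:
    # Parse one control in the flat layout and enforce the page's structural rules.
    c = Control()
    for m in filter(None, (FIELD_RE.match(l.strip()) for l in text.splitlines())):
        key, enh_id, value = m.group(1), m.group(2), m.group(3).strip()
        if enh_id:
            c.enhancements[int(enh_id)] = value
        elif key == "Baselines":
            for part in filter(None, (p.strip() for p in value.split(";"))):
                level, ids = part.split()[0], {int(n) for n in re.findall(r"\((\d+)\)", part)}
                if level not in LEVELS:
                    raise ValueError(f"unknown impact level {level!r}")
                c.baselines[level] = ids
        else:
            c.fields[key.replace("Control ", "")] = value
    if MANDATORY - set(c.fields):
        raise ValueError(f"missing component(s): {sorted(MANDATORY - set(c.fields))}")
    if set().union(*c.baselines.values()) - set(c.enhancements):
        raise ValueError("a baseline selects an enhancement the control does not define")
    return c

def applicable(c: Control, level: str) -> list:
    # Identifiers a system at this impact level must implement, e.g. ["SI-2", "SI-2(2)"].
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    num = c.fields["Number"]
    return [num] + [f"{num}({n})" for n in sorted(c.baselines[level])] if level in c.baselines else []
```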
