Archive for 800-53

You are browsing the archives of 800-53.

Using a Home Email Server for Federal Govt Business

The following article was published in March of 2015, but it’s worth a fresh look since we now know much more about Hillary Clintons home email server. Specifically, the requirement for assessment and authorization seems to have been ignored completely in the media stories. The State Department CIO had specific responsibility for this and the […]

APT versus OODA Security Controls

Advanced Persistent Threat (APT) is a kind of attack comes from a team with advanced skills, deep resources, and specific targets. They use advanced tools and techniques that are capable of circumventing defenses. They use stealth and demonstrate good situational awareness in evaluating the state of the defenders they face. They respond quickly and with […]

Overlays of Tailored Security Controls

Tailoring security controls involves adapting the generic baseline sets of security controls to better fit a specific operating environment. Here is a list of tailoring activities: Defining “Common Controls” that are centrally managed and can be used by several information systems. Applying “Scoping Considerations” Using “Compensating Controls” Defining “Organizational Parameters” Adding “Supplementary Controls” Using “Overlays” […]

FISMA Law vs Home Email Server

Working for a federal agency that has IT functions regulated by public law and running an email server from home to use for agency business seems problematic, but it may be possible. Here are some of the laws and regulations that come into play: FISMA – PUBLIC LAW 107–347, DEC. 17 2002 is known as […]

Tailoring Security Controls

The NIST Risk Management Framework (RMF) is a six step process as follows: Categorize both the information and the system based on impact. Select a baseline set of security controls. Implement the controls. Assess the effectiveness of the security controls. Authorize the system to operate. Monitor the ongoing state of protection the security controls are […]

New Insider Threat Controls in 800-53 rev4

The NIST revision to 800-53 controls that is known as rev4 added new controls related to insider threats. PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to have cross-discipline representation that allows them […]

Assurance is the Reason to Trust

We want to trust that the measures we take to protect our information systems are working. But we need concrete reasons to hold that trust. We need proof that our defensive controls are doing the job and are actually protecting the system. Those reasons and that proof are known as “Assurance”. Trust tends to be […]

800-53 rev4 Changes

NIST periodically revises their catalog of security controls, “NIST SP 800-53 Recommended Security Controls for Federal Information Systems”. Rev 4 is the most recent version. Here are some of the changes: BASELINES A few existing controls have been re-assigned to new IMPACT level baselines Many new controls have been added – some are not assigned […]

Continuous Monitoring Misunderstood

Network security monitoring includes intrusion detection, audit log correlation and analysis and other methods of detecting failures of our network protections. Continuous monitoring is not the same thing. Continuous monitoring is the process of checking our security controls to make sure they are working. Here is an article that explains some of the background: Continuous […]

A HIGH Impact Baseline for Clouds

FEDRAMP (FEDeral Risk and Authorization Management Program) offers baselines of 800-53 security controls that have been tailored for cloud environments. But they do not offer a HIGH impact baseline. Presumably, HIGH impact systems will use private clouds that exist inside the authorization boundary of the federal agency that implements them. FEDRAMP requirements do not apply […]