1.3 Relationship to Other Security Control Publications
To create a technically sound and broadly applicable set of security controls for information systems and organizations, a variety of sources were considered during the development of this special publication. The sources included security controls from the defense, audit, financial, healthcare, industrial/process control, and intelligence communities as well as controls defined by national and international standards organizations. The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements[14] levied on organizations, mission/business processes, and information systems and that is consistent with and complementary to other established information security standards.
The catalog of security controls in Special Publication 800-53 can be effectively used to protect information and information systems from traditional and advanced persistent threats in varied operational, environmental, and technical scenarios. The controls can also be used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements.[15] The security controls facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent/repeatable manner—thus contributing to the organization’s confidence that security requirements continue to be satisfied on an ongoing basis. In addition, security controls can be used in developing overlays for specialized information systems, information technologies, environments of operation, or communities of interest (see Appendix I).
14. Security requirements are those requirements levied on an information system that are derived from laws, Executive Orders, directives, policies, instructions, regulations, standards, guidelines, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
15. NIST Special Publication 800-53A provides guidance on assessing the effectiveness of security controls.