3.1 selecting security control baselines

In preparation for selecting and specifying the appropriate security controls for organizational information systems and their respective environments of operation, organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. This process, known as security categorization, is described in FIPS Publication 199.[58] The security categorization standard is based on a simple and well-established concept—that is, determining the potential adverse impact for organizational information systems. The results of security categorization help guide and inform the selection of appropriate security controls (i.e., safeguards and countermeasures) to adequately protect those information systems. The security controls selected for information systems are commensurate with the potential adverse impact on organizational operations and assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability. FIPS Publication 199 requires organizations to categorize information systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability (RMF Step 1). The potential impact values assigned to the security objectives are the highest values (i.e., high water mark) from the security categories that have been determined for each type of information processed, stored, or transmitted by those information systems.[59] The generalized format for expressing the security category (SC) of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.

Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept (introduced in FIPS Publication 199) is used in FIPS Publication 200 to determine the impact level of the information system for the express purpose of selecting the applicable security control baseline from one of the three baselines identified in Appendix D.[60] Thus, a low-impact system is defined as an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. Finally, a high-impact system is an information system in which at least one security objective is high.

Implementation Tip

To determine the impact level of an information system:

  • First, determine the different types of information that are processed, stored, or transmitted by the information system. NIST Special Publication 800-60 provides common information types.
  • Second, using the impact values in FIPS Publication 199 and the recommendations of NIST Special Publication 800-60, categorize the confidentiality, integrity, and availability of each information type.
  • Third, determine the information system security categorization, that is, the highest impact value for each security objective (confidentiality, integrity, availability) from among the categorizations for the information types associated with the information system.
  • Fourth, determine the overall impact level of the information system from the highest impact value among the three security objectives in the system security categorization.

Note: For national security systems, organizations use CNSSI 1253 for security categorization.

Once the impact level of the information system is determined, organizations begin the security control selection process (RMF Step 2). The first step in selecting and specifying security controls for the information system is to choose the appropriate security control baseline.[61] The selection of the security control baseline is based on the FIPS 200 impact level of the information system as determined by the security categorization process described above. The organization selects one of three security control baselines from Appendix D corresponding to the low-impact, moderate-impact, or high-impact rating of the information system.[62] Note that not all security controls are assigned to baselines, as indicated in Table D-2 by the phrase not selected. Similarly, as illustrated in Tables D-3 through D-19, not all control enhancements are assigned to baselines. Those control enhancements that are assigned to baselines are so indicated by an “x” in the low, moderate, or high columns. The use of the term baseline is intentional. The security controls and control enhancements in the baselines are a starting point from which controls/enhancements may be removed, added, or specialized based on the tailoring guidance in Section 3.2.
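The four-step categorization in the implementation tip above and the baseline choice that follows from it, worked through as an added example (this is illustrative code, not part of SP 800-53 or any NIST tool). The information types and their per-objective impact values are constructed for the example; real values come from SP 800-60 and the organization's own analysis.

```python
# Added example: FIPS 199 security categorization of a system from its
# information types, then the FIPS 200 high water mark used to pick the
# Appendix D baseline. Not NIST code; sample data below is constructed.
from typing import Dict, Iterable

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: three information types already categorized
# (step 2 of the tip) as {objective: impact}. Hypothetical values.
SAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "personnel records":  {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "dispatch schedule":  {"confidentiality": "low", "integrity": "low", "availability": "high"},
}

def _highest(values: Iterable[str]) -> str:
    """High water mark: the greatest impact value under low < moderate < high."""
    vals = list(values)
    for v in vals:
        if v not in IMPACT_RANK:
            raise ValueError(f"impact must be low, moderate, or high, got {v!r}")
    return max(vals, key=IMPACT_RANK.__getitem__)

def system_security_category(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Step 3: per-objective high water mark across all information types,
    i.e. the FIPS 199 security category SC of the information system."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: _highest(it[obj] for it in info_types.values()) for obj in OBJECTIVES}

def system_impact_level(sc: Dict[str, str]) -> str:
    """Step 4: FIPS 200 impact level, the high water mark across the
    three objectives (one 'high' objective makes the whole system high)."""
    return _highest(sc[obj] for obj in OBJECTIVES)

def baseline_for(impact_level: str) -> str:
    """Name of the Appendix D starting baseline for this impact level."""
    return f"{impact_level}-impact baseline"

def format_sc(sc: Dict[str, str]) -> str:
    """Render SC in the generalized FIPS 199 format used in the text."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"

if __name__ == "__main__":
    sc = system_security_category(SAMPLE_INFO_TYPES)
    level = system_impact_level(sc)
    print(format_sc(sc))                       # (confidentiality, moderate), ... (availability, high)
    print(level, "->", baseline_for(level))   # high -> high-impact baseline
```

Note how a single high availability value on one information type drives the whole system to the high-impact baseline, even though confidentiality and integrity never exceed moderate; that is the dependency reasoning behind the high water mark in footnote 60.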

The security control baselines in Appendix D address the security needs of a broad and diverse set of constituencies (including individual users and organizations). Some assumptions that generally underlie the baselines in Appendix D include, for example: (i) the environments in which organizational information systems operate; (ii) the nature of operations conducted by organizations; (iii) the functionality employed within information systems; (iv) the types of threats facing organizations, missions/business processes, and information systems; and (v) the type of information processed, stored, or transmitted by information systems. Articulating the underlying assumptions is a key element in the initial risk framing step of the risk management process described in NIST Special Publication 800-39. Some of the assumptions that underlie the baselines in Appendix D include:

  • Information systems are located in physical facilities;
  • User data/information in organizational information systems is relatively persistent;[63]
  • Information systems are multi-user (either serially or concurrently) in operation;
  • Some user data/information in organizational information systems is not shareable with other users who have authorized access to the same systems;
  • Information systems exist in networked environments;
  • Information systems are general purpose in nature; and
  • Organizations have the necessary structure, resources, and infrastructure to implement the controls.[64]

If one or more of these assumptions is not valid, then some of the security controls assigned to the initial baselines in Appendix D may not be applicable—a situation that can be readily addressed by applying the tailoring guidance in Section 3.2 and the results of organizational assessments of risk. Conversely, there are also some possible situations that are specifically not addressed in the baselines. These include:

  • Insider threats exist within organizations;
  • Classified data/information is processed, stored, or transmitted by information systems;
  • Advanced persistent threats (APTs) exist within organizations;
  • Selected data/information requires specialized protection based on federal legislation, directives, regulations, or policies; and
  • Information systems need to communicate with other systems across different security domains.

If any of the above assumptions apply, then additional security controls from Appendix F would likely be needed to ensure adequate protection—a situation that can also be effectively addressed by applying the tailoring guidance in Section 3.2 (specifically, security control supplementation) and the results of organizational assessments of risk.

58. CNSS Instruction 1253 provides security categorization guidance for national security systems.
59. NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides guidance on the assignment of security categories to information systems.
60. The high water mark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well. Accordingly, security controls are not categorized by security objective. Rather, the security controls are grouped into baselines to provide a general protection capability for classes of information systems based on impact level.
61. The general security control selection process may be augmented or further detailed by additional sector-specific guidance as described in Section 3.3, Creating Overlays, and Appendix I, template for developing overlays.
62. CNSS Instruction 1253 provides security control baselines for national security systems.
63. Persistent data/information refers to data/information with utility for a relatively long duration (e.g., days, weeks).
64. In general, federal departments and agencies will satisfy this assumption. The assumption becomes more of an issue for nonfederal entities such as municipalities, first responders, and small (business) contractors. Such entities may not be large enough or sufficiently resourced to have elements dedicated to providing the range of security capabilities that are assumed by the baselines. Organizations consider such factors in their risk-based decisions.
