Appendix C: Security Control Assessment Requirements

This appendix provides supporting material for the chapters of the book. It can also serve as a reference source and illustrates how many security controls are allocated and the attributes of these controls in different situations and under different requirements.

NIST SP 800-53A Assessment Methods

The following table defines the security assessment process used to evaluate each of the security controls as defined by NIST SP 800-53A.

Table C-1: SP 800-53A Assessment Methods


Security Control Baseline Categorization

The following table defines the security categorization of each security control as high, moderate, low, a combination of these, or no baseline categorization at all. The security practitioner, information systems designer, information system owner, and other stakeholders determine the test methods required to evaluate each security control or security control enhancement.

Table C-2: SP 800-53 Baseline Categorization


CNSSI 1253 Baseline Categorization

The following table illustrates the baseline categorization for the security controls as defined by CNSSI 1253. It illustrates one of the major differences in the way the RMF is implemented in the intelligence community (IC). Rather than using a single high-water mark category for the entire system, the IC establishes a high-water mark for each of the security objectives (confidentiality, integrity, and availability). When implementing the RMF in the IC, the controls are selected that correctly match each of these attributes. For example, AC-7(1) would be mandatory for systems with a confidentiality or integrity level of “moderate” or “high”, but not required on systems with a confidentiality level of “low” and an integrity level of “low”, regardless of the availability level.
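The selection rule described above, as an added example that is not part of the book's material: a per-objective threshold table is evaluated against a system's confidentiality, integrity and availability levels, and the result is contrasted with the single high-water mark the same system would receive. Only the AC-7(1) rule comes from the text; the other control identifiers and thresholds are constructed placeholders.

```python
# Added example of CNSSI 1253-style control selection (per security objective)
# versus a single system-wide high-water mark. Baseline data is constructed:
# only the AC-7(1) thresholds reflect the text; the other entries are hypothetical.
from typing import Dict, List, Optional

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# For each control: the minimum impact level, per objective, at which the
# control becomes mandatory. None means that objective never triggers it.
CONSTRUCTED_BASELINE: Dict[str, Dict[str, Optional[str]]] = {
    "AC-7(1)": {"confidentiality": "moderate", "integrity": "moderate",
                "availability": None},
    "CP-X(hypothetical)": {"confidentiality": None, "integrity": None,
                           "availability": "moderate"},
    "AC-Y(hypothetical)": {"confidentiality": "low", "integrity": "low",
                           "availability": "low"},
}


def single_high_water_mark(system: Dict[str, str]) -> str:
    """Overall categorization used outside the IC: the highest of the three objectives."""
    return max((system[obj] for obj in OBJECTIVES), key=LEVELS.__getitem__)


def control_required(thresholds: Dict[str, Optional[str]], system: Dict[str, str]) -> bool:
    """CNSSI 1253 style: the control is mandatory if ANY objective meets its threshold."""
    for obj in OBJECTIVES:
        threshold = thresholds[obj]
        if threshold is not None and LEVELS[system[obj]] >= LEVELS[threshold]:
            return True
    return False


def select_controls(baseline: Dict[str, Dict[str, Optional[str]]],
                    system: Dict[str, str]) -> List[str]:
    """Return the sorted list of control IDs mandatory for this system."""
    return sorted(cid for cid, thr in baseline.items() if control_required(thr, system))


if __name__ == "__main__":
    # Constructed system: low confidentiality, low integrity, high availability.
    system = {"confidentiality": "low", "integrity": "low", "availability": "high"}
    # A single high-water mark would rate this system "high" overall ...
    print(single_high_water_mark(system))
    # ... yet per-objective selection still leaves AC-7(1) out.
    print(select_controls(CONSTRUCTED_BASELINE, system))
```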

Table C-3: CNSSI 1253 Baseline Categorization


New Controls Planned in Revision 4

The following table introduces the new controls and control enhancements planned for introduction in NIST SP 800-53 Revision 4. These controls extend the controls available in earlier versions of the controls catalog. In many cases they are not mandatory for any baseline, except where an “X” appears in a baseline column. Instead, these controls and enhancements are available when scoping and tailoring the control set needed to properly secure information systems with unique requirements.

Table C-4: New Controls in SP 800-53 Revision 4


FedRAMP Controls

Table C-5: FedRAMP Controls


SP 800-53 Security Controls to HIPAA Security Rule

Table C-6: HIPAA Controls


PCI DSS Standards

Table C-7: PCI DSS
