SELECT STEP FAQS - NIST


SELECT STEP FAQS
NIST RISK MANAGEMENT FRAMEWORK
January 18, 2011

Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. Assurance is the grounds for confidence that the security controls implemented within an information system are effective in their application. Selecting and implementing the appropriate security controls and assurance requirements for an information system or system-of-systems are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation.

General Select Step FAQs
1. What are security controls?
2. Why are organizations required to select security controls?
3. What is the select process?
4. When are security requirements considered within the system development life cycle?
5. Who is responsible for selecting the security controls for an information system?
6. What is the role of the risk executive (function) in the security control selection process?
7. Are external service providers required to implement federal security requirements including the security controls?
8. When NIST revises NIST SP 800-53, is the organization required to implement the changes?

Select Step Fundamentals
9. Do all federal information systems have to meet the minimum security requirements specified in FIPS 200?
10. What other sources should be reviewed to determine if additional security requirements apply to an information system?
11. Must all of the security controls in the corresponding security control baseline be used?
12. Under what conditions should the use of an information system be restricted?
13. What are the different types of security controls?
14. What are system-specific controls?
15. What are common controls?
16. What are hybrid controls?
17. Who is responsible for common controls or the common portion of hybrid controls?
18. How are security controls allocated to information systems?
19. What is the structure of a security control?
20. Are organizations expected to apply the supplemental guidance?
21. What is security control assurance?
22. Why were program management controls added to NIST SP 800-53, Rev. 3?
23. Do security controls need to be periodically reviewed and updated?
24. What types of events can trigger a need to modify or update the security controls?

Organizational Support for the Select Step FAQs
25. Are organizations expected to support risk management?
26. What is the relationship between the security controls and an organization’s policies and procedures?
27. Why should organizations implement common security controls?
28. Who should define common security controls?
29. How are common controls determined for the organization?
30. Who is responsible for the program management controls?
31. What is the information security program plan?
32. Can the organization provide templates and tools to assist with preparing security documentation?

System-specific Application of the Select Step FAQs
33. What steps should the information system owner follow to select the security controls for an information system?
34. What is the security categorization and how does it influence the selection of the initial security baseline?
35. How is the initial security control baseline selected?
36. What is tailoring?
37. How is scoping guidance applied to the information system?
38. What are some examples or scenarios of applying the scoping guidance to an information system?
39. What is a compensating security control?
40. Under what conditions are compensating controls used?
41. What are organization-defined parameters and how are they applied within an information system?
42. Why do organizations supplement their security controls?
43. How do information system owners supplement their security controls?
44. Which minimum assurance requirements apply to an information system?
45. How are the minimum assurance requirements met by control developers/implementers?
46. Why is the selected set of security controls documented in the security plan?
47. What information is documented in the security plan?
48. Does the security plan have to follow the format provided in NIST SP 800-18?
49. Why are security controls monitored?
50. What is the continuous monitoring strategy?
51. How are security controls selected for continuous monitoring?
52. Why is the security plan approved?

GENERAL SELECT FAQS

1. WHAT ARE SECURITY CONTROLS?
Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.[1] Selecting the appropriate set of security controls helps to achieve the objective of conducting the day-to-day operations of the organization and accomplishing the organization’s stated missions and business functions with what the OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.[2]

[1] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 1
[2] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 2

2. WHY ARE ORGANIZATIONS REQUIRED TO SELECT SECURITY CONTROLS?
Organizations are required to adequately mitigate risk arising from use of information and information systems in the execution of missions and business functions. A significant challenge for organizations is to determine the appropriate set of security controls, which if implemented and determined to be effective, would most cost-effectively mitigate risk while complying with the security requirements defined by applicable federal laws, Executive Orders, directives, policies, standards, or regulations (e.g., FISMA, OMB Circular A-130). Selecting the appropriate set of security controls to adequately mitigate risk by meeting the specific, and sometimes unique, security requirements of an organization is an important task—a task that clearly demonstrates the organization’s commitment to security and the due diligence exercised in protecting the confidentiality, integrity, and availability of organizational information and information systems.[3]

3. WHAT IS THE SELECT PROCESS?
Security controls are selected based on the security categorization of the information system and requirements for the organization-specific environment of operations. The security control selection process includes, as appropriate:[4]

- Choosing a set of baseline security controls;
- Tailoring the baseline security controls by applying scoping, parameterization, and compensating control guidance;
- Supplementing the tailored baseline security controls, if necessary, with additional controls or control enhancements to address unique organizational needs based on a risk assessment and local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analysis, or special circumstances; and
- Specifying minimum assurance requirements, as appropriate.

The selection of the initial set of baseline security controls is based on the impact level of the information system as determined by the security categorization process. The organization selects one of three sets of baseline security controls from NIST SP 800-53, Appendix D, corresponding to the low-, moderate-, or high-impact rating of the information system.[5] After selecting the initial set of baseline security controls, the organization initiates the tailoring process to appropriately modify and more closely align the controls with the specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation).[6]

In many cases, additional security controls or control enhancements will be needed to address specific threats to and vulnerabilities in an information system and to satisfy the requirements of applicable federal laws, Executive Orders, directives, policies, standards, or regulations.[7] The supplementation process is used for this purpose. During supplementation, the sufficiency of the tailored baseline to adequately protect the organization’s operations is determined. The final determination of the appropriate set of security controls necessary to provide adequate security for an information system is a function of the organization’s assessment of risk and what is required to sufficiently mitigate the risks.[8]

4. WHEN ARE SECURITY REQUIREMENTS CONSIDERED WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE?
All federal information systems, including operational systems, systems under development, and systems undergoing modification or upgrade, are in some phase of a system development life cycle. Requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase. Security requirements are a subset of the overall functional and nonfunctional requirements levied on an information system and are incorporated into the system development life cycle simultaneously with the functional and nonfunctional requirements. Without the early integration of security requirements, significant expenses may be incurred by the organization later in the life cycle to address security considerations that could have been included in the initial design. When security requirements are considered as an integral subset of other information system requirements, the resulting system has fewer weaknesses and deficiencies, and therefore, fewer vulnerabilities that can be exploited in the future.[9]

5. WHO IS RESPONSIBLE FOR SELECTING THE SECURITY CONTROLS FOR AN INFORMATION SYSTEM?
The information system owner and information security architect are responsible for selecting the security controls for the information system and documenting the controls in the security plan.[10] The information system owner is responsible for addressing the operational interests of the user community and for ensuring compliance with information security requirements. In addition, the information system owner, in conjunction with the information system security officer (ISSO), is responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls.[11]

The information security architect is responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information system supporting those missions and business processes.[12]

[3] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 9
[4] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. 25
[5] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 19
[6] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 19
[7] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 23
[8] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 23
[9] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. 9
[10] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. 25
[11] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. D-5
[12] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. D-6
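The selection process of Q3 above (baseline chosen by impact level, then tailoring by scoping, parameterization and compensating controls, then supplementation), as an added example that is not part of the NIST FAQ: a small Python model in which the control catalog subset, the baseline each control is assigned to, the parameter values and the rationales are all constructed for illustration, and every scoping or compensating decision must carry the justification the security plan records.

```python
"""Model of the Select step described in Q3 above: pick the baseline from the
system's impact level, tailor it (scoping, parameterization, compensating
controls), then supplement it, recording every decision for the security plan.
Added example, not NIST tooling; the catalog subset and all values are constructed."""
from dataclasses import dataclass, field

IMPACT = {"low": 0, "moderate": 1, "high": 2}

# Constructed catalog subset: control id -> lowest baseline that includes it.
CATALOG = {"AC-2": "low", "AC-7": "low", "AC-18": "low",
           "AC-2(1)": "moderate", "AU-10": "high"}


def impact_level(confidentiality, integrity, availability):
    """FIPS 199 high-water mark: the system's impact is the highest of the three objectives."""
    return max((confidentiality, integrity, availability), key=IMPACT.__getitem__)


def select_baseline(impact):
    """Initial baseline: every control whose lowest baseline is at or below the impact level."""
    return {cid for cid, lowest in CATALOG.items() if IMPACT[lowest] <= IMPACT[impact]}


@dataclass
class Tailoring:
    scoped_out: dict = field(default_factory=dict)    # id -> scoping justification
    parameters: dict = field(default_factory=dict)    # id -> organization-defined values
    compensating: dict = field(default_factory=dict)  # id -> (replacement, rationale)
    supplemental: dict = field(default_factory=dict)  # id -> risk-assessment rationale


def build_plan(baseline, tailoring):
    """Apply tailoring, then supplementation; every deviation must carry a rationale."""
    plan = {}
    for cid in sorted(baseline):
        if cid in tailoring.scoped_out:
            why = tailoring.scoped_out[cid]
            if not why:
                raise ValueError(f"{cid}: scoping a control out requires a justification")
            plan[cid] = {"status": "not applicable", "rationale": why}
        elif cid in tailoring.compensating:
            replacement, why = tailoring.compensating[cid]
            plan[cid] = {"status": "compensated", "by": replacement, "rationale": why}
        else:
            plan[cid] = {"status": "selected",
                         "parameters": tailoring.parameters.get(cid, {})}
    for cid, why in tailoring.supplemental.items():
        if cid in plan:
            raise ValueError(f"{cid}: already in the tailored baseline, not a supplement")
        plan[cid] = {"status": "supplemental", "rationale": why}
    return plan


# Constructed moderate-impact system: integrity drives the high-water mark.
EXAMPLE_IMPACT = impact_level("low", "moderate", "low")
EXAMPLE_TAILORING = Tailoring(
    scoped_out={"AC-18": "no wireless networking components in the system"},
    parameters={"AC-7": {"max_attempts": 5, "window_minutes": 15}},
    compensating={"AC-2(1)": ("quarterly manual account review",
                              "no automated account management mechanism available")},
    supplemental={"AU-10": "non-repudiation required by organizational records policy"},
)
EXAMPLE_PLAN = build_plan(select_baseline(EXAMPLE_IMPACT), EXAMPLE_TAILORING)

if __name__ == "__main__":
    for cid, entry in EXAMPLE_PLAN.items():
        print(cid, entry)
```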

6. WHAT IS THE ROLE OF THE RISK EXECUTIVE (FUNCTION) IN THE SECURITY CONTROL SELECTION PROCESS?
The risk executive (function) helps ensure that information security considerations for individual information systems are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its mission/business processes.[13] The risk executive (function) develops a risk management strategy for the organization providing a strategic view of information security-related risks with regard to the organization as a whole and facilitates the sharing of risk-related information among authorizing officials and other senior leaders within the organization.[14] This organizational perspective of risk is considered by the information system owner when selecting the appropriate set of security controls for the information system.

7. ARE EXTERNAL SERVICE PROVIDERS REQUIRED TO IMPLEMENT FEDERAL SECURITY REQUIREMENTS INCLUDING THE SECURITY CONTROLS?
Yes, FISMA and OMB policy require external providers handling federal information or operating information systems on behalf of the federal government to meet the same security requirements as federal agencies. Security requirements for external providers including the security controls for information systems processing, storing, or transmitting federal information are expressed in appropriate contracts or other formal agreements.[15] Ultimately, the responsibility for adequately mitigating unacceptable risks arising from the use of external information system services remains with the authorizing official.[16]

The assurance or confidence that the risk from using external services is at an acceptable level depends on the trust that the organization places in the external service provider. The level of trust that an organization places in an external service provider can vary widely, ranging from those who are highly trusted to those who are less trusted and present greater sources of risk.[17] Organizations require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security.[18]

A chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. Depending on the nature of the service, it may simply be unwise for the organization to place significant trust in the provider—not due to any inherent untrustworthiness on the provider’s part, but due to the intrinsic level of risk in the service.

[13] NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective, Second Public Draft, April 2008, p. 13
[14] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. D-2
[15] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 12
[16] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 13
[17] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 13, Footnote 40
[18] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 13

Where a sufficient level of trust cannot be established in the external services or service providers, the organization employs compensating controls or accepts a greater degree of risk.[19]

8. WHEN NIST REVISES NIST SP 800-53, IS THE ORGANIZATION REQUIRED TO IMPLEMENT THE CHANGES?
The security controls in the security control catalog are expected to change over time, as controls are withdrawn, revised, and added. The security controls defined in the low, moderate, and high baselines are also expected to change over time as the level of security and due diligence for mitigating risks within organizations changes. In addition to the need for change, the need for stability will be addressed by requiring that proposed additions, deletions, and modifications to the catalog of security controls go through a rigorous public review process to obtain government and private sector feedback and to build consensus for the changes. A stable, yet flexible and technically rigorous set of security controls will be maintained in the security control catalog.[20]

Compliance schedules for NIST security standards and guidelines are established by OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).[21]

SELECT STEP FUNDAMENTALS

9. DO ALL FEDERAL INFORMATION SYSTEMS HAVE TO MEET THE MINIMUM SECURITY REQUIREMENTS SPECIFIED IN FIPS 200?
Yes, FIPS 200 specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government.[22] Organizations must meet the minimum security requirements in FIPS 200 by selecting the appropriate security controls and assurance requirements as described in NIST SP 800-53.[23]

The guidelines in NIST SP 800-53 are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines were broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.[24]

[19] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, pp. 13-14
[20] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 15
[21] NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, p. iv
[22] FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, p. 1
[23] FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, p. 4
[24] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, p. 2

10. WHAT OTHER SOURCES SHOULD BE REVIEWED TO DETERMINE IF ADDITIONAL SECURITY REQUIREMENTS APPLY TO AN INFORMATION SYSTEM?
Additional security requirements may be defined in applicable federal laws, Executive Orders, directives, policies, standards, or regulations.[25] These documents are reviewed and appropriate security controls are identified to satisfy the security requirements. NIST SP 800-53 provides a set of security controls that can satisfy the breadth and depth of security requirements levied on information systems and organizations and that is consistent with and complementary to other established information security standards. The catalog of security controls provided in NIST SP 800-53 can be effectively used to demonstrate comp

