Rubric Name: Project 7 Organization Enterprise Plan and Security Policy Rubric

Performance levels, in the order used for every criterion below: Excellent, Outstanding, Acceptable, Needs Improvement, Needs Significant Improvement, Missing or No Submission.

Criterion: Address of critical areas
The five critical areas are:
- Identify threats and vulnerabilities.
- Assign appropriate security controls to protect the infrastructure of the organization.
- Prepare vulnerability scans and effective risk management protocols to ensure protections remain current and effective and detect any issues.
- Initiate an incident response plan for responding to problems.
- Develop a business continuity and disaster recovery plan to recover from interruptions in business whether manmade or geographical.
Excellent (17 points): Ensured the plan policy thoroughly addressed each of the five critical areas.
Outstanding (13 points): Plan policy provides good coverage of the five critical areas.
Acceptable (10 points): Plan policy provides fair coverage of the five critical areas.
Needs Improvement (6 points): Plan policy provides poor coverage of the five critical areas.
Needs Significant Improvement (3 points): Plan policy provides inadequate coverage of the five critical areas.
Missing or No Submission (0 points): Not included or no submission.

Criterion: Explanation of functionality
Excellent (17 points): Identified and thoroughly explained the functionality of the Framework Tiers.
Outstanding (13 points): Each tier was adequately explained and its purpose defined for the functionality of the Framework Tiers.
Acceptable (10 points): Tiers were explained and purpose described without full functionality coverage of the Framework Tiers.
Needs Improvement (6 points): Overview of the tiers was provided and the tiers were explained with some description of the functionality of the Framework Tiers.
Needs Significant Improvement (3 points): Inadequate description of the tiers with poor description of the functionality of the Framework Tiers.
Missing or No Submission (0 points): Not included or no submission.

Criterion: Use of Framework Outline
Excellent (17 points): Excellent use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document.
Outstanding (13 points): Outstanding use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. No more than 1 element was missing or inadequately addressed.
Acceptable (10 points): Acceptable use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. No more than 2 elements were missing or inadequately addressed.
Needs Improvement (6 points): Fair use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. More than 2 elements were missing or inadequately addressed.
Needs Significant Improvement (3 points): Poor use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document.
Missing or No Submission (0 points): Not included or no submission.

Criterion: Creation of correlation
Excellent (17 points): Created a well-defined correlation between the cybersecurity framework and risk management for your enterprise planning policy.
Outstanding (13 points): Developed a cause and effect between the cybersecurity framework and risk management for your enterprise planning policy.
Acceptable (10 points): Established a good relationship between the cybersecurity framework and risk management for your enterprise planning policy.
Needs Improvement (6 points): Defined a fair relationship between the cybersecurity framework and risk management for your enterprise planning policy.
Needs Significant Improvement (3 points): No defined relationship between the cybersecurity framework and risk management for your enterprise planning policy.
Missing or No Submission (0 points): Not included or no submission.

Criterion: Excerpt on Risk Management
Excellent (17 points): Provided an excellent, efficient and relevant excerpt on risk management that included a clear and concise protocol for mitigating disasters.
Outstanding (13 points): Included an outstanding excerpt on risk management that included a well-defined protocol for mitigating disasters.
Acceptable (10 points): Developed an acceptable excerpt on risk management that included a protocol for mitigating disasters.
Needs Improvement (6 points): Incomplete submission for providing an excerpt on risk management that included a protocol for mitigating disasters. Protocol was incomplete and/or missing minor points.
Needs Significant Improvement (3 points): Insufficient information to establish an excerpt on risk management that included a protocol for mitigating disasters.
Missing or No Submission (0 points): Not included or no submission.

Criterion: Grammar, Spelling, Punctuation
Excellent (15 points):
- Fully complied with formatting requirements.
- Successfully completed all procedures in the assignment.
- Exceptional quality of the assignment with clear, concise, and meaningful content.
- Appropriate research conducted when necessary and resolution of the task.
- Content contained relevant citations to an accuracy of 90%.
- Reference citations were in the reference/bibliography list.
Outstanding (12 points):
- Complied with formatting requirements.
- Completed all procedures in the assignment.
- Good quality of the assignment with clear, concise, and meaningful content.
- Research conducted when necessary and attempts at resolution included for the task.
- Content contained relevant citations to an accuracy of 80%.
- Reference citations were in the reference/bibliography list.
Acceptable (9 points):
- Partially complied with formatting requirements.
- Partially completed the assignment.
- Average quality of the assignment with clear, concise, and meaningful content.
- Research attempted and resolution is incomplete.
- Content contained relevant citations to an accuracy of 70%.
- Reference citations were in the reference/bibliography list.
Needs Improvement (6 points):
- Did not meet criteria for formatting requirements.
- Assignment is incomplete.
- Poor quality of the assignment and inadequate content.
- No research attempted and problem not fully resolved.
- Content contained relevant citations to an accuracy of 60%.
- Reference citations were in the reference/bibliography list.
Needs Significant Improvement (3 points):
- Did not adhere to formatting requirements.
- Criteria for assignment not met.
- Poor quality of the assignment and incomplete content.
- No research attempted and problem not addressed.
- Content contained relevant citations to an accuracy of below 60%.
- Reference citations were in the reference/bibliography list.
Missing or No Submission (0 points): Not included or no submission.

Overall Score
Level 6: 35 or more
Level 5: 29 or more
Level 4: 23 or more
Level 3: 17 or more
Level 2: 11 or more
Level 1: 0 or more
FIPS PUB 200
_____________________________________________________
__________
FEDERAL INFORMATION PROCESSING STANDARDS
PUBLICATION
Minimum Security Requirements for Federal
Information and Information Systems
_____________________________________________________
__________
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2006
U.S. DEPARTMENT OF COMMERCE
Carlos M. Gutierrez, Secretary
NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY
William Jeffrey, Director
FIPS Publication 200 Minimum Security
Requirements for Federal Information and Information Systems
_____________________________________________________
___________________________________________
FOREWORD
The Federal Information Processing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.
-- CITA M. FURLANI, ACTING DIRECTOR
INFORMATION TECHNOLOGY LABORATORY
AUTHORITY
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Information Processing Standards 200
March 9, 2006
Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.
1. Name of Standard.
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems.
2. Category of Standard.
Information Security.
3. Explanation.
The E-Government Act (P.L. 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for each federal agency to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency, contractor, or other source. FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.
4. Approving Authority.
Secretary of Commerce.
5. Maintenance Agency.
Department of Commerce, NIST, Information Technology Laboratory.
6. Applicability.
This standard is applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). The standard has been broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of this standard, as appropriate.
7. Specifications.
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
8. Implementations.
This standard specifies minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended.
9. Effective Date.
This standard is effective immediately. Federal agencies must be in compliance with this standard not later than one year from its effective date.
10. Qualifications.
The application of the security controls defined in NIST Special Publication 800-53 required by this standard represents the current state-of-the-practice safeguards and countermeasures for information systems. The security controls will be reviewed by NIST at least annually and, if necessary, revised and extended to reflect: (i) the experience gained from using the controls; (ii) the changing security requirements within federal agencies; and (iii) the new security technologies that may be available. The minimum security controls defined in the low, moderate, and high security control baselines are also expected to change over time as well, as the level of security and due diligence for mitigating risks within federal agencies increases. The proposed additions, deletions, or modifications to the catalog of security controls and the proposed changes to the security control baselines in NIST Special Publication 800-53 will go through a rigorous, public review process to obtain government and private sector feedback and to build consensus for the changes. Federal agencies will have up to one year from the date of final publication to fully comply with the changes but are encouraged to initiate compliance activities immediately.
11. Waivers.
No provision is provided under FISMA for waivers to FIPS made mandatory by the Secretary of Commerce.
12. Where to Obtain Copies.
This publication is available from the NIST Computer Security Division web site by accessing http://csrc.nist.gov/publications.
TABLE OF CONTENTS
SECTION 1 PURPOSE ........ 1
SECTION 2 INFORMATION SYSTEM IMPACT LEVELS ........ 1
SECTION 3 MINIMUM SECURITY REQUIREMENTS ........ 2
SECTION 4 SECURITY CONTROL SELECTION ........ 4
APPENDIX A TERMS AND DEFINITIONS ........ 6
APPENDIX B REFERENCES ........ 10
APPENDIX C ACRONYMS ........ 11
1 PURPOSE
The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST with the responsibility of developing security standards and guidelines for the federal government including the development of:
• Standards for categorizing information and information systems[1] collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each category; and
• Minimum information security requirements for information and information systems in each such category.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation.[2] FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard will promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.

2 INFORMATION SYSTEM IMPACT LEVELS
FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark[3]) from among the security categories that have been determined for each type of information resident on those information systems.[4] The generalized format for expressing the security category (SC) of an information system is:
SC(information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, moderate, or high.

[1] An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.
[2] NIST security standards and guidelines referenced in this publication are available at http://csrc.nist.gov.
[3] The high water mark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well.
[4] NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance on the assignment of security categories to information and information systems.
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

3 MINIMUM SECURITY REQUIREMENTS
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.
Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.

Specifications for Minimum Security Requirements
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
System and Communications Protection (SC): Organizations
must: (i) monitor, control, and protect
organizational communications (i.e., information transmitted or
received by organizational information
systems) at the external boundaries and key internal boundaries
of the information systems; and (ii) employ
architectural designs, software development techniques, and
systems engineering principles that promote
effective information security within organizational information
systems.
System and Information Integrity (SI): Organizations must: (i)
identify, report, and correct information and
information system flaws in a timely manner; (ii) provide
protection from malicious code at appropriate
locations within organizational information systems; and (iii)
monitor information system security alerts
and advisories and take appropriate actions in response.
4 SECURITY CONTROL SELECTION
Organizations must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.⁵ The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security⁶ is a multifaceted, risk-based activity involving management and operational personnel within the organization. Security categorization of federal information and information systems, as required by FIPS Publication 199, is the first step in the risk management process.⁷ Subsequent to the security categorization process, organizations must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in this standard. The selected set of security controls must include one of three, appropriately tailored⁸ security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process.
- For low-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the low baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the low baseline are satisfied.
- For moderate-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied.
- For high-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the high baseline are satisfied.
Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST Special Publication 800-53.
⁵ Organizations must use the most current version of NIST Special Publication 800-53, as amended, for the security control selection process.
⁶ The Office of Management and Budget (OMB) Circular A-130, Appendix III, defines adequate security as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
⁷ Security categorization must be accomplished as an enterprise-wide activity with the involvement of senior-level organizational officials including, but not limited to, chief information officers, senior agency information security officers, authorizing officials (a.k.a. accreditation authorities), information system owners, and information owners.
⁸ Tailoring guidance for security control baselines is provided in NIST Special Publication 800-53.
FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems
To ensure a cost-effective, risk-based approach to achieving adequate security across the organization, security control baseline tailoring activities must be coordinated with and approved by appropriate organizational officials (e.g., chief information officers, senior agency information security officers, authorizing officials, or authorizing officials' designated representatives). The resulting set of security controls must be documented in the security plan for the information system.
APPENDIX A TERMS AND DEFINITIONS
ACCREDITATION: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
ADEQUATE SECURITY: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III]
AGENCY: Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. [44 U.S.C., SEC. 3502]
AUTHENTICATION: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
AUTHORIZING OFFICIAL: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
CERTIFICATION: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
CHIEF INFORMATION OFFICER: Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. [44 U.S.C., SEC. 5125(b)]
CHIEF INFORMATION SECURITY OFFICER: See Senior Agency Information Security Officer.
CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
COUNTERMEASURES: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.
ENVIRONMENT: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009]
EXECUTIVE AGENCY: An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly-owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41 U.S.C., SEC. 403]
FEDERAL AGENCY: See Agency.
FEDERAL INFORMATION SYSTEM: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331]
HIGH-IMPACT SYSTEM: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
INCIDENT: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
INFORMATION: An instance of an information type. [FIPS Publication 199]
INFORMATION OWNER: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [CNSS Instruction 4009]
INFORMATION RESOURCES: Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]
INFORMATION SECURITY: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542]
INFORMATION SYSTEM: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]
INFORMATION SYSTEM OWNER: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [CNSS Instruction 4009 Adapted]
INFORMATION TECHNOLOGY: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. [40 U.S.C., SEC. 1401]
INFORMATION TYPE: A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. [FIPS Publication 199]
INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
LOW-IMPACT SYSTEM: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.
MANAGEMENT CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
MEDIA: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
MODERATE-IMPACT SYSTEM: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.
NATIONAL SECURITY INFORMATION: Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.
NATIONAL SECURITY SYSTEM: Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. [44 U.S.C., SEC. 3542]
OPERATIONAL CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
ORGANIZATION: A federal agency or, as appropriate, any of its operational elements.
POTENTIAL IMPACT: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199]
RECORDS: All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them. [44 U.S.C., SEC. 3301]
RISK: The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
RISK MANAGEMENT: The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
SAFEGUARDS: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures.
SANITIZATION: Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. [CNSS Instruction 4009 Adapted]
SECURITY CATEGORY: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. [FIPS Publication 199]
SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS Publication 199]
SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
SECURITY OBJECTIVE: Confidentiality, integrity, or availability. [FIPS Publication 199]
SECURITY PLAN: See System Security Plan.
SECURITY REQUIREMENTS: Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
SENIOR AGENCY INFORMATION SECURITY OFFICER: Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and information system security officers. [44 U.S.C., SEC. 3544]
SYSTEM: See information system.
SYSTEM SECURITY PLAN: Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Revision 1]
TECHNICAL CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
THREAT: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [CNSS Instruction 4009 Adapted]
THREAT SOURCE: The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.
USER: Individual or (system) process authorized to access an information system. [CNSS Instruction 4009]
VULNERABILITY: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted]
APPENDIX B REFERENCES
[1] Committee for National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, May 2003.
[2] E-Government Act of 2002 (Public Law 107-347), December 2002.
[3] Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
[4] Federal Information Security Management Act of 2002 (Public Law 107-347, Title III), December 2002.
[5] Information Technology Management Reform Act of 1996 (Public Law 104-106), August 1996.
[6] National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.
[7] National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
[8] National Institute of Standards and Technology Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
[9] Office of Management and Budget, Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 2000.
APPENDIX C ACRONYMS
CIO Chief Information Officer
CNSS Committee for National Security Systems
FIPS Federal Information Processing Standards
FISMA Federal Information Security Management Act
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
USC United States Code
NIST Special Publication 800-53 Revision 4
Security and Privacy Controls for Federal Information Systems and Organizations
JOINT TASK FORCE TRANSFORMATION INITIATIVE
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
Authority
This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic Mail: [email protected]
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
Abstract
This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.
Keywords
Assurance; computer security; FIPS Publication 199; FIPS Publication 200; FISMA; Privacy Act; Risk Management Framework; security controls; security requirements.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency Working Group with representatives from the Civil, Defense, and Intelligence Communities in an ongoing effort to produce a unified information security framework for the federal government. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency technical working group whose dedicated efforts contributed significantly to the publication. The senior leaders, interagency working group members, and their organizational affiliations include:
Department of Defense
Teresa M. Takai, DoD Chief Information Officer
Robert J. Carey, Principal Deputy DoD Chief Information Officer
Richard Hale, Deputy Chief Information Officer for Cybersecurity
Dominic Cussatt, Deputy Director, Cybersecurity Policy
Office of the Director of National Intelligence
Adolpho Tarasiuk Jr., Assistant DNI and Intelligence Community Chief Information Officer
Charlene Leubecker, Deputy Intelligence Community Chief Information Officer
Catherine A. Henson, Director, Data Management
Greg Hall, Chief, Risk Management and Information Security Programs Division
National Institute of Standards and Technology
Charles H. Romine, Director, Information Technology Laboratory
Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory
Donna Dodson, Chief, Computer Security Division
Ron Ross, FISMA Implementation Project Leader
Committee on National Security Systems
Teresa M. Takai, Chair, CNSS
Richard Spires, Co-Chair, CNSS
Dominic Cussatt, CNSS Subcommittee Tri-Chair
Jeffrey Wilk, CNSS Subcommittee Tri-Chair
Richard Tannich, CNSS Subcommittee Tri-Chair
Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross, NIST, JTF Leader
Gary Stoneburner, Johns Hopkins APL
Richard Graubart, The MITRE Corporation
Kelley Dempsey, NIST
Esten Porter, The MITRE Corporation
Bennett Hodge, Booz Allen Hamilton
Karen Quigg, The MITRE Corporation
Christian Enloe, NIST
Kevin Stine, NIST
Jennifer Fabius, The MITRE Corporation
Daniel Faigin, The Aerospace Corporation
Arnold Johnson, NIST
Lisa Kaiser, DHS
Pam Miller, The MITRE Corporation
Sandra Miravalle, The MITRE Corporation
Victoria Pillitteri, NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and Elizabeth Lennon of NIST for their superb technical editing and administrative support. The authors also wish to recognize Marshall Abrams, Nadya Bartol, Frank Belz, Deb Bodeau, Dawn Cappelli, Corinne Castanza, Matt Coose, George Dinolt, Kurt Eleam, Jennifer Guild, Cynthia Irvine, Cass Kelly, Steve LaFountain, Steve Lipner, Tom Macklin, Tim McChesney, Michael McEvilley, John Mildner, Joji Montelibano, George Moore, LouAnna Notargiacomo, Dorian Pappas, Roger Schell, Carol Woody, and the research staff from the NIST Computer Security Division for their exceptional contributions in helping to improve the content of the publication. And finally, the authors also gratefully acknowledge and appreciate the significant contributions from individuals, working groups, and organizations in the public and private sectors, both nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.
FIPS 200 AND SP 800-53
IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.

FIPS 200 and NIST Special Publication 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the organization.
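The categorize, derive, select, and tailor sequence above, as an added Python example that is not part of SP 800-53 or FIPS 200: it takes the FIPS 199 category of each information type a system handles, applies the FIPS 200 high-water mark to get the impact level, selects the cumulative baseline, and then records a rationale for every tailoring decision and parameter assignment so the security plan can document them. The baseline allocation in the block is a constructed sample, not the Appendix D tables, and all function and class names are assumptions of this example.

```python
"""Added example, not part of NIST SP 800-53 or FIPS 200: a small model of the
categorize -> derive impact level -> select baseline -> tailor workflow.
The baseline allocation below is a constructed sample, not the Appendix D
tables; all function and class names are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Set

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability

# A FIPS 199 security category: potential impact value per security objective,
# e.g. {"C": "MODERATE", "I": "LOW", "A": "LOW"}.
SecurityCategory = Dict[str, str]


def system_category(info_types: Mapping[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199: the system's category is, per objective, the highest impact
    value of any information type the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    result = {obj: "LOW" for obj in OBJECTIVES}
    for name, category in info_types.items():
        for obj in OBJECTIVES:
            value = category[obj].upper()
            if value not in RANK:
                raise ValueError(f"{name}: unknown impact value {value!r} for {obj}")
            if RANK[value] > RANK[result[obj]]:
                result[obj] = value
    return result


def impact_level(category: SecurityCategory) -> str:
    """FIPS 200: the system impact level is the high-water mark across C, I, A."""
    return max((category[obj] for obj in OBJECTIVES), key=RANK.__getitem__)


# Constructed sample allocation: control -> lowest baseline that includes it.
# This does NOT reproduce Appendix D; look the real allocations up there.
SAMPLE_ALLOCATION = {
    "AC-2": "LOW", "AU-2": "LOW", "CM-2": "LOW", "IR-7": "LOW",
    "AC-6": "MODERATE", "PE-5": "MODERATE", "SC-18": "MODERATE",
    "AC-2(11)": "HIGH", "AU-10": "HIGH",
}


def select_baseline(level: str, allocation: Mapping[str, str] = SAMPLE_ALLOCATION) -> Set[str]:
    """Baselines are cumulative: HIGH includes MODERATE, which includes LOW."""
    return {c for c, lowest in allocation.items() if RANK[lowest] <= RANK[level]}


@dataclass
class TailoredBaseline:
    """A baseline plus the tailoring decisions the security plan must document."""
    impact_level: str
    controls: Set[str]
    parameters: Dict[str, str] = field(default_factory=dict)
    rationale: List[str] = field(default_factory=list)

    def scope_out(self, control: str, reason: str) -> None:
        """Scoping consideration: a control leaves the baseline only with a reason."""
        if not reason.strip():
            raise ValueError("scoping out requires a documented rationale")
        if control not in self.controls:
            raise KeyError(f"{control} is not in the baseline")
        self.controls.remove(control)
        self.rationale.append(f"removed {control}: {reason}")

    def compensate(self, control: str, substitute: str, reason: str) -> None:
        """Compensating control: an equivalent safeguard replaces a baseline control."""
        self.scope_out(control, f"compensated by {substitute}; {reason}")
        self.controls.add(substitute)

    def supplement(self, control: str, reason: str) -> None:
        """Risk assessment found the baseline insufficient: add a control."""
        self.controls.add(control)
        self.rationale.append(f"added {control}: {reason}")

    def assign(self, control: str, parameter: str, value: str) -> None:
        """Fill an organization-defined parameter (e.g. a review frequency)."""
        if control not in self.controls:
            raise KeyError(f"{control} is not in the baseline")
        self.parameters[f"{control}:{parameter}"] = value
        self.rationale.append(f"{control} {parameter} = {value}")


def build_plan(info_types: Mapping[str, SecurityCategory],
               allocation: Mapping[str, str] = SAMPLE_ALLOCATION) -> TailoredBaseline:
    """The FIPS 200 sequence: categorize, derive the impact level, select the baseline."""
    level = impact_level(system_category(info_types))
    return TailoredBaseline(level, select_baseline(level, allocation))


if __name__ == "__main__":
    # Constructed sample: a system handling two information types.
    plan = build_plan({
        "payroll records": {"C": "MODERATE", "I": "MODERATE", "A": "LOW"},
        "public web content": {"C": "LOW", "I": "MODERATE", "A": "MODERATE"},
    })
    plan.scope_out("PE-5", "no output devices are attached to the system")
    plan.supplement("AU-10", "risk assessment: transactions need non-repudiation")
    plan.assign("AC-2", "account review frequency", "quarterly")
    print(plan.impact_level, sorted(plan.controls))
    print("\n".join(plan.rationale))
```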
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES

In developing standards and guidelines required by FISMA, NIST consults with other federal agencies and the private sector to improve information security, avoid unnecessary and costly duplication of effort, and ensure that its publications are complementary with the standards and guidelines employed for the protection of national security systems. In addition to a comprehensive public review and vetting process, NIST is collaborating with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to establish a unified information security framework for the federal government. A common foundation for information security will provide the Civil, Defense, and Intelligence sectors of the federal government and their contractors more cost-effective and consistent ways to manage information security-related risk to organizational operations and assets, individuals, other organizations, and the Nation. The unified framework will also provide a strong basis for reciprocal acceptance of authorization decisions and facilitate information sharing. NIST is also working with many public and private sector entities to establish mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).
SECURITY REQUIREMENTS
FROM THE PERSPECTIVE OF DIFFERENT COMMUNITIES OF INTEREST

The term security requirement is used by different communities and groups in different ways and may require additional explanation to establish the particular context for the various use cases. Security requirements can be stated at a very high level of abstraction, for example, in legislation, Executive Orders, directives, policies, standards, and mission/business needs statements. FISMA and FIPS Publication 200 articulate security requirements at such a level.

Acquisition personnel develop security requirements for contracting purposes that address the protections necessary to achieve mission/business needs. Systems/security engineers, system developers, and systems integrators develop the security design requirements for the information system, develop the system security architecture and the architecture-specific derived security requirements, and subsequently implement specific security functions at the hardware, software, and firmware component level.

Security requirements are also reflected in various nontechnical security controls that address such matters as policy and procedures at the management and operational elements within organizations, again at differing levels of detail. It is important to define the context for each use of the term security requirement so the respective communities (including individuals responsible for policy, architecture, acquisition, engineering, and mission/business protection) can clearly communicate their intent.

Organizations may define certain security capabilities needed to satisfy security requirements and provide appropriate mission and business protection. Security capabilities are typically defined by bringing together a specific set of safeguards/countermeasures (i.e., security controls) derived from the appropriately tailored baselines that together produce the needed capability.
TECHNOLOGY AND POLICY NEUTRALITY
CHARACTERISTICS OF SECURITY CONTROLS

The security controls in the catalog, with few exceptions, have been designed to be policy- and technology-neutral. This means that security controls and control enhancements focus on the fundamental safeguards and countermeasures necessary to protect information during processing, while in storage, and during transmission. Therefore, it is beyond the scope of this publication to provide guidance on the application of security controls to specific technologies, environments of operation, communities of interest, or missions/business functions. Application-specific areas are addressed by the use of the tailoring process described in Chapter Three and the use of overlays described in Appendix I. It should also be noted that while the security controls are largely policy- and technology-neutral, that does not imply that the controls are policy- and technology-unaware. Understanding policy and technology is necessary so that the controls are meaningful and relevant when implemented.

In the few cases where specific technologies are called out in security controls (e.g., mobile, PKI, wireless, VOIP), organizations are cautioned that the need to provide adequate security goes well beyond the requirements in a single control associated with a particular technology. Many of the needed safeguards and countermeasures are obtained from the other security controls in the catalog allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap in the protections articulated by the security controls within the different control families.

In addition to the customer-driven development of specialized security plans and overlays, NIST Special Publications and Interagency Reports may provide guidance on recommended security controls for specific technologies and sector-specific applications (e.g., Smart Grid, healthcare, Industrial Control Systems, and mobile).

Employing a technology- and policy-neutral security control catalog has the following benefits:
• It encourages organizations to focus on the security capabilities required for mission/business success and the protection of information, irrespective of the information technologies that are employed in organizational information systems.
• It encourages organizations to analyze each security control for its applicability to specific technologies, environments of operation, missions/business functions, and communities of interest.
• It encourages organizations to specify security policies as part of the tailoring process for security controls that have variable parameters.

The specialization of security plans using the tailoring guidance and overlays, together with a robust set of technology- and policy-neutral security controls, promotes cost-effective, risk-based information security for organizations—in any sector, for any technology, and in any operating environment.
INFORMATION SECURITY DUE DILIGENCE
MANAGING THE RISK TO ORGANIZATIONAL MISSIONS/BUSINESS FUNCTIONS

The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organizational security plans meet the mission and business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government.
PRIVACY CONTROLS
PROVIDING PRIVACY PROTECTION FOR FEDERAL INFORMATION

Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. The Privacy Appendix:
• Provides a structured set of privacy controls, based on best practices, that help organizations comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances;
• Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
• Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and ongoing monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
• Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.

There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G. For example, the control AR-1 (Governance and Privacy Program) requires organizations to develop privacy plans that can be implemented at the organizational or program level. These plans can also be used in conjunction with security plans to provide an opportunity for organizations to select the appropriate set of security and privacy controls in accordance with organizational mission/business requirements and the environments in which the organizations operate. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner while simultaneously protecting individual privacy and meeting compliance requirements. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance with those requirements.
CAUTIONARY NOTE
IMPLEMENTING CHANGES BASED ON REVISIONS TO SPECIAL PUBLICATION 800-53

When NIST publishes revisions to Special Publication 800-53, there are four primary types of changes made to the document: (i) security controls or control enhancements are added to or withdrawn from Appendices F and G and/or to the low, moderate, and high baselines; (ii) supplemental guidance is modified; (iii) material in the main chapters or appendices is modified; and (iv) language is clarified and/or updated throughout the document.

When modifying existing tailored security control baselines at Tier 3 in the risk management hierarchy (as described in Special Publication 800-39) and updating security controls at any tier as a result of Special Publication 800-53 revisions, organizations should take a measured, risk-based approach in accordance with organizational risk tolerance and current risk assessments. Unless otherwise directed by OMB policy, the following activities are recommended to implement changes to Special Publication 800-53:
• First, organizations determine if any added security controls/control enhancements are applicable to organizational information systems or environments of operation following tailoring guidelines in this publication.
• Next, organizations review changes to the supplemental guidance, guidance in the main chapters and appendices, and updated/clarified language throughout the publication to determine if changes apply to any organizational information systems and if any immediate actions are required.
• Finally, once organizations have determined the entirety of changes necessitated by the revisions to the publication, the changes are integrated into the established continuous monitoring process to the greatest extent possible. The implementation of new or modified security controls to address specific, active threats is always the highest priority for sequencing and implementing changes. Modifications such as changes to templates or minor language changes in policy or procedures are generally the lowest priority and are made in conjunction with established review cycles.
Table of Contents

CHAPTER ONE INTRODUCTION ... 1
1.1 PURPOSE AND APPLICABILITY ... 2
1.2 TARGET AUDIENCE ... 3
1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS ... 3
1.4 ORGANIZATIONAL RESPONSIBILITIES ... 4
1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION ... 6
CHAPTER TWO THE FUNDAMENTALS ... 7
2.1 MULTITIERED RISK MANAGEMENT ... 7
2.2 SECURITY CONTROL STRUCTURE ... 9
2.3 SECURITY CONTROL BASELINES ... 12
2.4 SECURITY CONTROL DESIGNATIONS ... 14
2.5 EXTERNAL SERVICE PROVIDERS ... 17
2.6 ASSURANCE AND TRUSTWORTHINESS ... 20
2.7 REVISIONS AND EXTENSIONS ... 26
CHAPTER THREE THE PROCESS ... 28
3.1 SELECTING SECURITY CONTROL BASELINES ... 28
3.2 TAILORING BASELINE SECURITY CONTROLS ... 30
3.3 CREATING OVERLAYS ... 40
3.4 DOCUMENTING THE CONTROL SELECTION PROCESS ... 42
3.5 NEW DEVELOPMENT AND LEGACY SYSTEMS ... 44
APPENDIX A REFERENCES ... A-1
APPENDIX B GLOSSARY ... B-1
APPENDIX C ACRONYMS ... C-1
APPENDIX D SECURITY CONTROL BASELINES – SUMMARY ... D-1
APPENDIX E ASSURANCE AND TRUSTWORTHINESS ... E-1
APPENDIX F SECURITY CONTROL CATALOG ... F-1
APPENDIX G INFORMATION SECURITY PROGRAMS ... G-1
APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS ... H-1
APPENDIX I OVERLAY TEMPLATE ... I-1
APPENDIX J PRIVACY CONTROL CATALOG ... J-1
Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”

-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:
• Assumptions relating to security control baseline development;
• Expanded, updated, and streamlined tailoring guidance;
• Additional assignment and selection statement options for security and privacy controls;
• Descriptive names for security and privacy control enhancements;
• Consolidated tables for security controls and control enhancements by family with baseline allocations;
• Tables for security controls that support development, evaluation, and operational assurance; and
• Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).
The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force
Errata

The following changes have been incorporated into Special Publication 800-53, Revision 4.

DATE | TYPE | CHANGE | PAGE
05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3
05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4
05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6
05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7
05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8
05-07-2013 | Editorial | Deleted reference to SA-5(6) in Table D-17. | D-32
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-2. | E-4
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-3. | E-5
05-07-2013 | Editorial | Deleted reference to SA-5(6). | F-161
05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233
01-15-2014 | Editorial | Deleted “(both intentional and unintentional)” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Deleted “security and privacy” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2. | 9
01-15-2014 | Editorial | Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.” | 11
01-15-2014 | Editorial | Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2nd paragraph, line 6. | 13
01-15-2014 | Editorial | Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4. | 28
01-15-2014 | Editorial | Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5. | 28
01-15-2014 | Editorial | Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3. | 29
01-15-2014 | Editorial | Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4. | 29
01-15-2014 | Editorial | Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6. | 29
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1. | 30
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5. | 31
01-15-2014 | Editorial | Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33
01-15-2014 | Editorial | Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33
01-15-2014 | Editorial | Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33
01-15-2014 | Editorial | Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33
01-15-2014 | Editorial | Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33
01-15-2014 | Editorial | Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10. | 36
01-15-2014 | Editorial | Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1. | 40
01-15-2014 | Editorial | Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1
01-15-2014 | Editorial | Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References. | A-7
01-15-2014 | Editorial | Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1. | A-7
01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7
01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11
01-15-2014 | Editorial | Added AC-2(11) to high baseline in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4
01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9
01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.” | D-9
01-15-2014 | Editorial | Added AC-2(12) and AC-2(13) to high baseline in Table D-3. | D-10
01-15-2014 | Editorial | Changed AC-17(5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-17(7) incorporated into reference from AC-3 to AC-3(10) in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice in Table D-5. | D-15
01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19(4) title in Table D-17. | D-34
01-15-2014 | Editorial | Deleted SC-9(1), SC-9(2), SC-9(3), and SC-9(4) from Table D-18. | D-37
01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37
01-15-2014 Editorial Deleted CA-3(5) from Table E-2. E-4
01-15-2014 Editorial Added CM-3(2) to Table E-2. E-4
01-15-2014 Editorial Added RA-5(2) and RA-5(5) to Table E-2. E-4
01-15-2014 Editorial Deleted CA-3(5) from Table E-3. E-5
01-15-2014 Editorial Added CM-3(2) to Table E-3. E-5
01-15-2014 Editorial Deleted bold text from RA-5(2) and RA-5(5) in Table E-3. E-5
01-15-2014 Editorial Added CM-8(9) to Table E-4. E-7
01-15-2014 Editorial Added CP-4(4) to Table E-4. E-7
01-15-2014 Editorial Added IR-3(1) to Table E-4. E-7
01-15-2014 Editorial Added RA-5(3) to Table E-4. E-7
01-15-2014 Editorial Deleted SA-4(4) from Table E-4. E-7
01-15-2014 Editorial Changed SA-21(1) from “enhancements” to “enhancement” in Table E-4. E-7
01-15-2014 Editorial Deleted SI-4(8) from Table E-4. E-7
01-15-2014 Editorial Changed “risk management process” to “RMF” in Using the Catalog, line 4. F-6
01-15-2014 Editorial Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5. F-6
01-15-2014 Editorial Deleted extraneous “,” from AC-2 g. F-7
01-15-2014 Editorial Added AC-2(11) to high baseline. F-10
01-15-2014 Substantive Added the following text to AC-3(2) Supplemental Guidance: “Dual authorization may also be known as two-person control.” F-11
01-15-2014 Editorial Changed “ucdmo.gov” to “None” in AC-4 References. F-18
01-15-2014 Editorial Added “.” after “C.F.R” in AT-2 References. F-38
01-15-2014 Editorial Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice. F-42
01-15-2014 Editorial Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References. F-42
01-15-2014 Editorial Changed “identify” to “identity” in AU-6(6) Supplemental Guidance. F-46
01-15-2014 Substantive Added the following text to AU-9(5) Supplemental Guidance: “Dual authorization may also be known as two-person control.” F-49
01-15-2014 Editorial Added “Control Enhancements: None.” to AU-15. F-53
01-15-2014 Editorial Deleted extraneous “.” from CM-2(7) Supplemental Guidance. F-66
01-15-2014 Editorial Added “)” after “board” in CM-3 g. F-66
01-15-2014 Substantive Added CA-7 to related controls list in CM-3. F-66
01-15-2014 Substantive Added the following text to CM-5(4) Supplemental Guidance: “Dual authorization may also be known as two-person control.” F-69
01-15-2014 Editorial Added “http://” to URLs in CM-6 References. F-71
01-15-2014 Editorial Added “component” before “inventories” in CM-8(5). F-74
01-15-2014 Editorial Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References. F-86
01-15-2014 Substantive Added the following text to CP-9(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” F-87
01-15-2014 Editorial Changed “HSPD 12” to “HSPD-12” and
the main discussion will be Schwarzenegger and fitness,talk about ho.docx
 
The minimum length for this assignment is 1,500 words. Cellular .docx
The minimum length for this assignment is 1,500 words. Cellular .docxThe minimum length for this assignment is 1,500 words. Cellular .docx
The minimum length for this assignment is 1,500 words. Cellular .docx
 
The Main Post needs to be 3-5 Paragraphs At a minimum, each stud.docx
The Main Post needs to be 3-5 Paragraphs At a minimum, each stud.docxThe Main Post needs to be 3-5 Paragraphs At a minimum, each stud.docx
The Main Post needs to be 3-5 Paragraphs At a minimum, each stud.docx
 
The main characters in Tay Garnetts film The Postman Always Rings.docx
The main characters in Tay Garnetts film The Postman Always Rings.docxThe main characters in Tay Garnetts film The Postman Always Rings.docx
The main characters in Tay Garnetts film The Postman Always Rings.docx
 
The minimum length for this assignment is 2,000 words and MUST inclu.docx
The minimum length for this assignment is 2,000 words and MUST inclu.docxThe minimum length for this assignment is 2,000 words and MUST inclu.docx
The minimum length for this assignment is 2,000 words and MUST inclu.docx
 
The mafia is a well organized enterprise that deals with drugs, pros.docx
The mafia is a well organized enterprise that deals with drugs, pros.docxThe mafia is a well organized enterprise that deals with drugs, pros.docx
The mafia is a well organized enterprise that deals with drugs, pros.docx
 
The minimum length for this assignment is 1,500 words. Be sure to ch.docx
The minimum length for this assignment is 1,500 words. Be sure to ch.docxThe minimum length for this assignment is 1,500 words. Be sure to ch.docx
The minimum length for this assignment is 1,500 words. Be sure to ch.docx
 
The madrigal was a very popular musical genre in the Renaissance. Ex.docx
The madrigal was a very popular musical genre in the Renaissance. Ex.docxThe madrigal was a very popular musical genre in the Renaissance. Ex.docx
The madrigal was a very popular musical genre in the Renaissance. Ex.docx
 

Recently uploaded

會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
中 央社
 
Poster_density_driven_with_fracture_MLMC.pdf
Poster_density_driven_with_fracture_MLMC.pdfPoster_density_driven_with_fracture_MLMC.pdf
Poster_density_driven_with_fracture_MLMC.pdf
Alexander Litvinenko
 

Recently uploaded (20)

Book Review of Run For Your Life Powerpoint
Book Review of Run For Your Life PowerpointBook Review of Run For Your Life Powerpoint
Book Review of Run For Your Life Powerpoint
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptx
 
ANTI PARKISON DRUGS.pptx
ANTI         PARKISON          DRUGS.pptxANTI         PARKISON          DRUGS.pptx
ANTI PARKISON DRUGS.pptx
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
 
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
 
MOOD STABLIZERS DRUGS.pptx
MOOD     STABLIZERS           DRUGS.pptxMOOD     STABLIZERS           DRUGS.pptx
MOOD STABLIZERS DRUGS.pptx
 
“O BEIJO” EM ARTE .
“O BEIJO” EM ARTE                       .“O BEIJO” EM ARTE                       .
“O BEIJO” EM ARTE .
 
Benefits and Challenges of OER by Shweta Babel.pptx
Benefits and Challenges of OER by Shweta Babel.pptxBenefits and Challenges of OER by Shweta Babel.pptx
Benefits and Challenges of OER by Shweta Babel.pptx
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio App
 
IPL Online Quiz by Pragya; Question Set.
IPL Online Quiz by Pragya; Question Set.IPL Online Quiz by Pragya; Question Set.
IPL Online Quiz by Pragya; Question Set.
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptx
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
 
Word Stress rules esl .pptx
Word Stress rules esl               .pptxWord Stress rules esl               .pptx
Word Stress rules esl .pptx
 
Poster_density_driven_with_fracture_MLMC.pdf
Poster_density_driven_with_fracture_MLMC.pdfPoster_density_driven_with_fracture_MLMC.pdf
Poster_density_driven_with_fracture_MLMC.pdf
 
Including Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdfIncluding Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdf
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 

Rubric Name Project 7 Organization Enterprise Plan and Security P.docx

Rubric Name: Project 7 Organization Enterprise Plan and Security Policy Rubric

Performance levels and points per criterion: Excellent (17), Outstanding (13), Acceptable (10), Needs Improvement (6), Needs Significant Improvement (3), Missing or No Submission (0). The Grammar, Spelling, Punctuation criterion is scored 15 / 12 / 9 / 6 / 3 / 0.

Criterion: Address of critical areas
The critical areas are:
• Identify threats and vulnerabilities.
• Assign appropriate security controls to protect the infrastructure of the organization.
• Prepare vulnerability scans and effective risk management protocols to ensure protections remain current and effective and detect any issues.
• Initiate an incident response plan for responding to problems.
• Develop a business continuity and disaster recovery plan to recover from interruptions in business whether manmade or geographical.
17 points: Ensured the plan policy thoroughly addressed each of the critical areas above.
13 points: Plan policy provides good coverage of the critical areas above.
10 points: Plan policy provides fair coverage of the critical areas above.
6 points: Plan policy provides poor coverage of the critical areas above.
3 points: Plan policy provides inadequate coverage of the critical areas above.
0 points: Not included or no submission.

Criterion: Explanation of functionality
17 points: Identified and thoroughly explained the functionality of the Framework Tiers.
13 points: Each tier was adequately explained and purpose defined for functionality of the Framework Tiers.
10 points: Tiers were explained and purpose described without full functionality coverage of the Framework Tiers.
6 points: Overview of the tiers was provided and the tiers were explained with some description of the functionality of the Framework Tiers.
3 points: Inadequate description of the tiers with poor description of the functionality of the Framework Tiers.
0 points: Not included or no submission.

Criterion: Use of Framework Outline
17 points: Excellent use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document.
13 points: Outstanding use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. No more than 1 element was missing or inadequately addressed.
10 points: Acceptable use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. No more than 2 elements were missing or inadequately addressed.
6 points: Fair use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document. More than 2 elements were missing or inadequately addressed.
3 points: Poor use of the Framework Outline to establish criteria for security control selection and inclusion of this analysis in the planning policy document.
0 points: Not included or no submission.

Criterion: Creation of correlation
17 points: Created a well-defined correlation between the cybersecurity framework and risk management for your enterprise planning policy.
13 points: Developed a cause and effect between the cybersecurity framework and risk management for your enterprise planning policy.
10 points: Established a good relationship between the cybersecurity framework and risk management for your enterprise planning policy.
6 points: Defined a fair relationship between the cybersecurity framework and risk management for your enterprise planning policy.
3 points: No defined relationship between the cybersecurity framework and risk management for your enterprise planning policy.
0 points: Not included or no submission.

Criterion: Excerpt on Risk Management
17 points: Provided an excellent, efficient and relevant excerpt on risk management that included a clear and concise protocol for mitigating disasters.
13 points: Included an outstanding excerpt on risk management that included a well defined protocol for mitigating disasters.
10 points: Developed an acceptable excerpt on risk management that included a protocol for mitigating disasters.
6 points: Incomplete submission for providing an excerpt on risk management that included a protocol for mitigating disasters. Protocol was incomplete and/or missing minor points.
3 points: Insufficient information to establish an excerpt on risk management that included a protocol for mitigating disasters.
0 points: Not included or no submission.

Criterion: Grammar, Spelling, Punctuation
15 points: Fully complied with formatting requirements. Successfully completed all procedures in the assignment. Exceptional quality of the assignment with clear, concise, and meaningful content. Appropriate research conducted when necessary and resolution of the task. Content contained relevant citations to an accuracy of 90%. Reference citations were in the reference/bibliography list.
12 points: Complied with formatting requirements. Completed all procedures in the assignment. Good quality of the assignment with clear, concise, and meaningful content. Research conducted when necessary and attempts at resolution included for the task. Content contained relevant citations to an accuracy of 80%. Reference citations were in the reference/bibliography list.
9 points: Partially complied with formatting requirements. Partially completed the assignment. Average quality of the assignment with clear, concise, and meaningful content. Research attempted and resolution is incomplete. Content contained relevant citations to an accuracy of 70%. Reference citations were in the reference/bibliography list.
6 points: Did not meet criteria for formatting requirements. Assignment is incomplete. Poor quality of the assignment and inadequate content. No research attempted and problem not fully resolved. Content contained relevant citations to an accuracy of 60%. Reference citations were in the reference/bibliography list.
3 points: Did not adhere to formatting requirements. Criteria for assignment not met. Poor quality of the assignment and incomplete content. No research attempted and problem not addressed. Content contained relevant citations to an accuracy of below 60%. Reference citations were in the reference/bibliography list.
0 points: Not included or no submission.

Overall Score
Level 6: 35 or more
Level 5: 29 or more
Level 4: 23 or more
Level 3: 17 or more
Level 2: 11 or more
Level 1: 0 or more

FIPS PUB 200
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION
Minimum Security Requirements for Federal Information and Information Systems
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

March 2006

U.S. DEPARTMENT OF COMMERCE
Carlos M. Gutierrez, Secretary

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
William Jeffrey, Director

FOREWORD
The Federal Information Processing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.

Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.

-- CITA M. FURLANI, ACTING DIRECTOR, INFORMATION TECHNOLOGY LABORATORY

AUTHORITY

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).

Federal Information Processing Standards 200
March 9, 2006

Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.

1. Name of Standard. FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems.

2. Category of Standard. Information Security.
3. Explanation. The E-Government Act (P.L. 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for each federal agency to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.

4. Approving Authority. Secretary of Commerce.

5. Maintenance Agency. Department of Commerce, NIST, Information Technology Laboratory.

6. Applicability. This standard is applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). The standard has been broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of this standard, as appropriate.

7. Specifications. FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

8. Implementations. This standard specifies minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended.

9. Effective Date. This standard is effective immediately. Federal agencies must be in compliance with this standard not later than one year from its effective date.

10. Qualifications. The application of the security controls defined in NIST Special Publication 800-53 required by this standard represents the current state-of-the-practice safeguards and countermeasures for information systems. The security controls will be reviewed by NIST at least annually and, if necessary, revised and extended to reflect: (i) the experience gained from using the controls; (ii) the changing security requirements within federal agencies; and (iii) the new security technologies that may be available. The minimum security controls defined in the low, moderate, and high security control baselines are also expected to change over time, as the level of security and due diligence for mitigating risks within federal agencies increases. The proposed additions, deletions, or modifications to the catalog of security controls and the proposed changes to the security control baselines in NIST Special Publication 800-53 will go through a rigorous, public review process to obtain government and private sector feedback and to build consensus for the changes. Federal agencies will have up to one year from the date of final publication to fully comply with the
changes but are encouraged to initiate compliance activities immediately.

11. Waivers. No provision is provided under FISMA for waivers to FIPS made mandatory by the Secretary of Commerce.

12. Where to Obtain Copies. This publication is available from the NIST Computer Security Division web site by accessing http://csrc.nist.gov/publications.

TABLE OF CONTENTS
SECTION 1 PURPOSE
SECTION 2 INFORMATION SYSTEM IMPACT LEVELS
SECTION 3 MINIMUM SECURITY REQUIREMENTS
SECTION 4 SECURITY CONTROL SELECTION
APPENDIX A TERMS AND DEFINITIONS
APPENDIX B REFERENCES
APPENDIX C ACRONYMS

1 PURPOSE

The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST with the responsibility of developing security standards and guidelines for the federal government including the development of:
• Standards for categorizing information and information systems [1] collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and
information systems to be included in each category; and
• Minimum information security requirements for information and information systems in each such category.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation. [2] FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard will promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.

2 INFORMATION SYSTEM IMPACT LEVELS

FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark [3]) from among the security categories that have been determined for each type of information resident on those information systems. [4] The generalized format for expressing the security category (SC) of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.

Footnotes:
[1] An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.
[2] NIST security standards and guidelines referenced in this publication are available at http://csrc.nist.gov.
[3] The high water mark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well.
[4] NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance on the assignment of security categories to information and information systems.
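The security category notation and the high water mark rule above, worked through as an added Python example (this is not code from FIPS 200 or from the page). The per-objective high water mark across the information types a system hosts, and the low/moderate/high overall level derived from it, follow the text of section 2; the two information types and their impact values are constructed for illustration.

```python
"""FIPS 199/200 security category (SC) and overall impact level via the high water mark.

Added worked example, not part of FIPS 200. The information types, their impact
values and the helper names below are constructed for illustration.
"""
from typing import Dict, Iterable

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("low", "moderate", "high")          # ordered: position is the rank
RANK = {level: i for i, level in enumerate(LEVELS)}

# A security category maps each objective to an impact value, e.g.
# {"confidentiality": "low", "integrity": "moderate", "availability": "low"}
SecurityCategory = Dict[str, str]


def validate(sc: SecurityCategory) -> SecurityCategory:
    """Reject a category missing an objective or using a value outside low/moderate/high."""
    missing = [obj for obj in OBJECTIVES if obj not in sc]
    if missing:
        raise ValueError(f"security category is missing objectives: {missing}")
    bad = {obj: val for obj, val in sc.items() if val not in RANK}
    if bad:
        raise ValueError(f"impact values must be one of {LEVELS}, got {bad}")
    return sc


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact value among the given values (the FIPS 200 'high water mark')."""
    values = list(levels)
    if not values:
        raise ValueError("no impact values to compare")
    return max(values, key=lambda lvl: RANK[lvl])


def system_security_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """SC of an information system: for each objective, the high water mark over the
    security categories of every information type resident on the system."""
    if not info_types:
        raise ValueError("an information system must host at least one information type")
    categories = [validate(sc) for sc in info_types.values()]
    return {obj: high_water_mark(sc[obj] for sc in categories) for obj in OBJECTIVES}


def overall_impact_level(sc: SecurityCategory) -> str:
    """Overall impact level of a system, as section 2 defines it: low when all three
    objectives are low; high when at least one objective is high; otherwise moderate."""
    values = [validate(sc)[obj] for obj in OBJECTIVES]
    if all(v == "low" for v in values):
        return "low"
    if any(v == "high" for v in values):
        return "high"
    return "moderate"


def format_sc(sc: SecurityCategory) -> str:
    """Render a category in the FIPS 200 notation SC = {(confidentiality, x), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed example: one system hosting two information types with different categories.
EXAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "internal HR records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    sc = system_security_category(EXAMPLE_SYSTEM)
    print(format_sc(sc))
    print("overall impact level:", overall_impact_level(sc))
```

Because the overall level is the high water mark of the three objectives, a single "high" for availability on an otherwise low-impact system makes the whole system high-impact, which is the dependency argument footnote 3 makes.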
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

3 MINIMUM SECURITY REQUIREMENTS

The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include:
(i) access control;
(ii) awareness and training;
(iii) audit and accountability;
(iv) certification, accreditation, and security assessments;
(v) configuration management;
(vi) contingency planning;
(vii) identification and authentication;
(viii) incident response;
(ix) maintenance;
(x) media protection;
(xi) physical and environmental protection;
(xii) planning;
(xiii) personnel security;
(xiv) risk assessment;
(xv) systems and services acquisition;
(xvi) system and communications protection; and
(xvii) system and information integrity.
The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.

Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.

Specifications for Minimum Security Requirements

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures
  • 21. related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. 2 FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems _____________________________________________________
  • 22. ___________________________________________ Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities. Maintenance (MA): Organizations must: (i) perform periodic
  • 23. and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as
  • 24. terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information. System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. 3 FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems _____________________________________________________ ___________________________________________ System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information
  • 25. systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response. 4 SECURITY CONTROL SELECTION Organizations must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.5 The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security6 is a multifaceted, risk-based activity involving management and operational personnel within the organization. Security categorization of federal information and information systems, as required by FIPS Publication 199, is the first step in the risk management process.7 Subsequent to the security categorization process, organizations must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in this standard. The selected set of security controls must include one of three, appropriately
  • 26. tailored8 security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process. - For low-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the low baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the low baseline are satisfied. - For moderate-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied. - For high-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the high baseline are satisfied. Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST Special Publication 800-53.
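The high water mark rule above and the baseline selection that follows it form one small decision procedure, and it is worth seeing it carried through end to end. The Python below is an added example, not code from FIPS 200 or from NIST. It parses the FIPS 199 security category notation, SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, which this page does not reproduce; combines the categories of every information type a system handles by taking the highest value per objective (the per-objective high water mark FIPS 199 describes, a step this page only implies); applies the FIPS 200 rule to obtain the system impact level; and names the SP 800-53 baseline that must then be tailored. Every function, constant and baseline label is an assumption made for this example, and the sample categories are constructed.

```python
import re
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Assumed labels for the three SP 800-53 baselines named in Section 4.
# The chosen baseline is a floor: it is tailored, never skipped.
BASELINES = {
    Impact.LOW: "NIST SP 800-53 low baseline",
    Impact.MODERATE: "NIST SP 800-53 moderate baseline",
    Impact.HIGH: "NIST SP 800-53 high baseline",
}

# Matches one (objective, impact) pair of the FIPS 199 SC notation.
_SC_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(low|moderate|high)\s*\)",
    re.IGNORECASE,
)


def parse_security_category(text):
    """Parse 'SC = {(confidentiality, X), (integrity, Y), (availability, Z)}'
    into {objective: Impact}. A missing or duplicated objective raises
    ValueError so a malformed category cannot silently default to LOW."""
    found = {}
    for objective, value in _SC_PAIR.findall(text):
        objective = objective.lower()
        if objective in found:
            raise ValueError(f"duplicate objective in security category: {objective}")
        found[objective] = Impact[value.upper()]
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"security category is missing objectives: {missing}")
    return found


def system_security_category(info_type_categories):
    """Combine the categories of all information types on one system:
    each objective takes the highest value any information type assigns it."""
    if not info_type_categories:
        raise ValueError("a system must process at least one information type")
    return {
        objective: max(category[objective] for category in info_type_categories)
        for objective in OBJECTIVES
    }


def impact_level(category):
    """FIPS 200 Section 2: low only if all three objectives are low; moderate if
    at least one is moderate and none is high; high if any objective is high.
    The maximum over the three values is exactly that rule."""
    return max(category[objective] for objective in OBJECTIVES)


def select_baseline(info_type_categories):
    """Full path from FIPS 199 categories to the FIPS 200 minimum requirement:
    aggregate per objective, apply the high water mark, name the baseline."""
    category = system_security_category(info_type_categories)
    level = impact_level(category)
    return {
        "category": {objective: value.name for objective, value in category.items()},
        "impact_level": level.name,
        "baseline": BASELINES[level],
    }


if __name__ == "__main__":
    # Constructed sample: one system handling two information types whose
    # categories disagree on which objective matters most.
    sample = [
        parse_security_category(
            "SC = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}"),
        parse_security_category(
            "SC = {(confidentiality, LOW), (integrity, LOW), (availability, MODERATE)}"),
    ]
    print(select_baseline(sample))
```

Note that the aggregation step is what makes the result non-obvious: neither information type alone rates availability and integrity as moderate, yet the system-level category does, and the moderate baseline follows from it. A low impact level is reachable only when every information type rates every objective low, which is why a parser that quietly defaulted a missing objective to LOW would understate the requirement.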
⁵ Organizations must use the most current version of NIST Special Publication 800-53, as amended, for the security control selection process.

⁶ The Office of Management and Budget (OMB) Circular A-130, Appendix III, defines adequate security as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

⁷ Security categorization must be accomplished as an enterprise-wide activity with the involvement of senior-level organizational officials including, but not limited to, chief information officers, senior agency information security officers, authorizing officials (a.k.a. accreditation authorities), information system owners, and information owners.

⁸ Tailoring guidance for security control baselines is provided in NIST Special Publication 800-53.

To ensure a cost-effective, risk-based approach to achieving adequate security across the organization, security control baseline tailoring activities must be coordinated with and approved by appropriate organizational officials (e.g., chief information officers, senior agency information security officers, authorizing officials, or authorizing officials designated representatives). The resulting set of security controls must be documented in the security plan for the information system.

APPENDIX A TERMS AND DEFINITIONS

ACCREDITATION: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

ADEQUATE SECURITY: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III]

AGENCY: Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. [44 U.S.C., SEC. 3502]

AUTHENTICATION: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

AUTHORIZING OFFICIAL: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

CERTIFICATION: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

CHIEF INFORMATION OFFICER: Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. [44 U.S.C., Sec. 5125(b)]

CHIEF INFORMATION SECURITY OFFICER: See Senior Agency Information Security Officer.

CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

COUNTERMEASURES: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.

ENVIRONMENT: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009]

EXECUTIVE AGENCY: An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly-owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41 U.S.C., SEC. 403]

FEDERAL AGENCY: See Agency.

FEDERAL INFORMATION SYSTEM: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331]

HIGH-IMPACT SYSTEM: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.

INCIDENT: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

INFORMATION: An instance of an information type. [FIPS Publication 199]

INFORMATION OWNER: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [CNSS Instruction 4009]

INFORMATION RESOURCES: Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]

INFORMATION SECURITY: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542]

INFORMATION SYSTEM: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]

INFORMATION SYSTEM OWNER: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [CNSS Instruction 4009 Adapted]

INFORMATION TECHNOLOGY: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. [40 U.S.C., SEC. 1401]

INFORMATION TYPE: A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. [FIPS Publication 199]

INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]

LOW-IMPACT SYSTEM: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.

MANAGEMENT CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
MEDIA: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

MODERATE-IMPACT SYSTEM: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.

NATIONAL SECURITY INFORMATION: Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.

NATIONAL SECURITY SYSTEM: Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. [44 U.S.C., SEC. 3542]

OPERATIONAL CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

ORGANIZATION: A federal agency or, as appropriate, any of its operational elements.

POTENTIAL IMPACT: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

RECORDS: All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them. [44 U.S.C. SEC. 3301]

RISK: The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

RISK MANAGEMENT: The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

SAFEGUARDS: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures.

SANITIZATION: Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. [CNSS Instruction 4009 Adapted]
SECURITY CATEGORY: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS Publication 199]

SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

SECURITY OBJECTIVE: Confidentiality, integrity, or availability. [FIPS Publication 199]

SECURITY PLAN: See System Security Plan.

SECURITY REQUIREMENTS: Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

SENIOR AGENCY INFORMATION SECURITY OFFICER: Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. [44 U.S.C., Sec. 3544]

SYSTEM: See information system.

SYSTEM SECURITY PLAN: Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Revision 1]

TECHNICAL CONTROLS: The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

THREAT: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [CNSS Instruction 4009 Adapted]

THREAT SOURCE: The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

USER: Individual or (system) process authorized to access an information system. [CNSS Instruction 4009]

VULNERABILITY: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted]

APPENDIX B REFERENCES

[1] Committee for National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, May 2003.
[2] E-Government Act of 2002 (Public Law 107-347), December 2002.
[3] Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
[4] Federal Information Security Management Act of 2002 (Public Law 107-347, Title III), December 2002.
[5] Information Technology Management Reform Act of 1996 (Public Law 104-106), August 1996.
[6] National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.
[7] National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
[8] National Institute of Standards and Technology Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
[9] Office of Management and Budget, Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 2000.

APPENDIX C ACRONYMS

CIO Chief Information Officer
CNSS Committee for National Security Systems
FIPS Federal Information Processing Standards
FISMA Federal Information Security Management Act
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
USC United States Code

NIST Special Publication 800-53 Revision 4
Security and Privacy Controls for Federal Information Systems and Organizations
JOINT TASK FORCE TRANSFORMATION INITIATIVE

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4

April 2013
INCLUDES UPDATES AS OF 01-22-2015

U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director

Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Electronic Mail: [email protected]

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.

Keywords

Assurance; computer security; FIPS Publication 199; FIPS Publication 200; FISMA; Privacy Act; Risk Management Framework; security controls; security requirements.

Acknowledgements

This publication was developed by the Joint Task Force Transformation Initiative Interagency Working Group with representatives from the Civil, Defense, and Intelligence Communities in an ongoing effort to produce a unified information security framework for the federal government. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency technical working group whose dedicated efforts contributed significantly to the publication. The senior leaders, interagency working group members, and their organizational affiliations include:

Department of Defense
  Teresa M. Takai, DoD Chief Information Officer
  Robert J. Carey, Principal Deputy DoD Chief Information Officer
  Richard Hale, Deputy Chief Information Officer for Cybersecurity
  Dominic Cussatt, Deputy Director, Cybersecurity Policy

Office of the Director of National Intelligence
  Adolpho Tarasiuk Jr., Assistant DNI and Intelligence Community Chief Information Officer
  Charlene Leubecker, Deputy Intelligence Community Chief Information Officer
  Catherine A. Henson, Director, Data Management
  Greg Hall, Chief, Risk Management and Information Security Programs Division

National Institute of Standards and Technology
  Charles H. Romine, Director, Information Technology Laboratory
  Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory
  Donna Dodson, Chief, Computer Security Division
  Ron Ross, FISMA Implementation Project Leader

Committee on National Security Systems
  Teresa M. Takai, Chair, CNSS
  Richard Spires, Co-Chair, CNSS
  Dominic Cussatt, CNSS Subcommittee Tri-Chair
  Jeffrey Wilk, CNSS Subcommittee Tri-Chair
  Richard Tannich, CNSS Subcommittee Tri-Chair

Joint Task Force Transformation Initiative Interagency Working Group
  Ron Ross, NIST, JTF Leader
  Gary Stoneburner, Johns Hopkins APL
  Richard Graubart, The MITRE Corporation
  Kelley Dempsey, NIST
  Esten Porter, The MITRE Corporation
  Bennett Hodge, Booz Allen Hamilton
  Karen Quigg, The MITRE Corporation
  Christian Enloe, NIST
  Kevin Stine, NIST
  Jennifer Fabius, The MITRE Corporation
  Daniel Faigin, The Aerospace Corporation
  Arnold Johnson, NIST
  Lisa Kaiser, DHS
  Pam Miller, The MITRE Corporation
  Sandra Miravalle, The MITRE Corporation
  Victoria Pillitteri, NIST

In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and Elizabeth Lennon of NIST for their superb technical editing and administrative support. The authors also wish to recognize Marshall Abrams, Nadya Bartol, Frank Belz, Deb Bodeau, Dawn Cappelli, Corinne Castanza, Matt Coose, George Dinolt, Kurt Eleam, Jennifer Guild, Cynthia Irvine, Cass Kelly, Steve LaFountain, Steve Lipner, Tom Macklin, Tim McChesney, Michael McEvilley, John Mildner, Joji Montelibano, George Moore, LouAnna Notargiacomo, Dorian Pappas, Roger Schell, Carol Woody, and the research staff from the NIST Computer Security Division for their exceptional contributions in helping to improve the content of the publication. And finally, the authors also gratefully acknowledge and appreciate the significant contributions from individuals, working groups, and organizations in the public and private sectors, both nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.

FIPS 200 AND SP 800-53
IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation. FIPS 200 and NIST Special Publication 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the organization.
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES

In developing standards and guidelines required by FISMA, NIST consults with other federal agencies and the private sector to improve information security, avoid unnecessary and costly duplication of effort, and ensure that its publications are complementary with the standards and guidelines employed for the protection of national security systems. In addition to a comprehensive public review and vetting process, NIST is collaborating with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to establish a unified information security framework for the federal government. A common foundation for information security will provide the Civil, Defense, and Intelligence sectors of the federal government and their contractors more cost-effective and consistent ways to manage information security-related risk to organizational operations and assets, individuals, other organizations, and the Nation. The unified framework will also provide a strong basis for reciprocal acceptance of authorization decisions and facilitate information sharing. NIST is also working with many public and private sector entities to establish mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).
SECURITY REQUIREMENTS
FROM THE PERSPECTIVE OF DIFFERENT COMMUNITIES OF INTEREST

The term security requirement is used by different communities and groups in different ways and may require additional explanation to establish the particular context for the various use cases. Security requirements can be stated at a very high level of abstraction, for example, in legislation, Executive Orders, directives, policies, standards, and mission/business needs statements. FISMA and FIPS Publication 200 articulate security requirements at such a level. Acquisition personnel develop security requirements for contracting purposes that address the protections necessary to achieve mission/business needs. Systems/security engineers, system developers, and systems integrators develop the security design requirements for the information system, develop the system security architecture and the architecture-specific derived security requirements, and subsequently implement specific security functions at the hardware, software, and firmware component level. Security requirements are also reflected in various nontechnical security controls that address such matters as policy and procedures at the management and operational elements within organizations, again at differing levels of detail. It is important to define the context for each use of the term security requirement so the respective communities (including individuals responsible for policy, architecture, acquisition, engineering, and mission/business protection) can clearly communicate their intent. Organizations may define certain security capabilities needed to satisfy security requirements and provide appropriate mission and business protection. Security capabilities are typically defined by bringing together a specific set of safeguards/countermeasures (i.e., security controls) derived from the appropriately tailored baselines that together produce the needed capability.
TECHNOLOGY AND POLICY NEUTRALITY
CHARACTERISTICS OF SECURITY CONTROLS

The security controls in the catalog, with few exceptions, have been designed to be policy- and technology-neutral. This means that security controls and control enhancements focus on the fundamental safeguards and countermeasures necessary to protect information during processing, while in storage, and during transmission. Therefore, it is beyond the scope of this publication to provide guidance on the application of security controls to specific technologies, environments of operation, communities of interest, or missions/business functions. Application-specific areas are addressed by the use of the tailoring process described in Chapter Three and the use of overlays described in Appendix I. It should also be noted that while the security controls are largely policy- and technology-neutral, that does not imply that the controls are policy- and technology-unaware. Understanding policy and technology is necessary so that the controls are meaningful and relevant when implemented. In the few cases where specific technologies are called out in security controls (e.g., mobile, PKI, wireless, VOIP), organizations are cautioned that the need to provide adequate security goes well beyond the requirements in a single control associated with a particular technology. Many of the needed safeguards and countermeasures are obtained from the other security controls in the catalog allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap in the protections articulated by the security controls within the different control families. In addition to the customer-driven development of specialized security plans and overlays, NIST Special Publications and Interagency Reports may provide guidance on recommended security controls for specific technologies and sector-specific applications (e.g., Smart Grid, healthcare, Industrial Control Systems, and mobile). Employing a technology- and policy-neutral security control catalog has the following benefits:

• It encourages organizations to focus on the security capabilities required for mission/business success and the protection of information, irrespective of the information technologies that are employed in organizational information systems.
• It encourages organizations to analyze each security control for its applicability to specific technologies, environments of operation, missions/business functions, and communities of interest.
• It encourages organizations to specify security policies as part of the tailoring process for security controls that have variable parameters.
The specialization of security plans using the tailoring guidance and overlays, together with a robust set of technology- and policy-neutral security controls, promotes cost-effective, risk-based information security for organizations—in any sector, for any technology, and in any operating environment.

INFORMATION SECURITY DUE DILIGENCE
MANAGING THE RISK TO ORGANIZATIONAL MISSIONS/BUSINESS FUNCTIONS

The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organizational security plans meet the mission and business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government.

PRIVACY CONTROLS
PROVIDING PRIVACY PROTECTION FOR FEDERAL INFORMATION
Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. The Privacy Appendix:

• Provides a structured set of privacy controls, based on best practices, that help organizations comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances;
• Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
• Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and ongoing monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
• Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.

There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G. For example, the control AR-1 (Governance and Privacy Program) requires organizations to develop privacy plans that can be implemented at the organizational or program level. These plans can also be used in conjunction with security plans to provide an opportunity for organizations to select the appropriate set of security and privacy controls in accordance with organizational mission/business requirements and the environments in which the organizations operate. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner while simultaneously protecting individual privacy and meeting compliance requirements. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance to those requirements.

CAUTIONARY NOTE
IMPLEMENTING CHANGES BASED ON REVISIONS TO SPECIAL PUBLICATION 800-53

When NIST publishes revisions to Special Publication 800-53, there are four primary types of changes made to the document: (i) security controls or control enhancements are added to or withdrawn from Appendices F and G and/or to the low, moderate, and high baselines; (ii) supplemental guidance is modified; (iii) material in the main chapters or appendices is modified; and (iv) language is clarified and/or updated throughout the document. When modifying existing tailored security control baselines at Tier 3 in the risk management hierarchy (as described in Special Publication 800-39) and updating security controls at any tier as a result of Special Publication 800-53 revisions, organizations should take a measured, risk-based approach in accordance with organizational risk tolerance and current risk assessments. Unless otherwise directed by OMB policy, the following activities are recommended to implement changes to Special Publication 800-53:

• First, organizations determine if any added security controls/control enhancements are applicable to organizational information systems or environments of operation following tailoring guidelines in this publication.
• Next, organizations review changes to the supplemental guidance, guidance in the main chapters and appendices, and updated/clarified language throughout the publication to determine if changes apply to any organizational information systems and if any immediate actions are required.
• Finally, once organizations have determined the entirety of changes necessitated by the revisions to the publication, the changes are integrated into the established continuous monitoring process to the greatest extent possible.

The implementation of new or modified security controls to address specific, active threats is always the highest priority for sequencing and implementing changes. Modifications such as changes to templates or minor language changes in policy or procedures are generally the lowest priority and are made in conjunction with established review cycles.

Table of Contents (section, page)

CHAPTER ONE  INTRODUCTION  1
  1.1 PURPOSE AND APPLICABILITY  2
  1.2 TARGET AUDIENCE  3
  1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS  3
  1.4 ORGANIZATIONAL RESPONSIBILITIES  4
  1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION  6
CHAPTER TWO  THE FUNDAMENTALS  7
  2.1 MULTITIERED RISK MANAGEMENT  7
  2.2 SECURITY CONTROL STRUCTURE  9
  2.3 SECURITY CONTROL BASELINES  12
  2.4 SECURITY CONTROL DESIGNATIONS  14
  2.5 EXTERNAL SERVICE PROVIDERS  17
  2.6 ASSURANCE AND TRUSTWORTHINESS  20
  2.7 REVISIONS AND EXTENSIONS  26
CHAPTER THREE  THE PROCESS  28
  3.1 SELECTING SECURITY CONTROL BASELINES  28
  3.2 TAILORING BASELINE SECURITY CONTROLS  30
  3.3 CREATING OVERLAYS  40
  3.4 DOCUMENTING THE CONTROL SELECTION PROCESS  42
  3.5 NEW DEVELOPMENT AND LEGACY SYSTEMS  44
APPENDIX A  REFERENCES  A-1
APPENDIX B  GLOSSARY  B-1
APPENDIX C  ACRONYMS  C-1
APPENDIX D  SECURITY CONTROL BASELINES – SUMMARY  D-1
APPENDIX E  ASSURANCE AND TRUSTWORTHINESS  E-1
APPENDIX F  SECURITY CONTROL CATALOG  F-1
APPENDIX G  INFORMATION SECURITY PROGRAMS  G-1
APPENDIX H  INTERNATIONAL INFORMATION SECURITY STANDARDS  H-1
APPENDIX I  OVERLAY TEMPLATE  I-1
APPENDIX J  PRIVACY CONTROL CATALOG  J-1
Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”

-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:

• Assumptions relating to security control baseline development;
• Expanded, updated, and streamlined tailoring guidance;
• Additional assignment and selection statement options for security and privacy controls;
• Descriptive names for security and privacy control enhancements;
• Consolidated tables for security controls and control enhancements by family with baseline allocations;
• Tables for security controls that support development, evaluation, and operational assurance; and
• Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force

Errata

The following changes have been incorporated into Special Publication 800-53, Revision 4.
DATE | TYPE | CHANGE | PAGE
05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3
05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4
05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6
05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7
05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8
05-07-2013 | Editorial | Deleted reference to SA-5(6) in Table D-17. | D-32
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-2. | E-4
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-3. | E-5
05-07-2013 | Editorial | Deleted reference to SA-5(6). | F-161
05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233
01-15-2014 | Editorial | Deleted “(both intentional and unintentional)” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Deleted “security and privacy” in line 5 in Abstract. | iii
01-15-2014 | Editorial | Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2. | 9
01-15-2014 | Editorial | Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.” | 11
01-15-2014 | Editorial | Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2nd paragraph, line 6. | 13
01-15-2014 | Editorial | Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4. | 28
01-15-2014 | Editorial | Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5. | 28
01-15-2014 | Editorial | Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3. | 29
01-15-2014 | Editorial | Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4. | 29
01-15-2014 | Editorial | Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6. | 29
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1. | 30
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5. | 31
01-15-2014 | Editorial | Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33
01-15-2014 | Editorial | Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33
01-15-2014 | Editorial | Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33
01-15-2014 | Editorial | Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33
01-15-2014 | Editorial | Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33
01-15-2014 | Editorial | Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33
01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10. | 36
01-15-2014 | Editorial | Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1. | 40
01-15-2014 | Editorial | Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1
01-15-2014 | Editorial | Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References. | A-7
01-15-2014 | Editorial | Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1. | A-7
01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7
01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11
01-15-2014 | Editorial | Added AC-2(11) to high baseline in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4
01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9
01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.” | D-9
01-15-2014 | Editorial | Added AC-2(12) and AC-2(13) to high baseline in Table D-3. | D-10
01-15-2014 | Editorial | Changed AC-17(5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-17(7) incorporated into reference from AC-3 to AC-3(10) in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice in Table D-5. | D-15
01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19(4) title in Table D-17. | D-34
01-15-2014 | Editorial | Deleted SC-9(1), SC-9(2), SC-9(3), and SC-9(4) from Table D-18. | D-37
01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37
01-15-2014 | Editorial | Deleted CA-3(5) from Table E-2. | E-4
01-15-2014 | Editorial | Added CM-3(2) to Table E-2. | E-4
01-15-2014 | Editorial | Added RA-5(2) and RA-5(5) to Table E-2. | E-4
01-15-2014 | Editorial | Deleted CA-3(5) from Table E-3. | E-5
01-15-2014 | Editorial | Added CM-3(2) to Table E-3. | E-5
01-15-2014 | Editorial | Deleted bold text from RA-5(2) and RA-5(5) in Table E-3. | E-5
01-15-2014 | Editorial | Added CM-8(9) to Table E-4. | E-7
01-15-2014 | Editorial | Added CP-4(4) to Table E-4. | E-7
01-15-2014 | Editorial | Added IR-3(1) to Table E-4. | E-7
01-15-2014 | Editorial | Added RA-5(3) to Table E-4. | E-7
01-15-2014 | Editorial | Deleted SA-4(4) from Table E-4. | E-7
01-15-2014 | Editorial | Changed SA-21(1) from “enhancements” to “enhancement” in Table E-4. | E-7
01-15-2014 | Editorial | Deleted SI-4(8) from Table E-4. | E-7
01-15-2014 | Editorial | Changed “risk management process” to “RMF” in Using the Catalog, line 4. | F-6
01-15-2014 | Editorial | Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5. | F-6
01-15-2014 | Editorial | Deleted extraneous “,” from AC-2 g. | F-7
01-15-2014 | Editorial | Added AC-2(11) to high baseline. | F-10
01-15-2014 | Substantive | Added the following text to AC-3(2) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-11
01-15-2014 | Editorial | Changed “ucdmo.gov” to “None” in AC-4 References. | F-18
01-15-2014 | Editorial | Added “.” after “C.F.R” in AT-2 References. | F-38
01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice. | F-42
01-15-2014 | Editorial | Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References. | F-42
01-15-2014 | Editorial | Changed “identify” to “identity” in AU-6(6) Supplemental Guidance. | F-46
01-15-2014 | Substantive | Added the following text to AU-9(5) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-49
01-15-2014 | Editorial | Added “Control Enhancements: None.” to AU-15. | F-53
01-15-2014 | Editorial | Deleted extraneous “.” from CM-2(7) Supplemental Guidance. | F-66
01-15-2014 | Editorial | Added “)” after “board” in CM-3 g. | F-66
01-15-2014 | Substantive | Added CA-7 to related controls list in CM-3. | F-66
01-15-2014 | Substantive | Added the following text to CM-5(4) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-69
01-15-2014 | Editorial | Added “http://” to URLs in CM-6 References. | F-71
01-15-2014 | Editorial | Added “component” before “inventories” in CM-8(5). | F-74
01-15-2014 | Editorial | Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References. | F-86
01-15-2014 | Substantive | Added the following text to CP-9(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-87
01-15-2014 | Editorial | Changed “HSPD 12” to “HSPD-12” and