The document outlines the categorization, implementation, and assessment of security controls for information systems according to NIST standards, particularly NIST SP 800-53 and SP 800-37. It emphasizes the importance of selecting appropriate controls based on data sensitivity and provides guidance on developing an information system security plan. The document also discusses the concept of compensating security controls for risk management in various security baselines.

2. Categorize
Select
Implement
Assess
Authorize
Monitor

4. Categorize
Select
Implement
Assess
Authorize
Monitor

12.  NIST SP 800-53

15. Data Type
Data
Description Data Sensitivity

16. Data Type Confidentiality Integrity Availability
Personal Identity and Authentication Moderate Moderate Moderate
Help Desk Services Low Low Low
Budget & Finance Moderate Moderate Low
Accounting Low Moderate Low
Space Operations Low High High
High Watermark Moderate High High
Overall High Watermark High

31. NSTISSI No. 1000

34. NIST SP 800-18 Rev 1

38. Appendix A:
Sample Information System Security Plan Template

39. NSTISSI No. 1000

41. Plan Initiation
Plan
Development
Plan
Implementation
Plan
Maintenance
Recertification
or Retirement

47. System 1
Subsystem A
Subsystem B
Subsystem C

49. Information Criteria Security Impact
Confidentiality Low / Moderate / High
Integrity Low / Moderate / High
Availability Low / Moderate / High
Based on: NIST SP 800-60 and FIPS Pub 199

54. Common
Controls
System-
specific
Controls
Hybrid
Controls
NIST SP 800-37 Rev 1

58. “Compensating security controls are the management,
operational, or technical controls used by an agency in
lieu of prescribed controls in the low, moderate, or high
security control baselines, which provide equivalent or
comparable protection for an information system.”
Source: NIST SP 800-100 § 8.4.4

59. 1
• Select controls from 800-53
2
• Complete and convincing rationale
3
• Assess and formally accept risk

60. 1
• Agency has developed on documented common controls
2
• Agency has assigned responsibility of the common control
3
• Systems owners should be made aware
4
• Expert in the common control consulted
5
• Agency, Campus or Center Common Control

64. Source: NIST SP 800-100 § 8.4.1

65. Criteria Rating
Confidentiality Moderate
Availability Low
Integrity Low