Part 7 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).

2. Categorize
Select
Implement
Assess
Authorize
Monitor

4. Categorize
Select
Implement
Assess
Authorize
Monitor

12.  NIST SP 800-53

15. Data Type
Data
Description Data Sensitivity

16. Data Type Confidentiality Integrity Availability
Personal Identity and Authentication Moderate Moderate Moderate
Help Desk Services Low Low Low
Budget & Finance Moderate Moderate Low
Accounting Low Moderate Low
Space Operations Low High High
High Watermark Moderate High High
Overall High Watermark High

31. NSTISSI No. 1000

34. NIST SP 800-18 Rev 1

38. Appendix A:
Sample Information System Security Plan Template

39. NSTISSI No. 1000

41. Plan Initiation
Plan
Development
Plan
Implementation
Plan
Maintenance
Recertification
or Retirement

47. System 1
Subsystem A
Subsystem B
Subsystem C

49. Information Criteria Security Impact
Confidentiality Low / Moderate / High
Integrity Low / Moderate / High
Availability Low / Moderate / High
Based on: NIST SP 800-60 and FIPS Pub 199

54. Common
Controls
System-
specific
Controls
Hybrid
Controls
NIST SP 800-37 Rev 1

58. “Compensating security controls are the management,
operational, or technical controls used by an agency in
lieu of prescribed controls in the low, moderate, or high
security control baselines, which provide equivalent or
comparable protection for an information system.”
Source: NIST SP 800-100 § 8.4.4

59. 1
• Select controls from 800-53
2
• Complete and convincing rationale
3
• Assess and formally accept risk

60. 1
• Agency has developed on documented common controls
2
• Agency has assigned responsibility of the common control
3
• Systems owners should be made aware
4
• Expert in the common control consulted
5
• Agency, Campus or Center Common Control

64. Source: NIST SP 800-100 § 8.4.1

65. Criteria Rating
Confidentiality Moderate
Availability Low
Integrity Low