Implementing Cybersecurity

Anne Kohnke • Ken Sigler • Dan Shoemaker

◾ The activities and tasks that make up the security control selection step of the
National Institute of Standards and Technologies (NIST) Risk Management
Framework (RMF)
◾ Appropriate usage of FIPS 200 in establishing a set of minimum security
requirements
◾ Appropriate usage of NIST SP 800-53 as a means of establishing an initial
security control baseline, tailoring security controls, and establishing minimum assurance requirements
◾ The most appropriate way to document security controls in a security plan
◾ What other control libraries are available for organizations to use in selecting
the most appropriate security controls
A security program, whether at the organization or system level, should
include an appropriate mixture of security controls: management, operational,
and technical. Management controls are techniques that are normally addressed
by management in the organization’s information and communication technology
(ICT) security program and focus on managing the entire program and identified
risks that may inhibit the organization’s ability to mitigate threats and vulner-
abilities. Operational controls are those that are operated by people, as opposed to
a technology or systems. These controls often depend on the technical expertise
of network and security teams in addition to other management and technical
controls. Technical controls are those that the system executes.
Unfortunately, many organizations stop short of selecting the proper mix of
management, operational, and technical controls, allocating their entire security
budget on just those technical aspects of ICT security that will limit exploitation
and potentially cost the most in damages. However, relying on just technical con-
trols will be insufficient and justifiably cost the organization even more money
without the complementary management and operational controls in place. For
example, an organization may choose to install the most robust firewall on the
market; however, if it does not have the proper access privileges in place and in turn
allows unrestricted internet access to and from the network, that organization will
be prone to significant vulnerabilities.
The number and type of appropriate security controls vary throughout a sys-
tem’s life cycle and are selected based on the organization’s understanding of
the results of security impact analysis that should be performed before selection
of controls begins. Thus, relative maturity of an organization’s enterprise archi-
tecture and security program will have a significance influence on the types of
appropriate security controls. The blend of security controls is tied to the mission
of the organization and the role of the system within the organization as it sup-
ports that mission. Recall from our discussion in Chapter 3 that one of the first
objectives of the RMF security categorization process is to understand the mis-
sion and objectives of the organization. ICT security impacts that mission and
the defined objectives.
In Chapter 1, we emphasized that risk management is the process used to iden-
tify an effective mix of management, operational and technical security controls
to mitigate risk to a level acceptable to the responsible senior official. Although it
may be tempting to simply pick a product off the shelf, using a risk management
process to choose the most effective blend of controls enhances an organization’s
security posture.
Chapter 3 introduced the activities and tasks performed in the first step
(Security Classification) of the NIST RMF. In this chapter, we will begin with a
conceptualization of security control selection. Next, FIPS 200, Minimum Security
Requirements for Federal Information and Information Systems will be introduced as
a means for understanding the task of establishing security boundaries and identi-
fication of minimum security requirements. The major focus of this chapter centers
on the tables available in NIST 800-60, Guide for Mapping Types of Information
and Information Systems to Security Categories (Stine et al., 2008) and FIPS 199 as
a means of implementing the security categorization and information classification
process of the NIST RMF