bold text indicates the delta from the low baseline (i.e., the assurance-related controls added to the low baseline to produce the increased level of assurance in the moderate baseline).
102 NIST Special Publication 800-53A provides additional information on depth and coverage in security control assessments.
103 The assurance-related controls in Table E-3 are a subset of the security controls contained in the security control baseline for high-impact systems in Appendix D. Implementing the assurance-related controls in Table E-3 (including depth/coverage security evidence from NIST Special Publication 800-53A) will satisfy the minimum assurance requirements for high-impact systems mandated by FIPS Publication 200. The bold text indicates the delta from the moderate baseline (i.e., the assurance-related controls added to the moderate baseline to produce the increased level of assurance in the high baseline).
104 The assurance-related controls in Table E-4 represent the additional security controls needed to achieve enhanced levels of assurance (i.e., the controls needed to go beyond the minimum assurance levels that are represented by the assurance-related controls in Tables E-1, E-2, and E-3). When an assurance-related control is allocated to a baseline (i.e., listed in Tables E-1, E-2, or E-3), but all of its control enhancements are in Table E-4, it is designated in the table as Control (all enhancements). When an assurance-related control and all of its control enhancements are not allocated to baselines, it is designated in the table as Control (plus enhancements). When assurance-related control enhancements from a particular control are allocated to one of the baselines, the remaining unselected control enhancements are listed individually in Table E-4.
105 An online version of the catalog of security controls is also available at http://web.nvd.nist.gov/view/800-53/home.
106 Compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organizational security plans meet the specific mission and business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government.
107 The security controls in Special Publication 800-53 are available online and can be downloaded in various formats from the NIST web site at: http://web.nvd.nist.gov/view/800-53/home.
108 CNSS Instruction 1253 provides guidance for security categorization of national security systems.
109 CNSS Instruction 1253 provides guidance on security control baselines for national security systems and specific tailoring requirements associated with such systems.
110 There are additional security controls and control enhancements that appear in the catalog that are not used in any of the initial baselines. These additional controls and control enhancements are available to organizations and can be used in the tailoring process to achieve the needed level of protection in accordance with organizational risk assessments.
111 Common controls are those security controls that are inheritable by one or more organizational information systems, and thus are separate and distinct from information security program management controls.
112 Assessment procedures for program management controls and common controls can be found in NIST Special Publication 800-53A.
113 ISO/IEC 27001 was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
114 ISO/IEC 15408 was published in September 2012 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
115 The use of the term XX-1 controls in mapping Table H-2 refers to the set of security controls represented by the first control in each family in Appendix F, where XX is a placeholder for the two-letter family identifier.
116 Tailored baselines produced using the concept of overlays can be published independently in a variety of venues and publications including, for example, OMB policies, CNSS Instructions, NIST Special Publications, industry standards, and sector-specific guidance. As part of the overlay initiative, the previous guidance in Appendix I regarding industrial and process control system security will be transferred to NIST Special Publication 800-82.
117 While organizations are encouraged to use the overlay concept to tailor security control baselines, generating widely divergent overlays on the same topic may prove to be counterproductive. The overlay concept is most effective when communities of interest work together to create consensus-based overlays that are not duplicative.
118 CNSS Instruction 1253 provides security categorization guidance and security control baselines for national security systems.
119 OMB Memorandum 07-16 defines PII as information which can be used to distinguish or trace an individual’s identity such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. OMB Memorandum 10-22 further states that “the definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified by examining the context of use and combination of data elements. In performing this assessment, it is important for agencies to recognize that non-PII can become PII, whenever additional information is made publicly available, in any medium and from any source that, when combined with other available information, could be used to identify an individual.” NIST Special Publication 800-122 also includes a definition of PII that differs from this appendix because it was focused on the security objective of confidentiality and not privacy in the broad sense. Organizational definitions of PII may vary based on the consideration of additional regulatory requirements. The privacy controls in this appendix apply regardless of the definition of PII by organizations.
120 In 2010, the Federal CIO Council Privacy Committee issued a framework for designing and implementing a privacy program entitled Best Practices: Elements of a Federal Privacy Program (Elements White Paper). The privacy controls in this appendix mirror a number of the elements included in the paper. Organizations can use the privacy controls and the guidance in the paper to develop an organization-wide privacy program or enhance an already existing program.
121 The FIPPs are widely accepted in the United States and internationally as a general framework for privacy and are reflected in other federal and international laws and policies. In a number of organizations, FIPPs serve as the basis for analyzing privacy risks and determining appropriate mitigation strategies. The Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) also provided information and materials in development of the privacy controls.
122 All federal agencies and departments designate an SAOP/CPO as the senior organizational official with the overall organization-wide responsibility for information privacy issues. OMB Memorandum 05-08 provides guidance for the designation of SAOPs/CPOs. The term SAOP/CPO as used in this appendix means an organization’s senior privacy leader, whose job title may vary from organization to organization.
123 Organizations enter into Computer Matching Agreements in connection with computer matching programs to which they are a party. With certain exceptions, a computer matching program is any computerized comparison of two or more automated systems of records or a system of records with nonfederal records for the purpose of establishing or verifying the eligibility of, or continuing compliance with, statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to cash or in-kind assistance or payments under federal benefit programs or computerized comparisons of two or more automated federal personnel or payroll systems of records or a system of federal personnel or payroll records with nonfederal records. See Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a (a)(8)(A).
124 The Information Sharing Environment is an approach that facilitates the sharing of terrorism and homeland security information. The ISE was established by the Intelligence Reform and Terrorism Prevention Act of 2004, Public Law 108-458, 118 Stat. 3638. See the ISE website at: http://www.ise.gov.