Recommended Security Controls for Federal Information Systems, High-Imapct Baseline. Annex 3 to NIST Special Publication 800-53-Revision 2

摘要

Organizations are required to employ security controls to meet security requirements defined by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., Federal Information Security Management Act, OMB Circular A-130, Appendix III). The challenge for organizations is to determine the appropriate set of security controls, which if implemented and determined to be effective in their application, would most cost-effectively comply with the stated security requirements. Selecting the appropriate set of security controls to meet the specific, and sometimes unique, security requirements of an organization is an important taska task that demonstrates the organizations commitment to security and the due diligence exercised in protecting the confidentiality, integrity, and availability of its information and information systems. The ultimate objective is to implement information systems that are dependable in the face of threats. To assist organizations in making the appropriate selection of security controls for their information systems, the concept of baseline controls is introduced. Baseline controls are the initial security controls recommended for an information system based on the systems security categorization in accordance with FIPS 199.1 Table 1 provides a summary of the security controls and control enhancements in the low-impact baseline from Appendix D, NIST Special Publication 800-53. Part one follows, containing the full descriptions of the controls and associated enhancements listed in the table. Part two provides the minimum assurance requirements for low-impact information systems from Appendix E, NIST Special Publication 800-53.