Description of Security Controls and Families

The NIST SP 800-53 security controls specify the administrative, technical, and physical safeguards and countermeasures that organizations apply to their systems. To keep the definition of each control unambiguous, 800-53 communicates every control in a fixed structure: NIST presents each control with its definition, a brief discussion, and the related controls and references that bear on it. For further clarity, the controls are grouped into security control families.

There are 20 security control families in NIST SP 800-53 (Revision 5). Each family is made up of Base Controls and Enhanced Controls (NIST's own term for the latter is "control enhancements"). A Base Control states the minimum requirement within its family, and an Enhanced Control defines additional security or privacy capability that "improves the Base Control." An Enhanced Control builds on its Base Control by adding functionality to it; it does not change the Base Control itself.

The following is an example of how NIST 800-53 presents and explains a security control. Also shown, to help clarify the standard, is supplementary defining information relevant to that specific control.

The NIST SP 800-53 control "template" shown above carries the following information for each security control:

  • NIST 800-53 Base Control Section: This section defines the base security or privacy control that organizations are required to meet. The Base Control does not prescribe how an organization implements it; it states the requirement and leaves the organization free to satisfy it in whatever manner fits its environment and risk.
  • NIST 800-53 Discussion Section: This section expands on the Base Control and its purpose, and frequently gives examples of how the control is applied. The discussion supplies the detail an organization needs to decide what implementation will address the Base Control. It is explanatory, not a requirement in itself.
  • NIST 800-53 Related Controls Section: This section lists the controls that support or are affected by the Base Control. It serves as a reference for the organization to understand the relationship and impact between the Base Control and its Related Controls.
  • NIST 800-53 Control Enhancements Section: This section describes the Enhanced Controls, the capabilities that improve the Base Control. They supplement rather than replace it. An Enhanced Control does not exist apart from its Base Control, so an enhancement is not selected unless the Base Control is also selected and implemented.
  • NIST 800-53 References Section: This section lists the applicable laws, executive orders, regulations, policies, standards, and guidelines that give the control further context and clarification.
  • NIST 800-53 Organization-Defined Parameters: Organization-defined parameters (ODPs) let an organization tailor a control to its own needs "by assignment and selection operations." The values an organization assigns may reflect specific executive orders, regulations, policies, stakeholder needs, or risks particular to the organization, and they are embedded directly into the control statement. Parameters are designated by brackets inside the control text: an assignment such as [Assignment: organization-defined frequency] is filled with a value the organization chooses, while a selection such as [Selection (one or more): ...] is filled from the choices NIST lists, separated by semicolons.
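As an added example (not code from the original post or from NIST), the script below works with the two structural rules described above: it fills the bracketed organization-defined parameters in a control statement, reporting any that are still undecided or filled with a choice the selection does not allow, and it flags any control enhancement selected without its base control. The control statement, parameter values, and control IDs (EX-1, EX-2(3), and so on) are constructed for illustration and are not quoted from the standard.

```python
"""Worked example: resolving NIST SP 800-53 organization-defined parameters
(the bracketed [Assignment: ...] / [Selection: ...] placeholders) in a control
statement, and checking that no control enhancement is selected without its
base control. The control text and IDs below are constructed for illustration;
they are not quoted from the standard."""
import re

# One pattern for both ODP kinds, so substitutions happen in order of appearance.
PARAM_RE = re.compile(
    r"\[(?:"
    r"Assignment:\s*organization-defined\s+(?P<name>[^\]]+?)"
    r"|Selection(?:\s*\((?P<mode>one or more)\))?:\s*(?P<choices>[^\]]+?)"
    r")\]"
)
# Enhancement IDs look like "AC-2(1)": a base control ID plus a parenthesised number.
ENHANCEMENT_RE = re.compile(r"^(?P<base>[A-Z]{2}-\d+)\(\d+\)$")


def resolve_parameters(statement, values):
    """Fill the ODP brackets in `statement` from `values`.

    `values` is keyed by the assignment name (the text after
    "organization-defined") or, for a selection, by its choices joined with
    "; ". Returns (resolved_text, unresolved_keys, invalid_keys). Parameters
    with no value are left in bracket form so a reviewer can see what still
    needs a decision; selections filled with a choice outside NIST's list, or
    with several choices where only one is allowed, are left untouched and
    reported as invalid.
    """
    unresolved, invalid = [], []

    def substitute(m):
        if m.group("name") is not None:  # [Assignment: organization-defined X]
            key = m.group("name").strip()
            if key in values:
                return values[key]
            unresolved.append(key)
            return m.group(0)
        # [Selection: a; b] or [Selection (one or more): a; b]
        choices = [c.strip() for c in m.group("choices").split(";")]
        key = "; ".join(choices)
        if key not in values:
            unresolved.append(key)
            return m.group(0)
        chosen = [c.strip() for c in values[key].split(";")]
        multi = m.group("mode") is not None
        if any(c not in choices for c in chosen) or (not multi and len(chosen) != 1):
            invalid.append(key)
            return m.group(0)
        return " and ".join(chosen)

    return PARAM_RE.sub(substitute, statement), unresolved, invalid


def orphaned_enhancements(selected_ids):
    """Return enhancement IDs whose base control is absent from the selection.

    800-53 allows a base control without its enhancements, but never an
    enhancement without its base control.
    """
    selected = set(selected_ids)
    return [
        cid for cid in sorted(selected)
        if (m := ENHANCEMENT_RE.match(cid)) and m.group("base") not in selected
    ]


# Constructed control statement (not from the standard) with three ODPs.
SAMPLE_STATEMENT = (
    "Review [Assignment: organization-defined system accounts] every "
    "[Assignment: organization-defined frequency] and "
    "[Selection (one or more): log the review; notify the system owner] "
    "on completion."
)
# Constructed organization-defined values for the statement above.
SAMPLE_VALUES = {
    "system accounts": "all privileged accounts",
    "frequency": "30 days",
    "log the review; notify the system owner": "log the review; notify the system owner",
}

if __name__ == "__main__":
    # Partial tailoring: only the frequency has been decided.
    text, undecided, bad = resolve_parameters(SAMPLE_STATEMENT, {"frequency": "30 days"})
    print(text)
    print("undecided:", undecided)
    # Full tailoring: every bracket is replaced.
    text, undecided, bad = resolve_parameters(SAMPLE_STATEMENT, SAMPLE_VALUES)
    print(text)
    # EX-2(3) is selected without its base control EX-2.
    print("orphans:", orphaned_enhancements(["EX-1", "EX-1(1)", "EX-2(3)"]))
```

The point of returning the unresolved list rather than raising is that a tailored baseline is usually built up over several review rounds; a statement with brackets still in it is a to-do item, not an error, whereas a selection filled with something NIST did not offer is. The same `orphaned_enhancements` check belongs in whatever tool produces your control selection, since a baseline that lists an enhancement without its base control cannot be assessed.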
