One of the first steps in initiating an 800-53 assessment belongs to the organization's system owner. Under the Risk Management Framework (NIST SP 800-37, which uses SP 800-53 as its control catalog), the system owner categorizes the system by the impact a loss would have on each of three security objectives:
- Confidentiality
- Integrity
- Availability
The system owner rates each objective as Low, Moderate, or High (the FIPS 199 impact levels; NIST's term for the middle level is "Moderate," not "Medium"). The overall impact level of the system is the highest rating among the three (the FIPS 199 "high-water mark"), and that level selects the baseline. Once the impact level has been determined, SteelToad's assessors know which security controls must be mapped to the organization's processes: NIST Special Publication (SP) 800-53B, Control Baselines for Information Systems and Organizations, provides the security and privacy control baselines for the Federal Government.
NIST SP 800-53r5 organizes its controls into 20 control families, and the SP 800-53B baseline selected from the impact level determines how many of those controls are in scope. If the organization determines that the system's impact level is Low, SteelToad's assessors will assess the 149 security controls in the Low baseline (drawn from across the 800-53 families, not 149 per family) to establish compliance at that level. If the system requires a High level of security, SteelToad's assessors will assess the 370 controls in the High baseline against the system's processes. The Moderate baseline contains 287 controls.
The number of security controls a SteelToad assessor examines is therefore set by the baseline (Low, Moderate, or High) that follows from the system owner's categorization. SteelToad's assessors assess the controls on the federal organization's system against the 800-53 standard at the impact level specified and required by the system owner.