NIST 800-53 Cybersecurity Framework: Exploring Security Controls

Federal government agencies abide by policy and law based on their relationships with other federal entities, as well as on rules and regulations placed on the agency by its chain of authority. To meet the obligations imposed on each federal entity, agencies must specifically define and document the requirements their information systems must satisfy to adhere to privacy and security regulations and policies. Respecting the applicable rules and policies requires that requirements be stated at every level, from the broadest federal department level all the way down to the individual information system and user level.

Regulations for privacy and security may be driven by existing laws, presidential executive orders such as Executive Order 14028 "Improving the Nation's Cybersecurity", directives, policies, and stakeholder requirements, originating either within the agency or outside the federal departments. The scope of the security requirements to be maintained is constantly evolving and growing because the cybersecurity environment is aggressive and adversarial; assessment and iterative modification must therefore be a consistent and continuous effort. At any given time, however, a federal agency's current set of requirements provides a snapshot for determining the specific and immediate requirements that must be met to achieve compliance.

The NIST Special Publication 800-53 security controls framework distinguishes three categories of requirements that help define the specific capabilities each control must provide:

  1. Capability requirements: "a capability that the system or organization must provide to satisfy a stakeholder protection need."
  2. Specification requirements: "Requirements that pertain to a particular hardware, software, and firmware components of a system…"
  3. Statement of work requirements: "Requirements that refer to actions that must be performed operationally or during system development."