Friday, January 4, 2019

Control Correlation Identifiers (CCI)

Control Correlation Identifiers (CCI) are individual, measurable statements that define the discrete tasks or criteria needed to evaluate a NIST SP 800-53 security control. DoDI 8500.01, "Cybersecurity," 14 March 2014, defines a CCI as:
"CCI. Decomposition of an NIST control into single, actionable, measurable statement."
Each CCI has Implementation Procedures (performed by the ISO/PM/ISSO) and Assessment Procedures (performed by the SCA-V). For example, the AC-1 control has 10 CCIs derived from the NIST SP 800-53A text. DoD uses CCIs in eMASS to map the assessment procedures specified in NIST SP 800-53A; the number of assessment procedures per control varies (one, fifteen, or more). DISA IASE STIGs and SRGs associate vulnerability checks with CCIs. The DISA IASE web site provides a mapping file (U_CCI_List.XML, last updated 2016-06-27) that associates each CCI with a NIST SP 800-53 control and an 800-53A assessment procedure. STIG and SRG checks that have no CCI mapping are assigned to the CM-6 control.
Note that there will be cases in a STIG or SRG assessment where a check does not map to a control for the system being assessed in eMASS. This can happen when the system's security categorization is such that the control is not selected at that categorization per CNSSI 1253. See the other blog post for further information.
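A worked example, added here and not part of this post or of DISA's own tooling: a small Python parser over a constructed fragment shaped like U_CCI_List.XML (the namespace, element names and sample entries are assumptions) that resolves a check's CCIs to their 800-53 control and 800-53A assessment procedure, falls back to CM-6 for CCIs missing from the list, and flags controls that are not selected in the system's CNSSI 1253 baseline.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like DISA's U_CCI_List.XML. The namespace, element
# names and sample entries are assumptions, not copied from the real file.
SAMPLE_CCI_XML = """<cci_list xmlns="http://iase.disa.mil/cci">
  <cci_items>
    <cci_item id="CCI-000001">
      <definition>The organization develops an access control policy.</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53" version="4" index="AC-1 a 1"/>
        <reference creator="NIST" title="NIST SP 800-53A" version="1" index="AC-1.1 (i)"/>
      </references>
    </cci_item>
    <cci_item id="CCI-000366">
      <definition>The organization implements the security configuration settings.</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53" version="4" index="CM-6 b"/>
      </references>
    </cci_item>
  </cci_items>
</cci_list>"""

NS = {"cci": "http://iase.disa.mil/cci"}
UNMAPPED_CONTROL = "CM-6"  # where STIG/SRG checks with no CCI mapping are assigned

def load_cci_map(xml_text):
    """Build {cci_id: {"control": "AC-1", "ap": "AC-1.1 (i)" or None}} from the list."""
    cci_map = {}
    for item in ET.fromstring(xml_text).iterfind("cci:cci_items/cci:cci_item", NS):
        entry = {"control": None, "ap": None}
        for ref in item.iterfind("cci:references/cci:reference", NS):
            index = ref.get("index", "")
            if ref.get("title") == "NIST SP 800-53":
                entry["control"] = index.split()[0]  # "AC-1 a 1" -> control "AC-1"
            elif ref.get("title") == "NIST SP 800-53A":
                entry["ap"] = index                  # 800-53A assessment procedure
        cci_map[item.get("id")] = entry
    return cci_map

def map_check(check_ccis, cci_map, selected_controls):
    """Resolve one check's CCIs to controls. Unknown CCIs fall back to CM-6; a control
    outside the system's CNSSI 1253 baseline is reported as not selected in eMASS."""
    rows = []
    for cci in check_ccis:
        control = (cci_map.get(cci) or {}).get("control") or UNMAPPED_CONTROL
        status = "selected" if control in selected_controls else "not selected"
        rows.append((cci, control, status))
    return rows
```

The `selected_controls` set stands in for the control baseline chosen for the system's categorization; a "not selected" row is the case described above where a check cannot be mapped for that system.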
