Friday, January 4, 2019

eMASS Control Criticality Assignment

eMASS assigns a criticality rating of white, yellow, or red to each control. It's currently unclear to me how DoD determined the criticality rating for each control. It does not (nor should it) correspond to the NIST Priority Code assignments P1 through P3 (P0 is for controls that are not selected in any baseline). For example, AC-2 is yellow in eMASS but P1 in NIST SP 800-53. I think this makes sense, since the NIST priority codes are for implementation sequencing rather than criticality (e.g., AC-1: do your access control policy and procedures first, then track unsuccessful login attempts (AC-7), then control concurrent sessions (AC-10)).

Here's the section from NIST SP 800-53 concerning Priority Codes:
The priority and security control baseline allocation section provides: (i) the recommended priority codes used for sequencing decisions during security control implementation; and (ii) the initial allocation of security controls and control enhancements to the baselines. Organizations can use the priority code designation associated with each security control to assist in making sequencing decisions for control implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control, a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control, and a Priority Code 0 [P0] indicates the security control is not selected in any baseline). This recommended sequencing prioritization helps to ensure that the foundational security controls upon which other controls depend are implemented first, thus enabling organizations to deploy controls in a more structured and timely manner in accordance with available resources. The implementation of security controls by sequence priority code does not imply the achievement of any defined level of risk mitigation until all of the security controls in the security plan have been implemented. The priority codes are intended only for implementation sequencing, not for making security control selection decisions.
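To make the distinction between the two attributes concrete, here is an added example (not from the original post, eMASS, or NIST) that treats the NIST priority code and the eMASS criticality rating as independent fields on each control: the priority code drives the implementation sequence (P1, then P2, then P3, with P0 excluded because it is in no baseline), while criticality is only grouped for reporting. AC-2 = P1 / yellow comes from the post; the other priority codes follow SP 800-53 rev 4; the eMASS colors for every control other than AC-2 are constructed placeholders, not real eMASS assignments.

```python
"""Sequence controls by NIST SP 800-53 priority code, independent of the
eMASS criticality rating. Added example; not code from the original post."""
import re
from dataclasses import dataclass

# Implementation order per SP 800-53: P1 before P2 before P3.
# P0 is deliberately absent: a P0 control is not selected in any baseline.
PRIORITY_ORDER = {"P1": 1, "P2": 2, "P3": 3}

CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


@dataclass(frozen=True)
class Control:
    control_id: str    # e.g. "AC-2" or "AC-2(1)" for an enhancement
    priority: str      # NIST priority code: P0, P1, P2 or P3
    criticality: str   # eMASS rating: white, yellow or red
    in_baseline: bool  # selected in this system's baseline


# Constructed sample set. AC-2 (P1, yellow) is from the post; the remaining
# priority codes are SP 800-53 rev 4 values; colors other than AC-2 are
# placeholders, not actual eMASS ratings.
SAMPLE = [
    Control("AC-10", "P3", "white", True),
    Control("AC-7", "P2", "white", True),
    Control("AC-2", "P1", "yellow", True),
    Control("AC-1", "P1", "white", True),
    Control("AC-9", "P0", "white", False),
]


def control_sort_key(control_id):
    """Sort by family, base number, then enhancement, so AC-2 precedes AC-10."""
    m = CONTROL_ID.match(control_id)
    if not m:
        raise ValueError(f"unrecognised control id: {control_id}")
    family, number, enhancement = m.groups()
    return (family, int(number), int(enhancement or 0))


def validate_p0(controls):
    """Return ids of P0 controls marked as selected: by definition a P0
    control is in no baseline, so any hit is a data-entry error to fix."""
    return [c.control_id for c in controls if c.priority == "P0" and c.in_baseline]


def implementation_sequence(controls):
    """Order the selected controls for implementation by priority code
    (P1 < P2 < P3) and, within a code, by control id."""
    selected = [c for c in controls if c.in_baseline and c.priority in PRIORITY_ORDER]
    selected.sort(key=lambda c: (PRIORITY_ORDER[c.priority], control_sort_key(c.control_id)))
    return [c.control_id for c in selected]


def criticality_by_priority(controls):
    """Map each priority code to the set of eMASS colors seen under it.
    More than one color under a code shows the two scales are not aligned."""
    seen = {}
    for c in controls:
        seen.setdefault(c.priority, set()).add(c.criticality)
    return seen


if __name__ == "__main__":
    print("P0 errors:", validate_p0(SAMPLE))
    print("Implementation order:", implementation_sequence(SAMPLE))
    print("Colors per priority:", criticality_by_priority(SAMPLE))
```

Running it yields the order AC-1, AC-2, AC-7, AC-10, with AC-9 left out as P0, and shows both white and yellow under P1, which is the point of the post: the eMASS color has to be tracked as its own field rather than derived from the priority code.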
