Per NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," Rev 4, April 2013, there are 18 control families:
AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Security Assessment and Authorization
CM Configuration Management
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity
PM Program Management
The first 17 align with FIPS 200, while the 18th (PM) aligns with FISMA requirements.
NIST SP 800-53 Rev 4, Appendix J, "Privacy Control Catalog: Privacy Controls, Enhancements, and Supplemental Guidance," adds 8 more control families. The number in parentheses is the number of controls in the family:
AP Authority and Purpose (2)
AR Accountability, Audit, and Risk Management (8)
DI Data Quality and Integrity (2)
DM Data Minimization and Retention (3)
IP Individual Participation and Redress (4)
SE Security (2)
TR Transparency (3)
UL Use Limitation (2)
The number of controls and CCIs per impact-level categorization, where each of confidentiality, integrity and availability is rated Low (L), Moderate (M) or High (H). The following information was obtained using the RMFKS Security Controls Explorer (the CCI count was recorded only for the {M,M,M} baseline):

| Categorization {C,I,A} | Controls | CCIs |
|---|---|---|
| {H,H,H} | 478 | |
| {H,H,M} | 457 | |
| {H,H,L} | 435 | |
| {H,M,H} | 463 | |
| {H,M,M} | 440 | |
| {H,M,L} | 418 | |
| {H,L,H} | 443 | |
| {H,L,M} | 420 | |
| {H,L,L} | 393 | |
| {M,H,H} | 475 | |
| {M,H,M} | 454 | |
| {M,H,L} | 432 | |
| {M,M,H} | 446 | |
| {M,M,M} | 403 | 1624 |
| {M,M,L} | 381 | |
| {M,L,H} | 426 | |
| {M,L,M} | 383 | |
| {M,L,L} | 356 | |
| {L,H,H} | 469 | |
| {L,H,M} | 448 | |
| {L,H,L} | 426 | |
| {L,M,H} | 440 | |
| {L,M,M} | 397 | |
| {L,M,L} | 375 | |
| {L,L,H} | 397 | |
| {L,L,M} | 354 | |
| {L,L,L} | 310 | |
Adding the overlays adds:

| Overlay | Controls added |
|---|---|
| Classified Systems | 33 |
| PII Low Confidentiality Impact | 32 |
| PII Moderate Confidentiality Impact | 47 |
| PII High Confidentiality Impact | 49 |
| Protected Health Information (PHI) | 40 |
The definition of PHI involves evaluating the conditions listed in HIPAA.

For guidance on determining the PII confidentiality impact level, see NIST SP 800-122. Also see DoD Form 2930.
Applying inheritance to eMASS records:

- Army Policy Record (System 304): 27 controls, 435 assessment procedures. Note that this record was recently (10/2019) split into two records, Tier 1 and Tier 2 (Tier 1 is DoD, Tier 2 is Army). The DoD Tier 1 Common Control Provider (DoD Tier1 CCP, 204, Army) provides 429 CCIs. The Army Tier 2 Common Control Provider (Army Tier2 CCP, 3584, Army) provides 143 CCIs.
- Army Research Lab (ARL) CCSP (manual inheritance): 120 CCIs: CA (15), CM (3), IR (39), PM (1), RA (14), SC (1), SI (47). However, current analysis of the AGCC-R eMASS record indicates 93 CCIs.
- Microsoft Azure Impact Level 4 (System 809): 92 controls, 356 assessment procedures.
- AWS GovCloud IaaS (IL4) (AWS GovCloudIaaS (L4), 657, CLOUD): provides 97 assessment procedures.

For a DoD CC SRG IL 4 system, the total inheritable CCIs come to 761, leaving 860 residual CCIs for assessment by the mission owner.
NIST SP 800-53 Rev 5.
20 Families (Access Control, Awareness and Training, Audit and Accountability, Assessment, Authorization, and Monitoring, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Planning, Program Management, Personnel Security, PII Processing and Transparency, Risk Assessment, System and Services Acquisition, System and Communications Protection, System and Information Integrity, Supply Chain Risk Management).
NIST SP 800-171 Rev 2.
110 controls. 14 Families (Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity).
ISO 27001:2021.
93 controls. Organizational Controls (37), People Controls (8), Physical Controls (14), and Technological Controls (34).
HIPAA.
TBD.
References:

- NIST SP 800-53 Rev 4, "Security and Privacy Controls for Federal Information Systems and Organizations," April 2013
- RMF Knowledge Service (RMFKS) Security Controls Explorer
- https://dodcio.defense.gov/Portals/0/Documents/Panel%202.pdf