ML22080A052

| Field | Value |
|---|---|
| Issue date | 11/01/2020 |
| From | Jonathan Feibus, NRC/OCIO |
| Shared Package | ML22077A369 |
| References | CSO-PROS-7002 |
| Download | ML22080A052 (15) |
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-7002
Title: Security Control Tailoring Process
Revision Number: 1.1
Effective Date: November 1, 2020
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO

Description: CSO-PROS-7002, Security Control Tailoring Process, defines the process for tailoring the NIST 800-53 security controls baseline to align more closely with the mission, function, and environment of operation for the NRC system/subsystem.

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)
CSO-PROS-7002 Page i

Table of Contents

1 PURPOSE (page 1)
2 GENERAL REQUIREMENTS (page 1)
- Identifying and Designating Common Controls (page 2)
- Applying Scoping Considerations (page 2)
- Selecting Compensating Security Controls (page 2)
- Supplementing Baselines with Additional Security Controls (page 2)
3 SPECIFIC REQUIREMENTS (page 2)
- Common Controls (page 3)
- Privacy Controls (page 3)
- Physical and Environmental Controls (page 3)
- Controls deemed as Not Applicable (page 3)
- Controls Provided by the Cloud Service Provider (page 3)
- Compensating and/or Supplementing Baselines (page 3)
4 SUBMITTAL-APPROVAL PROCESS (page 4)
APPENDIX A CONTROL TAILORING WORKSHEET (page 5)
Computer Security Process CSO-PROS-7002: Security Control Tailoring Process

1 PURPOSE

CSO-PROS-7002, Security Control Tailoring Process, defines the methodology by which an NRC information system security control baseline can be modified.

The implementation of control tailoring helps to ensure that security and privacy controls are customized for the specific missions, business functions, risks, and operating environments of the system. Ultimately, NRC uses the tailoring process to achieve cost-effective, risk-based security that supports NRC's mission/business needs. The information contained in this document is intended to be used by the system owner, the information system security officer (ISSO), and the information assurance (IA) support team. This process does not apply to classified or SGI systems. This process reflects what the NRC security program is currently implementing and applies to established systems and subsystems. The NRC is in the process of developing an information security architecture (ISA) that will encompass the enterprise and business processes. Once the ISA is completed, all affected processes will be modified accordingly.
2 GENERAL REQUIREMENTS

There are two approaches defined by NIST that can be used for the initial selection of security controls prior to tailoring activities: a baseline control selection, or an organization-generated control selection.

At the NRC, the baseline control selection approach is applied using the NIST 800-53 Rev 4 initial security baselines (low-impact, moderate-impact, and high-impact) as the starting point.

Security controls in the initial baselines represent a system-wide set of controls that may not be applicable to every component in the system.

After selecting the applicable NRC security control baseline from NIST 800-53 Rev 4, Appendix D, the tailoring process is initiated to allow the system owner or designee to ensure that the selected controls provide sufficient safeguards based on the system's role in supporting the Agency's mission, business function, unique risk considerations, and operational environment.
The tailoring process includes the following tasks, described in the subsequent sections of this document:

- Identifying and designating common controls in initial security control baselines
- Applying scoping considerations to the remaining baseline security controls
- Selecting compensating controls, if needed
- Supplementing baselines with additional controls, if needed

Identifying and Designating Common Controls

Common controls are controls that may be inherited by the Agency or by another Agency information system and therefore do not need to be addressed at the system level. Agencies can have multiple common control providers depending on how security and privacy responsibilities are allocated agencywide. For more information, refer to CSO-STD-0021, Common and Hybrid Security Control Standard.

Applying Scoping Considerations

Initial security baselines are based on the information types stored, processed, and transmitted by the system/subsystem. Applying scoping considerations when tailoring out security controls helps to ensure that the security controls that remain in the initial baseline provide adequate protection based on the system's mission, business function, operational environment, and risk tolerance.

For example, a system/subsystem consisting of components such as printers, scanners, smart phones, tablets, etc. may lack the capabilities assumed in the initial security control baseline, and the controls that depend on those capabilities therefore do not apply. As another example, if a system/subsystem does not process, store, or transmit privacy information, the privacy controls can be scoped out of the baseline.

Selecting Compensating Security Controls

Compensating controls are alternative security controls implemented by a system/subsystem in lieu of those in the initial security baselines. The compensating controls provide equal or comparable protection in situations where controls from the baseline either cannot be met because of technical limitations or where control implementation is not cost-effective. When selecting compensating controls, rationale must be provided in the system security plan as to how the control provides equivalent security and why the baseline control could not be employed.

Supplementing Baselines with Additional Security Controls

In certain situations, additional security controls or control enhancements beyond those in the initial security control baselines may be warranted to address specific threats to the system based on an assessment of risk. A gap analysis can be conducted to determine the required capabilities and levels of preparedness based on threat information.
3 SPECIFIC REQUIREMENTS

Once the Security Categorization of the NRC system/subsystem has been determined, the initial security control baseline is assigned based on the low, moderate, or high impact level. At this point, tailoring activities can take place and must be approved by the Authorizing Official and/or CISO before they are implemented. Tailoring decisions and their associated rationale must be recorded in the system security plan (SSP). Any tailored-out security controls should be removed from the 800-53 security controls main tab of the SSP, while compensating and/or supplementing controls should be added. NIST Special Publications require security control tailoring to be defensible based on mission/business needs, operational environment, and risk.

During the system's/subsystem's initial authorization effort or periodic control testing, the independent assessor will review and analyze the tailored baseline for validity and ensure that the security of the system/subsystem is stable and appropriate.

Common Controls

In accordance with the first step in the tailoring process, Appendix A: Control Tailoring Worksheet lists the common controls that can be tailored out of the initial baseline.

Privacy Controls

The privacy controls listed in Appendix A: Control Tailoring Worksheet can be tailored out if the NRC system/subsystem meets the following criteria:

If the approved Security Categorization and the Privacy Threshold Analysis (PTA) signed by the NRC Privacy Officer state that the NRC system/subsystem does not process, store, or transmit privacy data, then privacy controls can be tailored out, with the exception of the AR-2 security control (800-53 Rev 4), Privacy Impact and Risk Assessment.

- NOTE: Once 800-53 Rev 5 final is released, the related control will be RA-8, Privacy Impact Assessments. RA-8 must be documented in the SSP and cannot be tailored out.
Physical and Environmental Controls

The physical and environmental controls listed in Appendix A: Control Tailoring Worksheet can be tailored out if the NRC system/subsystem meets the following criteria:

The PE controls identified in the Appendix A worksheet can be tailored out of the baseline if the system/subsystem is hosted in an NRC facility with guards, guns, and gates.

Controls deemed as Not Applicable

Controls in the initial CIA-evaluated baseline where the operational or environmental factors they address are absent (not applicable to the system/subsystem) can be tailored out, with a justification provided in the tailoring worksheet (e.g., SC-19, Voice over Internet Protocol, where the system does not provide this technology).

Controls Provided by the Cloud Service Provider

Controls in the initial baseline of a cloud-based system/subsystem that are fully provided by the Cloud Service Provider can be tailored out.

Compensating and/or Supplementing Baselines

Supporting rationale for applying compensating controls and/or supplementing baselines must be provided to explain how these controls provide equivalent security capabilities for the system/subsystem.

- Please note: If an NRC information system has any implementation responsibility for a control, the control cannot be tailored out.
4 SUBMITTAL-APPROVAL PROCESS

For internal NRC systems/subsystems that are not public-facing, CSO-TEMP-2007, Tailored Baseline Request Email Template, along with the Control Tailoring Worksheet provided in the template, must be completed and submitted to CISO@nrc.gov for approval. The approver reserves the right to approve the tailoring across the enterprise.

For systems that are public-facing or have a public-facing component, CSO-TEMP-2007, Tailored Baseline Request Email Template, along with the Control Tailoring Worksheet provided in the template, must be submitted to the Authorizing Official (AO) for approval.
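The criteria in Sections 3 and 4 can be checked mechanically before a request is submitted. The Python below is an added example, not part of CSO-PROS-7002 or any NRC tooling: the control sets are abbreviated excerpts of the Appendix A worksheet, and the system profile, the category names, and the request rows are constructed for illustration.

```python
from dataclasses import dataclass, field

PLACEHOLDER = "<Provide System specific rationale for tailoring>"  # worksheet default
# Abbreviated excerpts of the Appendix A worksheet lists (800-53 Rev 4 identifiers).
COMMON = {"AR-1", "AR-5", "AT-2(2)", "CA-8", "IR-7", "PM-9", "PS-2", "SI-5(1)"}
PRIVACY = {"AP-1", "AR-3", "DI-1", "DM-1", "IP-1", "SE-1", "TR-1", "UL-1"}
PHYSICAL = {"PE-3", "PE-6", "PE-8", "PE-13", "PE-14"}
NEVER_TAILORED = {"AR-2"}  # Privacy Impact and Risk Assessment must stay in the SSP

@dataclass
class SystemProfile:
    """Facts about the system that the Section 3 and 4 criteria depend on."""
    no_privacy_data: bool       # Security Categorization and signed PTA both say so
    nrc_guarded_facility: bool  # hosted in an NRC facility with guards, guns and gates
    public_facing: bool         # decides the approver in Section 4
    csp_provided: set = field(default_factory=set)    # fully provided by the CSP
    nrc_implements: set = field(default_factory=set)  # NRC keeps some implementation duty

@dataclass
class TailorOut:
    control: str
    category: str  # constructed names: common | privacy | physical | not_applicable | cloud
    rationale: str = PLACEHOLDER

def has_rationale(entry):
    """The unfilled worksheet placeholder does not count as a recorded rationale."""
    return entry.rationale.strip() not in ("", PLACEHOLDER)

def evaluate(entry, profile):
    """Return (accepted, reason) for one proposed tailor-out."""
    c, cat = entry.control, entry.category
    if c in NEVER_TAILORED:
        return False, f"{c} must be documented in the SSP and cannot be tailored out"
    if not has_rationale(entry):
        return False, f"{c}: system-specific rationale missing from the worksheet"
    if cat == "cloud" and c in profile.nrc_implements:
        return False, f"{c}: NRC retains implementation responsibility, cannot tailor out"
    # (condition that permits tailoring out, reason reported when it fails)
    checks = {
        "common": (c in COMMON, "not a listed common control"),
        "privacy": (c in PRIVACY and profile.no_privacy_data,
                    "not a listed privacy control, or the system handles privacy data"),
        "physical": (c in PHYSICAL and profile.nrc_guarded_facility,
                     "not a listed PE control, or not hosted in a guarded NRC facility"),
        "not_applicable": (True, ""),  # justification was already checked above
        "cloud": (c in profile.csp_provided, "not fully provided by the Cloud Service Provider"),
    }
    ok, why = checks.get(cat, (False, f"unknown tailoring category {cat!r}"))
    return ok, f"{c}: {'tailored out as ' + cat if ok else why}"

def review_request(entries, profile):
    """Decide every worksheet row and name the approver Section 4 requires."""
    approver = "Authorizing Official (AO)" if profile.public_facing else "CISO (CISO@nrc.gov)"
    return {"approver": approver, "decisions": {e.control: evaluate(e, profile) for e in entries}}

# Constructed request for a hypothetical internal system that is not public-facing.
PROFILE = SystemProfile(no_privacy_data=True, nrc_guarded_facility=False, public_facing=False,
                        csp_provided={"PE-3", "PE-14"}, nrc_implements={"PE-14"})
REQUEST = [
    TailorOut("PM-9", "common", "Inherited from the agencywide risk management strategy"),
    TailorOut("AP-1", "privacy", "Signed PTA: no PII processed, stored or transmitted"),
    TailorOut("AR-2", "privacy", "No PII in scope"),                 # rejected: never tailored
    TailorOut("PE-6", "physical", "Hosted at a commercial colocation site"),  # not guarded NRC
    TailorOut("SC-19", "not_applicable", "System provides no VoIP technology"),
    TailorOut("PE-3", "cloud", "Data center physical access is the CSP's responsibility"),
    TailorOut("PE-14", "cloud", "CSP runs HVAC; NRC operates an on-premise gateway rack"),
    TailorOut("CA-8", "common"),                                      # placeholder rationale
]
```

Calling `review_request(REQUEST, PROFILE)` routes this request to the CISO and rejects AR-2, PE-6, PE-14, and CA-8 with the Section 3 reason for each.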
APPENDIX A CONTROL TAILORING WORKSHEET

Common Controls - The following common controls can be tailored out of the system baseline.

| Control Family | Control | Control Name | Control Type | Description | Rationale for Tailoring |
|---|---|---|---|---|---|
| AR | AR-1 | Governance and Privacy Program | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| AR | AR-5 | Privacy Awareness and Training | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| AR | AR-6 | Privacy Reporting | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| AT | AT-2(2) | Security Awareness \| Insider Threat | Common | | <Provide System specific rationale for tailoring> |
| CA | CA-2(2) | Security Assessments \| Specialized Assessments | Common | | <Provide System specific rationale for tailoring> |
| CA | CA-8 | Penetration Testing | Common | | <Provide System specific rationale for tailoring> |
| DI | DI-2 | Data Integrity and Data Integrity Board | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| DI | DI-2(1) | Data Integrity and Data Integrity Board \| Publish Agreements on Website | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| IR | IR-6(1) | Incident Reporting \| Automated Reporting | Common | | <Provide System specific rationale for tailoring> |
| IR | IR-7 | Incident Response Assistance | Common | | <Provide System specific rationale for tailoring> |
| IR | IR-7(1) | Incident Response Assistance \| Automation Support for Availability of Information / Support | Common | | <Provide System specific rationale for tailoring> |
| PM | PM-1 | Information Security Program Plan | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-2 | Senior Information Security Officer | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-3 | Information Security Resources | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-4 | Plan of Action and Milestone Process | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-7 | Enterprise Architecture | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-9 | Risk Management Strategy | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-10 | Security Authorization Process | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-11 | Mission/Business Process Definition | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-12 | Insider Threat Program | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-13 | Information Security Workforce | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-14 | Testing, Training, and Monitoring | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-15 | Contacts with Security Groups and Associations | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PM | PM-16 | Threat Awareness Program | Common-Program Management Control | | <Provide System specific rationale for tailoring> |
| PS | PS-1 | Personnel Security Policy and Procedures | Common | | <Provide System specific rationale for tailoring> |
| PS | PS-2 | Position Risk Designation | Common | | <Provide System specific rationale for tailoring> |
| PS | PS-4(2) | Personnel Termination \| Automated Notification | Common | | <Provide System specific rationale for tailoring> |
| PS | PS-7 | Third-Party Personnel Security | Common | | <Provide System specific rationale for tailoring> |
| PS | PS-8 | Personnel Sanctions | Common | | <Provide System specific rationale for tailoring> |
| SA | SA-2 | Allocation of Resources | Common | | <Provide System specific rationale for tailoring> |
| SA | SA-4 | Acquisition Process | Common | | <Provide System specific rationale for tailoring> |
| SE | SE-2 | Privacy Incident Response | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| SI | SI-5(1) | Security Alerts, Advisories, and Directives \| Automated Alerts and Advisories | Common | | <Provide System specific rationale for tailoring> |
| TR | TR-2(1) | System of Records Notices and Privacy Act Statement \| Public Website Publication | Common-Privacy control | | <Provide System specific rationale for tailoring> |
| TR | TR-3 | Dissemination of Privacy Program Information | Common-Privacy control | | <Provide System specific rationale for tailoring> |

Privacy Controls - If the system Security Categorization Report and the signed Privacy Threshold Analysis state that the NRC system/subsystem does not process, store, or transmit privacy data, then the following privacy controls can be tailored out.

| Control Family | Control | Control Name | Control Type | Description | Rationale for Tailoring |
|---|---|---|---|---|---|
| AP | AP-1 | Authority to Collect | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| AP | AP-2 | Purpose Specification | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| AR | AR-3 | Privacy Requirements for Contractors and Service Providers | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| AR | AR-4 | Privacy Monitoring and Auditing | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| AR | AR-7 | Privacy Enhanced System Design and Development | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| AR | AR-8 | Accounting of Disclosures | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| DI | DI-1 | Data Quality | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DI | DI-1(1) | Data Quality \| Validate PII | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DI | DI-1(2) | Data Quality \| Re-Validate PII | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-1 | Minimization of Personally Identifiable Information | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-1(1) | Minimization of Personally Identifiable Information \| Locate / Remove / Redact / Anonymize PII | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-2 | Data Retention and Disposal | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-2(1) | Data Retention and Disposal \| System Configuration | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-3 | Minimization of PII Used in Testing, Training, and Research | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| DM | DM-3(1) | Minimization of PII Used in Testing, Training, and Research \| Risk Minimization Techniques | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-1 | Consent | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-1(1) | Consent \| Mechanisms Supporting Itemized or Tiered Consent | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-2 | Individual Access | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-3 | Redress | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-4 | Complaint Management | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| IP | IP-4(1) | Complaint Management \| Response Times | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| SE | SE-1 | Inventory of Personally Identifiable Information | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| TR | TR-1 | Privacy Notice | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| TR | TR-1(1) | Privacy Notice \| Real-Time or Layered Notice | System Specific-Privacy Control | | <Provide System specific rationale for tailoring> |
| TR | TR-2 | System of Records Notices and Privacy Act Statements | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| UL | UL-1 | Internal Use | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |
| UL | UL-2 | Information Sharing with Third Parties | Hybrid-Privacy Control | | <Provide System specific rationale for tailoring> |

Physical Controls - The following physical controls can be tailored out of the baseline if the system is hosted in an NRC facility with guards, guns, and gates.

| Control Family | Control | Control Name | Control Type | Description | Rationale for Tailoring |
|---|---|---|---|---|---|
| PE | PE-3 | Physical Access Control | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-3(1) | Physical Access Control \| Information System Access | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-4 | Access Control for Transmission Medium | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-5 | Access Control for Output Devices | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-6 | Monitoring Physical Access | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-6(1) | Monitoring Physical Access \| Intrusion Alarms / Surveillance Equipment | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-6(4) | Monitoring Physical Access \| Monitoring Physical Access to Information Systems | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-8 | Visitor Access Records | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-8(1) | Visitor Access Records \| Automated Records Maintenance / Review | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-9 | Power Equipment and Cabling | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-10 | Emergency Shutoff | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-11 | Emergency Power | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-11(1) | Emergency Power \| Long-Term Alternate Power Supply - Minimal Operational Capability | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-12 | Emergency Lighting | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-13 | Fire Protection | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-13(1) | Fire Protection \| Detection Devices / Systems | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-13(2) | Fire Protection \| Suppression Devices / Systems | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-13(3) | Fire Protection \| Automatic Fire Suppression | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-14 | Temperature and Humidity Controls | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-15 | Water Damage Protection | Hybrid | | <Provide System specific rationale for tailoring> |
| PE | PE-15(1) | Water Damage Protection \| Automation Support | Hybrid | | <Provide System specific rationale for tailoring> |

Not Applicable Controls - The following controls are not applicable to the system.

| Control Family | Control | Control Name | Control Type | Description | Rationale for Tailoring |
|---|---|---|---|---|---|
| | | | | | <Provide System specific rationale for tailoring> |
| | | | | | <Provide System specific rationale for tailoring> |
| | | | | | <Provide System specific rationale for tailoring> |

Controls provided by the Cloud Service Provider

| Control Family | Control | Control Name | Control Type | Description | Rationale for Tailoring |
|---|---|---|---|---|---|
| | | | | | <Provide System specific rationale for tailoring> |
| | | | | | <Provide System specific rationale for tailoring> |
| | | | | | <Provide System specific rationale for tailoring> |
CSO-PROS-7002 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| June 10, 2021 | | Annual review; no update was needed, so a version number change was not necessary. | CSO website | As needed |
| March 11, 2021 | 1.1 | Updated to include controls that are not applicable. Updated to include controls that are provided by the Cloud Service Provider. | CSO website | As needed |
| November 1, 2020 | 1.0 | Initial Issuance | CSO website | As needed |