Audit and Assurance


NIST 800-53 control baselines

  • 1.  NIST 800-53 control baselines

    Posted 15 Aug, 2019 12:12
    Hello - I'm trying to understand the baseline control recommendations in NIST 800-53. I'm specifically looking at the moderate level.

    My question is: when only the high-level control is listed (AC-3, IA-6, SA-2, etc.), does that mean the sub-controls are not included in the baseline? For example, only AC-3, access enforcement, is listed in the moderate column. It does not include any of the 10 subcontrols (AC3 (1-10)). Does that mean only AC-1 applies to moderate category?

    I understand the idea is to tailor and customize the controls based on organizational needs and risk, but I first want to understand the fundamentals of the document.

    Thank you.


    ------------------------------
    Richard Infusino
    IT Auditor
    ------------------------------


  • 2.  RE: NIST 800-53 control baselines

    Posted 15 Aug, 2019 13:37
    I found the answer to my question. In 800-53r4, appendix D, it states "Some security controls and enhancements are not used in any of the baselines in this appendix but are available for use by organizations if needed." That tells me 'no', the enhancements do not apply unless the risk assessment or needs of the organization determine otherwise.

    ------------------------------
    Richard Infusino
    IT Auditor
    ------------------------------
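    The reading above (an enhancement is in a baseline only when it is listed explicitly; a base control in the table does not pull its enhancements in) can be turned into a small checker. This is an added example, not code from the thread or from NIST; the baseline excerpt is a constructed sample for illustration, and the `parse_control_id` / `baseline_status` names are assumptions.

    ```python
    import re
    from typing import NamedTuple, Optional, Set

    class ControlId(NamedTuple):
        family: str               # e.g. "AC"
        number: int               # e.g. 3
        enhancement: Optional[int]  # None for the base control, 1 for AC-3(1)

        def base(self) -> "ControlId":
            return ControlId(self.family, self.number, None)

        def __str__(self) -> str:
            s = f"{self.family}-{self.number}"
            return f"{s}({self.enhancement})" if self.enhancement is not None else s

    # Accepts "AC-3", "AC-3(1)" and the spaced form "AC-3 (1)"; case-insensitive.
    _ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\s*\((\d+)\))?$")

    def parse_control_id(text: str) -> ControlId:
        m = _ID_RE.match(text.strip().upper())
        if not m:
            raise ValueError(f"not an 800-53 control identifier: {text!r}")
        fam, num, enh = m.groups()
        return ControlId(fam, int(num), int(enh) if enh else None)

    # Constructed excerpt of a moderate-baseline allocation table (sample only;
    # the real table is appendix D of 800-53r4). Enhancements appear as their own rows.
    MODERATE_BASELINE: Set[ControlId] = {
        parse_control_id(c)
        for c in ["AC-2", "AC-2(1)", "AC-2(2)", "AC-2(3)", "AC-2(4)", "AC-3", "IA-6", "SA-2"]
    }

    def baseline_status(control: str, baseline: Set[ControlId]) -> str:
        """Explain why a control or enhancement is, or is not, part of a baseline."""
        cid = parse_control_id(control)
        if cid in baseline:
            return "selected"
        if cid.enhancement is not None and cid.base() in baseline:
            # The base control is allocated, but this enhancement was never listed,
            # so it is only available through tailoring.
            return "not selected (base control selected, enhancement available for tailoring)"
        return "not selected (available for tailoring)"
    ```
    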



  • 3.  RE: NIST 800-53 control baselines

    Posted 25 Aug, 2019 11:40
    I have learned that too now, thanks for sharing!

    ------------------------------
    Ngoran Allangba
    C&A Analyst
    ------------------------------