NIST SP800-53-r2：联邦信息系统推荐安全控制指南

需积分: 10 169 浏览量更新于2024-07-16 收藏 1.42MB PDF 举报

NIST SP800-53（修订版2）是美国国家标准与技术研究所（NIST）发布的一份重要文档，它提供了针对联邦信息安全系统的推荐安全控制措施。这份特别出版物针对组织在保护其信息和信息系统时应考虑的关键问题进行了深入探讨，包括对信息系统的有效保护、所选安全控制措施的实施计划以及所需的安全保障水平。首要任务是确定为了支持组织运营和资产，以及实现其使命所需的适当安全控制。这涉及到保护信息系统的机密性、完整性和可用性。组织管理层需回答一系列关于信息安全的问题，例如： 1. 如何选择并实施足以保护组织关键业务系统和资产的安全控制措施，同时确保法律义务的履行、日常功能的维持和个人隐私的保护？ 2. 所选的安全控制是否已经到位，或者有一个现实可行的实施计划？ 3. 对于实施的安全控制，组织希望或要求达到什么样的信心保障（即有效性），以证明这些控制措施在实际应用中的有效性？ NIST SP800-53的推荐旨在与一个有效的信息安全程序相结合，该程序包括定期的风险评估，分析未经授权访问、使用、泄露、干扰、修改或破坏信息及信息系统可能带来的潜在危害。此外，信息安全政策和程序应基于风险评估结果，以成本效益的方式将风险降低到可接受的水平，并覆盖组织信息系统的全生命周期。该特别出版物还强调了技术领导力的重要性，由NIST的计算机安全分部（Computer Security Division, CSD）和信息技术实验室（Information Technology Laboratory, ITL）共同制定，以促进美国经济和公共福利。NIST通过测试、测试方法、参考数据、概念验证实施和技术分析，推动国家测量和标准基础设施的发展，为信息安全提供技术指导。 NIST SP800-53修订版2为联邦机构提供了一套全面的框架，帮助他们构建和管理信息安全策略，确保敏感信息的安全，同时适应不断变化的威胁环境。通过遵循这份指南，组织可以更好地保护其关键信息资产，提升整体的信息安全保障水平。

Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems

________________________________________________________________________________________________

Selection statements also narrow the potential input values by providing a specific list of items

from which the organization must choose.

The supplemental guidance section provides additional information related to a specific security

control. Organizations are expected to apply the supplemental guidance as appropriate, when

defining, developing, and implementing security controls. In certain instances, the supplemental

guidance provides more detail concerning the control requirements or important considerations

(and the needed flexibility) for implementing security controls in the context of an organization’s

operational environment, specific mission requirements, or assessment of risk. In addition,

applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance

documents (e.g., OMB Circulars, FIPS, and NIST Special Publications) are listed in the

supplemental guidance section, when appropriate, for the particular security control.

The control enhancements section provides statements of security capability to: (i) build in

additional, but related, functionality to a basic control; and/or (ii) increase the strength of a basic

control. In both cases, the control enhancements are used in an information system requiring

greater protection due to the potential impact of loss or when organizations seek additions to a

basic control’s functionality based on the results of a risk assessment. Control enhancements are

numbered sequentially within each control so that the enhancements can be easily identified when

selected to supplement the basic control. In the example above, if all three control enhancements

are selected, the control designation subsequently becomes AU-2 (1) (2) (3). The numerical

designation of a security control enhancement is used only to identify a particular enhancement

within the control structure. The designation is neither indicative of the relative strength of the

control enhancement nor assumes any hierarchical relationship among enhancements. In the

above example, enhancement (3) is used before (1) and (2) since that enhancement is appropriate

at a lower level than the other two. This type of situation arises from the decision to enhance

control stability in the face of change by not renumbering existing enhancements when new ones

are added or when decisions about placement within baselines change.

2.2 SECURITY CONTROL BASELINES

Organizations are required to employ security controls to meet security requirements defined by

applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., Federal

Information Security Management Act, OMB Circular A-130, Appendix III). The challenge for

organizations is to determine the appropriate set of security controls, which if implemented and

determined to be effective in their application, would most cost-effectively comply with the stated

security requirements.

Selecting the appropriate set of security controls to meet the specific,

and sometimes unique, security requirements of an organization is an important task—a task that

demonstrates the organization’s commitment to security and the due diligence exercised in

protecting the confidentiality, integrity, and availability of their information and information

systems.

To assist organizations in making the appropriate selection of security controls for their

information systems, the concept of baseline controls is introduced. Baseline controls are the

minimum security controls recommended for an information system based on the system’s

An information system may require security controls at different layers within the system. For example, an operating

system or network component typically provides an identification and authentication capability. An application may

also provide its own identification and authentication capability rendering an additional level of protection for the

overall information system. The selection and specification of security controls should consider components at all

layers within the information system as part of effective security and privacy architectures.

CHAPTER 2 PAGE 8

Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems

________________________________________________________________________________________________

security categorization in accordance with FIPS 199.

The tailored security control baseline

(i.e., the appropriate control baseline from Appendix D tailored in accordance with the guidanc

in Section 3.3) serves as the starting point for organizations in determining the appropriat

safeguards and countermeasures necessary to protect their information systems. Because the

baselines are intended to be broadly applicable starting points, supplements to the tailored

baselines (see Section 3.4) will likely be necessary in order to achieve adequate risk mitigation.

The tailored baselines are supplemented based on organizational assessments of risk and the

resulting controls documented in the security plans for the information systems.

Appendix D provides a listing of baseline security controls. Three sets of baseline controls have

been identified corresponding to the low-impact, moderate-impact, and high-impact levels

defined in the security categorization process in FIPS 199 and derived in Section 3.2. Each of the

three baselines provides an initial set of security controls for a particular impact level associated

with a security category.

Appendix F provides the complete catalog of security controls for

information systems, arranged by control families. The catalog represents the entire set of

security controls defined at this time. Chapter 3 provides additional information on how to use

security categories to select the appropriate set of baseline security controls, how to apply the

tailoring guidance to the baseline controls, and how to supplement the tailored baseline in order to

achieve adequate risk mitigation.

Implementation Tip

Since the baseline security controls represent the minimum controls for low-impact, moderate-impact,

and high-impact information systems, respectively, there are additional controls and control

enhancements that appear in the catalog that are found in only higher-impact baselines or not used in

any of the baselines. These additional security controls and control enhancements for the information

system are available to organizations and can be used in supplementing the tailored baselines to

achieve the needed level of protection in accordance with an organizational assessment of risk.

Moreover, security controls and control enhancements contained in higher-level baselines can also be

used by organizations to strengthen the level of protection provided in lower-level baselines, if deemed

appropriate. At the end of the security control selection and specification process, the agreed-upon set

of security controls documented in the security plan, must be sufficient to provide adequate security for

the organization and mitigate risks to its operations, assets, and individuals.

2.3 COMMON SECURITY CONTROLS

An organization-wide view of an information security program facilitates the identification of

common security controls that can be applied to one or more organizational information systems.

Common security controls can apply to: (i) all organizational information systems; (ii) a group of

information systems at a specific site; or (iii) common information systems, subsystems, or

applications (i.e., common hardware, software, and/or firmware) deployed at multiple operational

sites. Common security controls have the following properties:

FIPS 199 security categories are based on the potential impact on an organization or individuals should certain events

occur which jeopardize the information and information systems needed by the organization to accomplish its assigned

mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

The baseline security controls contained in Appendix D are not necessarily absolutes in that the tailoring guidance

described in Section 3.3 provides the organization the ability to eliminate certain controls or specify compensating

controls under strict terms and conditions.

CHAPTER 2 PAGE 9

Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems

________________________________________________________________________________________________

• The development, implementation, and assessment of common security controls can be

assigned to responsible organizational officials or organizational elements (other than the

information system owners whose systems will implement or use the common security

controls); and

• The results from the assessment of the common security controls can be used to support the

security certification and accreditation processes of organizational information systems where

the controls have been applied.

The identification of common security controls is most effectively accomplished as an

organization-wide exercise with the involvement of the chief information officer, senior agency

information security officer, authorizing officials, information system owners/program managers,

information owners, and information system security officers. The organization-wide exercise

considers the categories of information systems within the organization in accordance with FIPS

199 (i.e., low-impact, moderate-impact, or high-impact information systems) and the minimum

security controls necessary to protect the operations and assets supported by those systems (see

baseline security controls in Section 2.2). For example, common security controls can be

identified for all low-impact information systems by considering the baseline security controls for

that category of information system. Similar exercises can be conducted for moderate-impact and

high-impact systems as well.

Many of the security controls needed to protect an information system (e.g., contingency planning

controls, incident response controls, security training and awareness controls, personnel security

controls, physical and environmental protection controls, and intrusion detection controls) may be

excellent candidates for common security control status. By centrally managing the development,

implementation, and assessment of the common security controls designated by the organization,

security costs can be amortized across multiple information systems. Security controls not

designated as common controls are considered system-specific controls and are the responsibility

of the information system owner. Security plans for individual information systems should

clearly identify which security controls have been designated by the organization as common

security controls and which controls have been designated as system-specific controls.

Organizations may also assign a hybrid status to security controls in situations where one part of

the control is deemed to be common, while another part of the control is deemed to be system-

specific. For example, an organization may view the

IR-1 (Incident Response Policy and

Procedures) security control as a hybrid control with the policy portion of the control deemed to

be common and the procedures portion of the control deemed to be system-specific. Hybrid

controls may also serve as templates for further control refinement. An organization may choose,

for example, to implement the CP-2 (Contingency Planning) security control as a master template

for a generalized contingency plan for all organizational information systems with individual

information system owners tailoring the plan, where appropriate, for system-specific issues.

Information system owners are responsible for any system-specific issues associated with the

implementation of an organization’s common security controls. These issues are identified and

described in the system security plans for the individual information systems. The senior agency

information security officer, acting on behalf of the chief information officer, should coordinate

with organizational officials (e.g., facilities managers, site managers, personnel managers)

responsible for the development and implementation of the designated common security controls

to ensure that the required controls are put into place, the controls are assessed, and the

NIST Special Publication 800-37 provides guidance on security certification and accreditation of information

systems.

CHAPTER 2 PAGE 10

Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems

________________________________________________________________________________________________

assessment results are shared with the appropriate information system owners to better support

the security accreditation process.

Partitioning security controls into common controls and system-specific controls can result in

significant savings to the organization in development and implementation costs especially when

the common controls serve multiple information systems and entities. It can also result in a more

consistent application of the security controls across the organization at large. Moreover, equally

significant savings can be realized in the security certification and accreditation process. Rather

than assessing common security controls in every information system, the certification process

draws upon any applicable results from the most current assessment of the common security

controls performed at the organization level. An organization-wide approach to reuse and sharing

of assessment results can greatly enhance the efficiency of the security certifications and

accreditations being conducted by organizations and significantly reduce security program costs.

While the concept of security control partitioning into common security controls and system-

specific controls is straightforward and intuitive, the application of this principle within an

organization takes planning, coordination, and perseverance. If an organization is just beginning

to implement this approach or has only partially implemented this approach, it may take some

time to get the maximum benefits from security control partitioning and the associated reuse of

assessment evidence. Because of the potential dependence on common security controls by many

of an organization’s information systems, a failure of such common controls may result in a

significant increase in agency-level risk—risk that arises from the operation of the systems that

depend on these controls.

The FIPS 199 security categorization process and the selection of common security controls are closely

related activities that are most effectively accomplished on an organization-wide basis with the

involvement of the organization’s senior leadership (i.e., authorizing officials, chief information officer,

senior agency information security officer, information system owners, and mission/information owners).

These individuals have the collective corporate knowledge to understand the organization’s priorities, the

importance of the organization’s operations (including mission, functions, image, and reputation) and

assets, and the relative importance of the organizational information systems that support those

operations and assets. The organization’s senior leaders are also in the best position to select the

common security controls for each of the security control baselines and assign organizational

responsibilities for developing, implementing, and assessing those controls.

Implementation Tip

2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS

Organizations are becoming increasingly reliant on information system services provided by

external service providers to carry out important missions and functions. External information

system services are services that are implemented outside of the system’s accreditation boundary

(i.e., services that are used by, but not a part of, the organizational information system).

Relationships with external service providers are established in a variety of ways, for example,

through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts,

interagency agreements, lines of business

arrangements), licensing agreements, and/or supply

In March 2004, OMB initiated a governmentwide analysis of selected lines of business supporting the President's

Management Agenda goal to expand Electronic Government. Interagency task forces examined business and

information technology data and best practices for each line of business—Case Management, Financial Management,

Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security,

Budget Formulation and Execution, Geospatial, and IT Infrastructure. The goal of the effort is to identify opportunities

to reduce the cost of government and improve services to citizens through business performance improvements.

CHAPTER 2 PAGE 11

Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems

________________________________________________________________________________________________

chain exchanges. The growing dependence on external service providers and new relationships

being forged with those providers present new and difficult challenges for the organization,

especially in the area of information system security. These challenges include, but are not

limited to: (i) defining the types of external services provided to the organization;

(ii) describing

how the external services are protected in accordance with the security requirements of the

organization; and (iii) obtaining the necessary assurances that the risk to the organization’s

operations and assets, and to individuals, arising from the use of the external services is at an

acceptable level.

The assurance or confidence that the risk to the organization’s operations, assets, and individuals

is at an acceptable level depends on the trust

that the authorizing official places in the external

service provider. In some cases, the level of trust is based on the amount of direct control the

authorizing official is able to exert on the external service provider with regard to the

employment of appropriate security controls necessary for the protection of the service and the

evidence brought forth as to the effectiveness of those controls. The level of control is usually

established by the terms and conditions of the contract or service-level agreement with the

external service provider and can range from extensive (e.g., negotiating a contract or agreement

that specifies detailed security control requirements for the provider

) to very limited (e.g., using

a contract or service-level agreement to obtain commodity services

such as commercial

telecommunications services). In other cases, the level of trust is derived from other factors that

convince the authorizing official that the requisite security controls have been employed and that

a credible determination of control effectiveness exists. For example, a separately accredited

external information system service provided to a federal agency through a line of business

relationship may provide a degree of trust in the external service within the tolerable risk range of

the authorizing official.

Information exchanges may be required among the many possible relationships with external service providers. The

risk of exchanging information among business partners and other external entities must be assessed and appropriate

security controls employed. There may be contract language that establishes specific requirements to protect

information exchanged and/or that specifies particular remedies for failure to protect the information as prescribed. In

addition, there may be laws or regulations that protect this information from unauthorized disclosure.

The level of trust that an organization places in an external service provider can vary widely ranging from those who

are highly trusted (e.g., business partners in a joint venture that share a common business model and common goals) to

those who are less trusted and represent greater sources of risk (e.g., business partners in one endeavor who are also

competitors in another market sector).

In reality, the provision of services by providers external to the organization may result in some services without

explicit agreements between the organization and the external entities responsible for the services. Whenever explicit

agreements are feasible and practical (e.g., through contracts, service-level agreements, etc.), the organization should

develop such agreements and require the use of the security controls in Special Publication 800-53. When the

organization is not in a position to require explicit agreements with external service providers (e.g., when the service is

imposed on the organization or when the service is commodity service), the organization should establish explicit

assumptions about the service capabilities with regard to security. Contracts between the organization and external

service providers may also require the active participation of the organization. For example, the organization may be

required by the contract to install public key encryption-enabled client software recommended by the service provider.

Normally, commercial providers of commodity-type services (e.g., telecommunications services) organize their

business models and services around the concept of shared resources and devices for a broad and diverse customer

base. Therefore, unless organizations obtain fully dedicated services from commercial service providers (including

dedicated devices and management systems), there will likely be a need for greater reliance on compensating security

controls to provide the necessary protections for the information system that relies on those external services. The

organization’s risk assessment and risk mitigation activities should reflect this situation.

CHAPTER 2 PAGE 12

剩余187页未读，继续阅读

艾米的爸爸

粉丝: 784
资源: 314

NIST SP800-53-r2：联邦信息系统推荐安全控制指南

NIST SP800-53A rev1.pdf

NIST_SP800-53

NIST SP 800-53A: 联邦信息系统中安全控制评价指南

NIST SP800-60 Vol2 Rev1.pdf

NIST SP800-60 Vol1 Rev1.pdf

NIST SP800-70-rev2.pdf

NIST SP800-85A-2-final.pdf

NIST SP800-53A.pdf

NIST SP800-53 AppendicesDEF.pdf

NIST SP800-87_Rev1-April2008Final.pdf

最新资源