Special Publication 800-53, Revision 2 Recommended Security Controls for Federal Information Systems
assessment results are shared with the appropriate information system owners to better support
the security accreditation process.
Partitioning security controls into common controls and system-specific controls can result in significant savings to the organization in development and implementation costs, especially when the common controls serve multiple information systems and entities. It can also result in a more consistent application of the security controls across the organization at large. Moreover, equally significant savings can be realized in the security certification and accreditation process. Rather than assessing common security controls in every information system, the certification process draws upon any applicable results from the most current assessment of the common security controls performed at the organization level. An organization-wide approach to reuse and sharing of assessment results can greatly enhance the efficiency of the security certifications and accreditations being conducted by organizations and significantly reduce security program costs.
While the concept of security control partitioning into common security controls and system-specific controls is straightforward and intuitive, the application of this principle within an organization takes planning, coordination, and perseverance. If an organization is just beginning to implement this approach or has only partially implemented it, it may take some time to get the maximum benefits from security control partitioning and the associated reuse of assessment evidence. Because of the potential dependence on common security controls by many of an organization’s information systems, a failure of such common controls may result in a significant increase in agency-level risk—risk that arises from the operation of the systems that depend on these controls.
Implementation Tip
The FIPS 199 security categorization process and the selection of common security controls are closely related activities that are most effectively accomplished on an organization-wide basis with the involvement of the organization’s senior leadership (i.e., authorizing officials, chief information officer, senior agency information security officer, information system owners, and mission/information owners). These individuals have the collective corporate knowledge to understand the organization’s priorities, the importance of the organization’s operations (including mission, functions, image, and reputation) and assets, and the relative importance of the organizational information systems that support those operations and assets. The organization’s senior leaders are also in the best position to select the common security controls for each of the security control baselines and assign organizational responsibilities for developing, implementing, and assessing those controls.
2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions. External information system services are services that are implemented outside of the system’s accreditation boundary (i.e., services that are used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business²³ arrangements), licensing agreements, and/or supply
²³ In March 2004, OMB initiated a governmentwide analysis of selected lines of business supporting the President's Management Agenda goal to expand Electronic Government. Interagency task forces examined business and information technology data and best practices for each line of business—Case Management, Financial Management, Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security, Budget Formulation and Execution, Geospatial, and IT Infrastructure. The goal of the effort is to identify opportunities to reduce the cost of government and improve services to citizens through business performance improvements.
CHAPTER 2 PAGE 11