Selecting Security and Privacy Controls: Choosing the Right Approach

Recently, NIST published a significant update to its flagship security and privacy controls catalog, Special Publication 800-53, Revision 5. This update created a set of next generation controls to help protect organizations, assets, and the privacy of individuals—and equally important—manage cybersecurity and privacy risks. So now that the publication is here, how should you use this extensive catalog of controls that covers everything from multifactor authentication to incident response? How do you select the right controls for your organization and the associated security and privacy programs that support the organization? How do you know when you have an adequate level of protection? How do you effectively manage security and privacy risks?

To answer those questions, it always helps to select your controls with the help of a risk management framework or a life cycle-based systems engineering process. Both provide disciplined and structured approaches for defining security and privacy requirements in the context of organizational missions and business functions and for achieving risk-based solutions that satisfy those requirements. In this article, we will be focusing on the NIST Risk Management Framework (RMF) and the different approaches organizations can use to effectively select their security and privacy controls from the control catalog.

With the major update to the RMF (Special Publication 800-37, Revision 2) in 2018, NIST defined two distinct approaches that can be used for the selection of controls:

• A baseline control selection approach, and
• An organization-generated control selection approach.

The baseline control selection approach uses control baselines, which are pre-defined sets of controls assembled to address the protection needs of a group, organization, or community of interest. Security and privacy control baselines serve as a starting point for the protection of information, information systems, and individuals’ privacy. Federal security and privacy control baselines are defined in draft NIST Special Publication 800-53B. The three security control baselines contain sets of security controls and control enhancements that offer protection for information and information systems that have been categorized as low-impact, moderate-impact, or high-impact—that is, the potential adverse consequences on the organization’s missions or business operations or a loss of assets if there is a breach or compromise to the system. The system security categorization, risk assessment, and security requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards can help guide and inform the selection of security control baselines from draft Special Publication 800-53B.

The privacy control baseline is based on a mapping of the controls and control enhancements in Special Publication 800-53, Revision 5 to the privacy program responsibilities under the Office of Management and Budget (OMB) Circular A-130. After the pre-defined security and privacy control baselines are selected, organizations can tailor the baselines in accordance with the guidance provided in draft Special Publication 800-53B. A privacy risk assessment and privacy requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards can also help guide and inform the tailoring of the privacy controls. The baseline control selection approach can provide consistency across broad and diverse communities of interest (e.g. federal agencies, healthcare sector, financial services sector, cloud service providers).

The organization-generated control selection approach differs from the baseline selection approach because the organization does not start with a pre-defined set of controls. Rather, the organization uses its own process to select controls. This may be necessary when the system is highly specialized (e.g., a weapons system or a medical device), has a limited purpose or scope (e.g., a smart meter), requires protection from a specific set of threats, or the nature of the data processing poses specific types of privacy risks. In these situations, it may be more efficient and cost-effective for an organization to select the controls for the system instead of starting with a pre-defined set of controls from a control baseline and adding or eliminating controls through the tailoring process. As in the baseline control selection approach, the selection of specific controls in the organization-generated selection approach can be guided and informed by the system security categorization, risk assessment, and requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards.

Organizations do not need to choose a single control selection approach, but instead, can choose the appropriate approach as circumstances dictate. This flexibility is needed to effectively manage security and privacy risks and to ensure that organizations are doing their security and privacy due diligence. After employing either control selection approach, the security and privacy controls are documented in the system security and privacy plans in preparation for control implementation, assessment, and continuous monitoring.