Lubell, J.
(2021),
The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer, Proceedings of Balisage: The Markup Conference, Washington, DC, US, [online], https://doi.org/10.4242/BalisageVol26.Lubell01, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932872
(Accessed October 8, 2025)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer
Published
Author(s)
Abstract
Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as implying a different model than the normative prose intends? What does this say about relying on derived data models in the tools that support the specification? A cautionary tale involving the security control baselines from the National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights.Proceedings Title
Proceedings of Balisage: The Markup Conference
Volume
26
Conference Dates
August 2-6, 2021
Conference Location
Washington, DC, US
Conference Title
Balisage: The Markup Conference
Pub Type
Conferences
Download Paper
Keywords
security control, SP 800-53, baseline, tailoring, Open Security Controls Assessment Language, Baseline Tailor
Citation
Issues
If you have any questions about this publication or are having problems accessing it, please contact [email protected].
Created August 24, 2021, Updated November 29, 2022