CHAPTER THREE, THE CONTROLS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki
CHAPTER THREE
SECURITY AND PRIVACY CONTROLS AND CONTROL ENHANCEMENTS
This catalog of security and privacy controls provides protective measures for systems, organizations, and individuals.[33] The controls are designed to facilitate risk management and compliance with applicable federal laws, executive orders, directives, regulations, policies, and standards. With few exceptions, the security and privacy controls in the catalog are policy-, technology-, and sector-neutral, meaning that the controls focus on the fundamental measures necessary to protect information and the privacy of individuals across the information life cycle. While the security and privacy controls are largely policy-, technology-, and sector-neutral, that does not imply that the controls are policy-, technology-, and sector-unaware. Understanding policies, technologies, and sectors is necessary so that the controls are relevant when they are implemented. Employing a policy-, technology-, and sector-neutral control catalog has many benefits. It encourages organizations to:
- Focus on the security and privacy functions and capabilities required for mission and business success and the protection of information and the privacy of individuals, irrespective of the technologies that are employed in organizational systems;
- Analyze each security and privacy control for its applicability to specific technologies, environments of operation, mission and business functions, and communities of interest; and
- Specify security and privacy policies as part of the tailoring process for controls that have variable parameters.
In the few cases where specific technologies are referenced in controls, organizations are cautioned that the need to manage security and privacy risks may go beyond the requirements in a single control associated with a technology. The additional needed protection measures are obtained from the other controls in the catalog. Federal Information Processing Standards, Special Publications, and Interagency/Internal Reports provide guidance on selecting security and privacy controls that reduce risk for specific technologies and sector-specific applications, including smart grid, cloud, healthcare, mobile, industrial control systems, and Internet of Things (IoT) devices.[34] NIST publications are cited as references as applicable to specific controls in Sections 3.1 through 3.20.
Security and privacy controls in the catalog are expected to change over time as controls are withdrawn, revised, and added. To maintain stability in security and privacy plans, controls are not renumbered each time a control is withdrawn. Rather, notations of the controls that have been withdrawn are maintained in the control catalog for historical purposes. Controls may be withdrawn for a variety of reasons, including when the function or capability provided by the control has been incorporated into another control, the control is redundant to an existing control, or the control is deemed to be no longer necessary or effective.
New controls are developed on a regular basis using threat and vulnerability information and information on the tactics, techniques, and procedures used by adversaries. In addition, new controls are developed based on a better understanding of how to mitigate information security risks to systems and organizations and risks to the privacy of individuals arising from information processing. Finally, new controls are developed based on new or changing requirements in laws, executive orders, regulations, policies, standards, or guidelines. Proposed modifications to the controls are carefully analyzed during each revision cycle, considering the need for stability of controls and the need to be responsive to changing technologies, threats, vulnerabilities, types of attack, and processing methods. The objective is to adjust the level of information security and privacy over time to meet the needs of organizations and individuals.

[33] The controls in this publication are available online and can be obtained in various formats. See [NVD 800-53].
[34] For example, [SP 800-82] provides guidance on risk management and control selection for industrial control systems.