Date Published: February 2016
Comments Due:
Email Questions to:
Author(s)
Kelley Dempsey (NIST), Paul Eavy (DHS), George Moore (APL)
Announcement
NIST is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.
NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.
This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. These control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities—called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).
This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each...
See full abstract
This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. These control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities—called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).
Hide full abstract
Keywords
assessment boundary; assessment method; authorization boundary; automated security control assessment; automation; capability; continuous diagnostics and mitigation; information security continuous monitoring; dashboard; defect; defect check; desired state specification; ISCM dashboard; mitigation; ongoing assessment; root cause analysis; security automation; security capability; security control; security control assessment; assessment; actual state; security control item
Control Families
Audit and Accountability; Assessment, Authorization and Monitoring; Risk Assessment