By Kathryn M. Farrish, CISSP
BAI Consulting
Under RMF, NIST SP 800-53 is the primary source for security controls. If we compare these controls to the DoDI 8500.2 IA controls used in DIACAP, several obvious differences can be seen. Most notable among these differences is the fact that many of the NIST controls are not “complete” as published, but require some “fill in the blanks”. These “blanks” are called Organization-defined Values or Organization-defined Parameters. Here is an example taken directly from NIST SP 800-53:
AU-11 Audit Record Retention
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
As you can see, this control is not truly “complete” until the required retention period is filled in.
Many other controls require two or more “Assignment” parameters to be filled in before the control can be considered “complete”.
A few controls contain a different type of organization-defined parameter called a “Selection”. In these cases, the organization is not required to “fill in the blank”, but rather to choose from a set of alternatives. For example:
AC-20 Use of External Information Systems
Enhancement (2). The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
In this case, one of the two alternatives is chosen in order to “complete” the control.
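As an added illustration (not part of the original newsletter), the short Python routine below finds the two placeholder types quoted above in control text and fills them from supplied organization-defined values, rejecting a Selection that is not one of the listed alternatives and leaving any unfilled blank visible so the System Owner can see what still needs a decision. The two control texts are the AU-11 and AC-20(2) excerpts quoted above; the chosen values are constructed for the demonstration.

```python
import re

# Placeholder syntax of NIST SP 800-53 control text, as quoted on this page:
#   [Assignment: organization-defined <description>]  -> fill in the blank
#   [Selection: alternative1; alternative2]           -> choose one alternative
PARAM_RE = re.compile(r"\[(Assignment|Selection):\s*([^\]]+)\]")

# Control text taken from the two examples quoted above.
AU_11 = ("The organization retains audit records for [Assignment: organization-defined "
         "time period consistent with records retention policy] to provide support for "
         "after-the-fact investigations of security incidents and to meet regulatory and "
         "organizational information retention requirements.")
AC_20_2 = ("The organization [Selection: restricts; prohibits] the use of "
           "organization-controlled portable storage devices by authorized individuals "
           "on external information systems.")


def find_parameters(control_text):
    """Return (kind, detail) for each placeholder, in document order.

    For an Assignment, detail is the description; for a Selection it is the
    list of alternatives the organization must choose from.
    """
    params = []
    for m in PARAM_RE.finditer(control_text):
        kind, body = m.group(1), m.group(2).strip()
        detail = [a.strip() for a in body.split(";")] if kind == "Selection" else body
        params.append((kind, detail))
    return params


def complete_control(control_text, values):
    """Substitute organization-defined values into a control.

    `values` holds one entry per placeholder in document order (None = not yet
    decided).  Returns (text, unresolved); unresolved lists placeholders left
    open, i.e. those that remain at the System Owner's discretion.
    """
    params = find_parameters(control_text)
    padded = list(values) + [None] * (len(params) - len(values))
    pairs = iter(zip(params, padded))
    unresolved = []

    def substitute(match):
        (kind, detail), value = next(pairs)
        if value is None:
            unresolved.append((kind, detail))
            return match.group(0)          # keep the blank visible in the output
        if kind == "Selection" and value not in detail:
            raise ValueError(f"{value!r} is not one of the alternatives {detail}")
        return value

    return PARAM_RE.sub(substitute, control_text), unresolved


if __name__ == "__main__":
    # Constructed values: the CNSSI 1253 AU-11 value for non-SCI information, and "prohibits".
    print(complete_control(AU_11, ["a minimum of 1 year"])[0])
    print(complete_control(AC_20_2, ["prohibits"])[0])
    print("still open:", complete_control(AU_11, [])[1])
```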
So how is a System Owner supposed to figure out what values to fill in? Like a lot of things in this business, it’s a simple question with a somewhat complicated answer.
- CNSSI 1253 contains a list of organization-defined values for some (but by no means all) of the controls. For example:
  - AU-11: “A minimum of 5 years for Sensitive Compartmented Information and Sources and Methods Intelligence Information AND A minimum of 1 year for all other information (Unclassified through Collateral Top Secret)”
- DoD has indicated they plan to publish a list of organization-defined values on the RMF Knowledge Service website; however, this has not been done as of the publication date of this newsletter.
- DoD Components or command-level information security policies may provide additional organization-defined values. For example, component-level policies provide specific requirements for passwords, such as minimum length and complexity. These requirements enable organization-defined parameters to be filled in for controls such as IA-5.
- Information security policies for individual systems may also provide organization-defined values (e.g., backup frequencies).
Any organization-defined parameters not covered by one of the above will remain at the discretion of the System Owner. It is highly recommended that the System Owner document the organization-defined values (and the rationale for their choice) in the System Security Plan.