Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Selecting Security and Privacy Controls: Choosing the Right Approach

Blog Image: Selecting Controls Image

Recently, NIST published a significant update to its flagship security and privacy controls catalog, Special Publication 800-53, Revision 5. This update created a set of next generation controls to help protect organizations, assets, and the privacy of individuals—and equally important—manage cybersecurity and privacy risks. So now that the publication is here, how should you use this extensive catalog of controls that covers everything from multifactor authentication to incident response? How do you select the right controls for your organization and the associated security and privacy programs that support the organization? How do you know when you have an adequate level of protection? How do you effectively manage security and privacy risks?

To answer those questions, it always helps to select your controls with the help of a risk management framework or a life cycle-based systems engineering process. Both provide disciplined and structured approaches for defining security and privacy requirements in the context of organizational missions and business functions and for achieving risk-based solutions that satisfy those requirements. In this article, we will be focusing on the NIST Risk Management Framework (RMF) and the different approaches organizations can use to effectively select their security and privacy controls from the control catalog.

With the major update to the RMF (Special Publication 800-37, Revision 2) in 2018, NIST defined two distinct approaches that can be used for the selection of controls:

  • A baseline control selection approach, and
  • An organization-generated control selection approach.

The baseline control selection approach uses control baselines, which are pre-defined sets of controls assembled to address the protection needs of a group, organization, or community of interest. Security and privacy control baselines serve as a starting point for the protection of information, information systems, and individuals’ privacy. Federal security and privacy control baselines are defined in draft NIST Special Publication 800-53B. The three security control baselines contain sets of security controls and control enhancements that offer protection for information and information systems that have been categorized as low-impact, moderate-impact, or high-impact—that is, the potential adverse consequences on the organization’s missions or business operations or a loss of assets if there is a breach or compromise to the system. The system security categorization, risk assessment, and security requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards can help guide and inform the selection of security control baselines from draft Special Publication 800-53B.

The privacy control baseline is based on a mapping of the controls and control enhancements in Special Publication 800-53, Revision 5 to the privacy program responsibilities under the Office of Management and Budget (OMB) Circular A-130. After the pre-defined security and privacy control baselines are selected, organizations can tailor the baselines in accordance with the guidance provided in draft Special Publication 800-53B. A privacy risk assessment and privacy requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards can also help guide and inform the tailoring of the privacy controls. The baseline control selection approach can provide consistency across broad and diverse communities of interest (e.g. federal agencies, healthcare sector, financial services sector, cloud service providers).

The organization-generated control selection approach differs from the baseline selection approach because the organization does not start with a pre-defined set of controls. Rather, the organization uses its own process to select controls. This may be necessary when the system is highly specialized (e.g., a weapons system or a medical device), has a limited purpose or scope (e.g., a smart meter), requires protection from a specific set of threats, or the nature of the data processing poses specific types of privacy risks. In these situations, it may be more efficient and cost-effective for an organization to select the controls for the system instead of starting with a pre-defined set of controls from a control baseline and adding or eliminating controls through the tailoring process. As in the baseline control selection approach, the selection of specific controls in the organization-generated selection approach can be guided and informed by the system security categorization, risk assessment, and requirements derived from stakeholder protection needs, laws, executive orders, regulations, policies, directives, and standards.

Organizations do not need to choose a single control selection approach, but instead, can choose the appropriate approach as circumstances dictate. This flexibility is needed to effectively manage security and privacy risks and to ensure that organizations are doing their security and privacy due diligence. After employing either control selection approach, the security and privacy controls are documented in the system security and privacy plans in preparation for control implementation, assessment, and continuous monitoring.

About the author

Ron Ross

Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering.  Ron is a retired Army officer who, when not defending cyberspace, follows his passion for NASCAR and takes care of his adopted rescue dog, Sophie.

Victoria Yan Pillitteri

Victoria Yan Pillitteri is a supervisory computer scientist at the National Institute of Standards and Technology. She leads the Federal Information Security Modernization Act (FISMA) Team that develops the suite of risk management guidance used for managing information security risk in the federal government. Outside of work, she enjoys teaching group exercise classes, baking, and traveling.

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work on the National Strategy for Trusted Identities in Cyberspace (NSTIC), privacy engineering, privacy-enhancing technologies, cybersecurity and standards development.

FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 Federal 100 Awards winner.

Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Staff in the Executive Office of the President. Her portfolio included the NSTIC as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs.

Prior to her tenure at the White House, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy.

At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer.

Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.

Comments

Love the guidance here! Thanks for sharing!

Well done! Thanks for the "full-circle" support...

Nice summary of the different approaches to select Security and Privacy controls. Well done!

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.