Building A Security Control Baseline “Step-by-Step”


Article By Lon J. Berman, CISSP

In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-by-step. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline.

Step 1: Create Initial Control Set

Your System Categorization defines the initial set of Security Controls for your baseline. NIST SP 800-53 is the source of the controls themselves, but it is CNSSI 1253 that lists the controls that are applicable to your particular categorization level.

For example, suppose your system is categorized as Confidentiality-Moderate, Integrity-Moderate, Availability-Low. Using Table D-1 in CNSSI 1253, you can readily determine the controls and control enhancements that will comprise your initial control set. Each row in the table that contains an “X” or a “+” under one or more of your three categorization levels belongs in your control set.

Step 2: Apply Overlays

Security Control Overlays have been developed for several “communities of interest,” including classified systems, intelligence systems, space platforms, and privacy systems. If your system meets one or more of these criteria, you’ll need to carefully read and apply each element of the overlay to your initial control baseline. Overlays typically add numerous new controls or control enhancements to the baseline, and also provide supplemental guidance for various controls.

Overlays are published on the CNSS website,

Note that if you are using an automated tool such as eMASS (Enterprise Mission Assurance Support Service), these first two steps can be accomplished by “checking the boxes” for your system categorization levels and applicable overlays.

Step 3: Apply Scoping Guidance

Once you have a control set with any applicable overlays, you are in a position to review each of the controls to see if any of them are Not Applicable to your system. For example, some of the technical controls refer to specific technologies you may not be using. Note that any control deemed Not Applicable should be accompanied by appropriate justification.

Step 4: Supplement the Control Set

Perhaps your system employs unique technologies or exists in an environment containing unique threats. In such cases, consider adding security controls to your baseline to ensure appropriate safeguards are implemented.

Fortunately, NIST SP 800-53 contains numerous Security Controls that are not in any of the “standard” baselines. Rather, they are intended for use, if needed, to address unique technologies or threats.

The ideal way to identify those areas requiring control set supplementation is to conduct an initial risk assessment of your system.

Step 5: Determine Organization-defined Values

As you examine the security controls in your nearly completed baseline, you’ll see that many of them are really not 100% complete. They are replete with “blanks” that need to be filled in with what are called “organization-defined values”. For example, security control CM-6 states:

The organization:

a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

b. Implements the configuration settings;

c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

It is up to the System Owner to “fill in” each of the bracketed items with the actual values for the system.

In some cases, DoD will provide a “default” for an organization-defined value. This is often the case with numerical parameters like frequencies for review of policies and procedures. The general rule of thumb is that system owners are free to provide their own value, so long as it “equals or exceeds” the DoD-specified “minimum.”

Step 6: Document Results

If automated tools like eMASS are in use, generating a System Security Plan report will provide documentation of the full Security Control Baseline. As is the case for the System Categorization, the System Owner should be prepared to brief the Authorizing Official (AO) on the Security Control Baseline if requested.
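Steps 1 through 5 can be sketched in Python as follows. This is an added example, not code from the article or from eMASS: the function names are hypothetical, and the table rows, the EX-* control IDs, and all marks (including those shown for CM-6) are constructed sample data, not the contents of CNSSI 1253 Table D-1.

```python
import re

# Constructed rows shaped like CNSSI 1253 Table D-1 (NOT the real table).
# Keys are "<objective>-<level>" columns; values are the "X" / "+" marks.
TABLE_D1_SAMPLE = {
    "EX-1":    {"C-L": "X", "C-M": "X", "C-H": "X"},
    "EX-2":    {"I-M": "+", "I-H": "X"},
    "EX-2(1)": {"A-M": "X", "A-H": "X"},
    "EX-3":    {"C-H": "X", "I-H": "X"},
    "CM-6":    {"I-L": "X", "I-M": "X", "I-H": "X"},  # marks are constructed
}

# Abridged from the CM-6 text quoted in Step 5.
CM6_TEXT = (
    "a. Establishes and documents configuration settings using [Assignment: "
    "organization-defined security configuration checklists]; c. approves any "
    "deviations for [Assignment: organization-defined information system "
    "components] based on [Assignment: organization-defined operational "
    "requirements]"
)
ASSIGNMENT = re.compile(r"\[Assignment:\s*([^\]]+)\]")

def initial_control_set(table, categorization):
    """Step 1: keep rows marked X or + under any of the system's three levels."""
    cols = {f"{obj}-{lvl}" for obj, lvl in categorization.items()}
    return {cid for cid, marks in table.items()
            if any(marks.get(col) in ("X", "+") for col in cols)}

def tailor(initial, overlay_adds=(), not_applicable=None, supplements=()):
    """Steps 2-4: add overlay controls, scope out N/A ones, then supplement."""
    not_applicable = not_applicable or {}
    unjustified = sorted(c for c, why in not_applicable.items() if not why.strip())
    if unjustified:
        raise ValueError(f"Not Applicable without justification: {unjustified}")
    scoped = (set(initial) | set(overlay_adds)) - set(not_applicable)
    return scoped | set(supplements)

def unfilled_assignments(control_text, values):
    """Step 5: organization-defined parameters that still have no value."""
    names = [" ".join(n.split()) for n in ASSIGNMENT.findall(control_text)]
    return [n for n in names if not values.get(n, "").strip()]

if __name__ == "__main__":
    base = initial_control_set(TABLE_D1_SAMPLE, {"C": "M", "I": "M", "A": "L"})
    final = tailor(base, overlay_adds={"EX-3"}, supplements={"EX-9"},
                   not_applicable={"EX-2": "constructed justification text"})
    print(sorted(final), unfilled_assignments(CM6_TEXT, {}))
```

Scoping out a control with an empty justification raises an error, mirroring the requirement in Step 3.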


A ton of other information can be found on the NIST web site.