Security Control Baseline “Tabletop Review”

By Lon J. Berman, CISSP at BAI Information Security

Let’s take a look at some strategies for reviewing the Security Control Baseline and creating “action plans” for implementation.

The “Raw Materials”

An effective review starts with the right materials. You’ll need two spreadsheets to work with:

  • Security Controls
  • Assessment Procedures (CCIs)

Using the Security Controls Explorer in the RMF Knowledge Service (, you can create these spreadsheets simply by entering your system categorization levels for Confidentiality, Integrity and Availability.

The Security Controls spreadsheet has a row for each control and control enhancement in the baseline. The Assessment Procedures spreadsheet shows the “breakdown” of each control (or control enhancement) into one or more assessment objectives. Note that each assessment objective is also identified by a Control Correlation Identifier (CCI).

These spreadsheets can also be used to record the results of the tabletop review. At a minimum, there should be columns for:

  • Compliant, Non-compliant or NA
  • Responsibility
  • Implementation/justification
  • Documentation Reference

Strategy for Review

The general strategy for the review is to systematically go through each of the controls in the baseline (using the related assessment procedures as additional supporting material) and make a determination of applicability, responsibility, compliance, and documentation.

For each control (and/or control enhancement) in the baseline:

1. Understand the intent

Read and understand the general intent of the control. Take note of any Organization-defined Values that may need to be filled in (see below).

2. Assess inheritance

If your system is hosted at a data center or equivalent, determine if the control can be inherited. Your hosting site should be able to provide a list of controls you can inherit—typically these would include physical, environmental and network controls.

3. Assess overall applicability and responsibility

Determine if the control applies to your system. Certain controls reference specific technologies (e.g., wireless access or public website access) that may not be a part of your system. If the control is deemed “Not Applicable”, develop a short justification (typically a sentence or two).

If the control is deemed applicable, make a determination as to the individual or organization responsible for implementing/documenting it.

4. Review each Assessment Procedure (CCI) comprising the control

4a. Read and understand the general intent of the CCI; take note of any organization-defined values that are provided by DoD (typically in the form of a sentence beginning with “DoD has defined…”).

4b. Note any CCI that is considered “automatically compliant” by DoD.

4c. Determine applicability. In some cases, one or more CCIs may be NA even though the control as a whole is considered applicable.

4d. Is the capability reference by the CCI implemented within your system?

  • If YES, write a short statement (a sentence or two) explaining how the CCI is implemented within your system.
  • If NO, mark the CCI as “Non-compliant (not implemented)”; further action will be required to remediate or mitigate this finding.

4e. Is the capability referenced by the CCI documented in an existing Plan or SOP?

  • If YES, make note of the relevant document name and paragraph/section number (be as specific as possible).
  • If NO, mark the CCI as “Non-compliant (needs documentation)”; further action will be required to identify the relevant document and revise appropriately.

Expect to spend considerable time on the tabletop review, but do not allow yourself to get bogged down on a particular control or CCI. If responsibility or compliance cannot be readily determined, make a note of this and move on.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.