Security Control Spotlight: A Little Good News?

Article by Kathryn Farrish, CISSP

Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM):

Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?”

Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”. There are about 400 Security Controls in our baseline, and these break down into a little over 1,600 CCIs (Control Correlation Identifiers, roughly equivalent to assessment objectives).”

Edward: “So we need implementation statements and documentation artifacts supporting 1,600 items?”

Christine: “I’m afraid so. But I do have good news. I just saved 15% on my car insurance…………..”

Oh, wait, wrong dialog. What she really said was:

Christine: “I’m afraid so. But I do have good news. About 25% of those have been declared ‘automatically compliant’ by DoD!”

Automatically compliant?” What exactly does that mean? Simply put, it means that every DoD system is compliant by virtue of an existing policy or procedure at the DoD level.

Let’s look at a couple of examples:

CCI-000101 (part of security control AT-1) states: “The organization disseminates a security awareness and training policy to organization-defined personnel or roles.” The DoD-provided assessment procedure for this CCI states: “DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.” In other words, the existence of the DoD-level policy gives Security Control Spotlight—A Little Good News? By Kathryn M. Farrish, CISSP every DoD system an automatic “pass” on this CCI.

CCI-000348 (part of control enhancement CM -5(2)) states: “The organization defines a frequency to conduct reviews of information system changes.” The DoD-provided assessment procedure for this CCI states: “The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems.” In other words, the existence of DoD-mandated minimum review frequencies gives every DoD system an automatic “pass”.

In most cases, only one or two of the CCIs associated with a particular control will be automatically compliant. The system owner will still be responsible for implementation and documentation artifacts to address the remainder of the control.

Even after subtracting the automatically compliant items, there is still a frighteningly large number of items that must be addressed by the system owner. Still, we’ll take any “freebies” we can get!

Just for fun, here are the statistics on automatic compliance for a few of the possible system categorizations:

Moderate-Moderate-Moderate system:

  • 403 controls/enhancements
  • 1,631 CCIs total
  • 426 automatically compliant CCIs (26%)

Moderate-Moderate-Low system:

  • 381 controls/enhancements
  • 1,584 CCIs total
  • 419 automatically compliant CCIs (26%)

Low-Low-Low system:

  • 310 controls/enhancements
  • 1,376 CCIs total
  • 388 automatically compliant CCIs (28%)

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.