What Are CCIs and Why Should I Care About Them?

By Kathryn M. Farrish, CISSP

One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard identifier and description for “singular, actionable statements” that comprise a security control or security best practice.

The purpose of CCIs is to allow a high level statement made in a policy document (i.e., a security control) to be “decomposed” and explicitly associated with the low-level security settings that must be assessed to determine compliance with the objectives of that specific statement.

Under the leadership of the Defense Information Systems Agency (DISA), a working group has been cataloging CCIs for the past several years. The collection has now been developed to the point that every assessment objective in the NIST SP 800-53A has been mapped to an individual CCI.

The current list of CCIs can be downloaded in XML format (viewable in a web browser such as Internet Explorer). The URL for downloading is: https:// iase.disa.mil/stigs/cci/Pages/index.aspx.

DISA encourages feedback from the information security community; a comment form is provided for that purpose.

Here is an example of a CCI:

CCI: CCI-001239 Status: Draft Contributor: DISA FSO Date: 2009-09-22 Type: Technical Definition: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media or other common means or inserted through exploitation of information system vulnerabilities. References: NIST SP 800-53 SI-3.a NIST SP 800-53A SI-3.1(ii)

DISA is also in the process of revising numerous Security Technical Implementation Guides (STIGs) to include references to CCIs that correspond to each of the recommended configuration settings.

With the success of the CCI effort comes some hope that at least a portion of the effort associated with RMF assessment can be automated!

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.

Posted in: