The first step in selecting security controls for the information system is to choose an initial set of baseline security controls based on the impact level of the information system, as determined by the security categorization performed in step 1. The organization selects one of three sets of baseline security controls from the security control catalog in NIST SP 800-53 [20], corresponding to the low-impact, moderate-impact, or high-impact rating of the information system as described in NIST SP 800-53B [21]. Note that NIST forgoes the traditional security objectives of confidentiality, integrity, and availability used in FIPS 199 for system categorization and uses sensitivity and criticality instead. NISTIR 7298 r2 defines sensitivity as a “measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection” [22] and criticality as a “measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function” [23]. HITRUST subsequently correlates confidentiality (and privacy) requirements to sensitivity, and integrity and availability requirements to criticality.

After selecting the initial set of baseline security controls, the organization starts the tailoring process to appropriately modify and more closely align the controls with specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation). The tailoring process includes:

  • Applying scoping guidance to the initial baseline security controls to obtain a preliminary set of applicable controls for the tailored baseline;
  • Selecting (or specifying) compensating security controls, if needed, to adjust the preliminary set of controls to obtain an equivalent set deemed to be more feasible to implement; and
  • Specifying organization-defined parameters in the security controls via explicit assignment or selection of statements to complete the definition of the tailored baseline.

Although the security control selection process is generally focused on the information system, NIST states that the selection process is also applicable at the organizational and mission/business process levels. General guidance on applying the NIST RMF at these levels may be found in NIST SP 800-39 [24]. However, the tailoring process described in NIST SP 800-53B is neither prescriptive nor managed, which does little to guarantee that tailoring is performed consistently from one organization to the next or, more often than not, that tailoring is performed at all.
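The baseline selection and three-step tailoring process described above, modelled as an added example (this is not code from the paper, from HITRUST, or from NIST). The control catalog and the three nested baselines are constructed stand-ins with placeholder identifiers (CTL-1, CTL-1(1), and so on), not SP 800-53 controls; the point the example adds to the prose is that every scoping, compensating-control and parameter-assignment decision is recorded with a rationale and the tailored baseline is only reported complete once every organization-defined parameter has a value, which is the kind of check a managed tailoring process would impose.

```python
"""Baseline selection and tailoring per the RMF select step (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    """Impact level from the categorization step; it drives baseline selection."""
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    parameters: tuple[str, ...] = ()  # organization-defined parameter names


# Constructed stand-in catalog. The IDs are placeholders, not SP 800-53 controls.
CATALOG = {c.control_id: c for c in [
    Control("CTL-1", "Account management", ("review_frequency",)),
    Control("CTL-1(1)", "Automated account management"),
    Control("CTL-2", "Unsuccessful logon attempts", ("max_attempts", "lockout_period")),
    Control("CTL-3", "Audit log storage capacity"),
    Control("CTL-4", "Network monitoring"),
    Control("CTL-5", "Manual account review", ("review_frequency",)),  # catalog only
    Control("CTL-6", "Privileged session monitoring"),
]}

# Constructed baselines; each level builds on the one below it.
_LOW = frozenset({"CTL-1", "CTL-2", "CTL-3"})
_MODERATE = _LOW | {"CTL-1(1)", "CTL-4"}
_HIGH = _MODERATE | {"CTL-6"}
BASELINES = {Impact.LOW: _LOW, Impact.MODERATE: _MODERATE, Impact.HIGH: _HIGH}


def select_baseline(impact: Impact) -> frozenset:
    """Step one: pick the initial baseline matching the system's impact level."""
    return BASELINES[impact]


@dataclass
class Decision:
    action: str        # "scope_out", "compensate" or "assign_parameter"
    control_id: str
    rationale: str
    detail: str = ""


class TailoredBaseline:
    """Initial baseline plus an auditable log of every tailoring decision."""

    def __init__(self, impact: Impact):
        self.impact = impact
        self.controls = set(select_baseline(impact))
        self.values: dict = {}          # (control_id, parameter) -> assigned value
        self.log: list = []

    def _check(self, control_id: str, rationale: str) -> None:
        if not rationale.strip():
            raise ValueError("every tailoring decision needs a recorded rationale")
        if control_id not in self.controls:
            raise KeyError(f"{control_id} is not in the {self.impact.value} baseline")

    def scope_out(self, control_id: str, rationale: str) -> None:
        """Scoping: drop a baseline control that does not apply to this system."""
        self._check(control_id, rationale)
        self.controls.remove(control_id)
        # parameter values for a removed control no longer belong in the baseline
        self.values = {k: v for k, v in self.values.items() if k[0] != control_id}
        self.log.append(Decision("scope_out", control_id, rationale))

    def compensate(self, control_id: str, replacement_id: str, rationale: str) -> None:
        """Compensating control: swap a control for an equivalent one from the catalog."""
        self._check(control_id, rationale)
        if replacement_id not in CATALOG:
            raise KeyError(f"{replacement_id} is not in the control catalog")
        if replacement_id in self.controls:
            raise ValueError(f"{replacement_id} is already selected; it cannot compensate")
        self.controls.remove(control_id)
        self.controls.add(replacement_id)
        self.log.append(Decision("compensate", control_id, rationale, f"replaced by {replacement_id}"))

    def assign_parameter(self, control_id: str, name: str, value: str, rationale: str) -> None:
        """Parameter assignment: fill in one organization-defined parameter."""
        self._check(control_id, rationale)
        if name not in CATALOG[control_id].parameters:
            raise KeyError(f"{control_id} defines no parameter named {name}")
        self.values[(control_id, name)] = value
        self.log.append(Decision("assign_parameter", control_id, rationale, f"{name}={value}"))

    def unresolved_parameters(self) -> list:
        """Organization-defined parameters still lacking a value."""
        return sorted((cid, p) for cid in self.controls
                      for p in CATALOG[cid].parameters if (cid, p) not in self.values)

    def is_complete(self) -> bool:
        """The tailored baseline is defined only once every parameter is assigned."""
        return not self.unresolved_parameters()

    def audit_trail(self) -> list:
        return [f"{d.action} {d.control_id}: {d.rationale} ({d.detail})".replace(" ()", "")
                for d in self.log]


def tailor_example() -> TailoredBaseline:
    """Walk a constructed moderate-impact system through all three tailoring steps."""
    tb = TailoredBaseline(Impact.MODERATE)
    tb.scope_out("CTL-4", "isolated enclave with no network interface")
    tb.compensate("CTL-1(1)", "CTL-5", "legacy platform offers no automation hooks")
    for cid, name in tb.unresolved_parameters():           # still incomplete here
        tb.assign_parameter(cid, name, "30 days" if name != "max_attempts" else "5",
                            "organization policy")
    return tb
```

Calling `tailor_example().audit_trail()` yields one line per decision, so a reviewer can see why CTL-4 was scoped out and what replaced CTL-1(1); `is_complete()` stays false until the parameter loop has run, which is the check that distinguishes a finished tailored baseline from an initial one.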

In addition to those publications already addressed, related RMF publications include but are not necessarily limited to NIST SP 800-171 Rev. 2 [25] and NIST SP 800-172 [26].

[20] Joint Task Force, JTF (2020, Sep). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). Gaithersburg, MD: NIST.

[21] Joint Task Force, JTF (2020, Oct). Control Baselines for Information Systems and Organizations (NIST SP 800-53B). Gaithersburg, MD: NIST.

[22] NIST (2022b).

[23] Ibid.

[24] JTF TI (2011, Mar). Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39). Gaithersburg, MD: NIST.

[25] Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., and Guissanie, G. (2020, Feb). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 Rev. 2). Gaithersburg, MD: NIST.

[26] Ross, R., Pillitteri, V., Guissanie, G., Wagner, R., Graubart, R., and Bodeau, D. (2021, Feb). Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (NIST SP 800-172). Gaithersburg, MD: NIST.