Introduction of the Risk Management Framework (RMF)
Managing Risk
Federal agencies are required to modernize their information technology infrastructure and
systems and recognize the increasing interconnectedness of federal information systems
and networks. Heads of agencies must manage risk at the agency level and across the
Executive Branch using the risk management and cybersecurity frameworks (more on this in
later weeks). Finally, a reinforcement of the Federal Information Security Modernization Act
(FISMA) of 2014 makes heads of agencies responsible and accountable for managing the
cybersecurity risk to their organizations.
A Comprehensive Roadmap
The National Institute of Standards and Technology (NIST) recently published an updated
Risk Management Framework (RMF), giving any organization a comprehensive roadmap to
seamlessly integrate cybersecurity, privacy, and supply-chain risk management processes.
Originally aimed at critical infrastructure and commercial organizations, the NIST RMF is
mandatory for federal agencies and for organizations handling federal data and information.
The keyword here is process: the NIST RMF offers a way to manage risk. Using the
RMF, an organization is able to create its own risk management strategy for managing (i.e.,
framing, assessing, responding to, and monitoring) risk and to delineate the boundaries for
risk-based decisions.
RMF Steps and NIST Publications
The RMF integrates security and risk management activities into the system development
life cycle. This risk-based approach to security control selection and specification considers
effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders,
policies, standards, or regulations. Several of the NIST Special Publications (SP) and
Federal Information Processing Standards (FIPS) are shown in the two outer rings (green
and blue) in Figure 1. The following activities related to managing organizational risk are
paramount to an effective information security program and can be applied to both new and
legacy systems.
As shown in the innermost white circle, the RMF prescribes a six-step process:
Step 1: Categorize System – define the environment and security property value.
Step 2: Select Controls – what are the appropriate controls and overlays.
Step 3: Implement Controls – define how controls are implemented.
Step 4: Assess Controls – determine if controls are effective and identify risks.
Step 5: Authorize System – risk-based decision to authorize system for use.
Step 6: Monitor Controls – monitor for on-going compliance and progress toward remediation.
Figure 1: RMF Steps and Associated NIST Publications
As depicted in Figure 1, there is also an important additional Prepare step for an
organization to effectively use the RMF process (Step 0). FIPS 199 describes how to
categorize an information system (Step 1). The FIPS 200 and NIST SP 800-53 documents
guide the selection of the appropriate set of controls and overlays (Step 2). An overlay is a
set of control customizations applicable to a group of organizations with common security
requirements such as Industrial Control Systems common in the utility, transportation,
chemical, pharmaceutical, process, and durable goods manufacturing industries. Multiple
additional NIST publications provide detail on how to implement controls (Step 3). The NIST
SP 800-53A shows how to assess the controls (Step 4). The NIST SP 800-37 describes the
system authorization which involves the acceptance, avoidance, mitigation or rejection of risk
from key decision-makers (Step 5). Also, numerous NIST SP publications including NIST
SP 800-137, NIST SP 800-37 and SP 800-53A specify how an organization monitors and
modifies the controls over time (Step 6). However, the RMF process can also be grouped
into phases.
RMF Phases vs. Steps
In addition to steps, the RMF process may also be viewed as four phases as shown in
Figure 2.
Figure 2: RMF Phases & Steps
Now, three of these phases (i.e., 2-Assess, 3-Authorize, and 4-Monitor) are equivalent to
the three steps (i.e., 4-Assess Controls, 5-Authorize System, and 6-Monitor Controls),
respectively. However, phase 1-Document encompasses the first three steps (i.e.,
1-Categorize System, 2-Select Controls, and 3-Implement Controls).
Although the Prepare step is missing, the yellow RMF region connecting each step and
aspects of the phase 1-Document may be seen as Step 0. Therefore, in this course, we will
cover each of the seven simplified steps (0-Prepare, 1-Categorize, 2-Select, 3-Implement, 4-
Assess, 5-Authorize, 6-Monitor) and one phase (1-Document), one each week.
A Strategic Imperative
The Office of Management and Budget (OMB) Circular A-130, Managing Information as a
Strategic Resource, addresses responsibilities for protecting federal information resources
and for managing Personally Identifiable Information (PII). It requires agencies to implement
the RMF and integrate privacy into the RMF process.
“While security and privacy are independent and separate disciplines, they are closely
related, and it is essential for agencies to take a coordinated approach to identifying and
managing security and privacy risks and complying with applicable requirements….”
Thus, it is important to understand the security-privacy relationship as illustrated in the Venn
diagram of Cybersecurity Risks and Privacy Risks in Figure 3.
Figure 3: Relationship Between Cybersecurity and Privacy Risks
Cybersecurity risks are those that arise from unauthorized system behavior, and privacy risks
are those that arise from authorized PII processing. At their intersection are the
cybersecurity risks involving PII; hence, the RMF process integrates both the security and
privacy controls for an organization.
8/14/2021
Risk Management Framework Overview
Now, to gain a deeper knowledge of the RMF characteristics, conceptual view, risk levels,
security-privacy relationship, control types, and six steps, examine these slides.
RMF Overview Slides
(https://worldclassroom.webster.edu/courses/1402302/files/65379908/download?wrap=1)
References
Managing Risk - https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
Videos - Introduction of the Risk Management Framework (RMF)
RMF Videos
View the following set of videos about RMF. All of the videos on this page include closed
captions. Click CC on each video to view the captions.
Key Aspects
This video (6:27) reviews the key aspects of the RMF process for organizations.
Overview - RMF
This next video (12:08) is an overview of RMF.
Video: What is Risk Management Framework NIST 800 37
RMF Examples
Lastly, watch this video (9:50) for useful examples from an RMF expert.
Now, let us examine Step 1: Categorize System even further.
Week 1: Categorize (Step 1)
Overview
The E-Government Act of 2002 (Public Law 107-347), called the Federal Information Security
Management Act (FISMA), recognized the importance of information security to the economic
and national security interests of the United States. This regulation directed the
promulgation of federal standards for information and information systems: 1) security
categorization and 2) minimum security requirements.
The first step, or starting point, in the risk management process is Categorize in Figure 1.
Figure 1: Risk Framework Steps
The purpose of the Categorize step is to inform organizational risk management processes
and tasks by determining the adverse impact to organizational operations and assets,
individuals, other organizations, and the Nation with respect to the loss of confidentiality,
integrity, and availability of organizational systems and the information processed, stored,
and transmitted by those systems. Let's take a look at the publication which describes how
to do security categorization - the Federal Information Processing Standard 199 (FIPS 199).
FIPS 199
First, the National Institute of Standards and Technology (NIST) was tasked with the
responsibility of developing standards to be used by all federal agencies to categorize all
information and information systems collected or maintained by or on behalf of each agency
based on the objectives of providing appropriate levels of information security according to a
range of risk levels. The FIPS 199 addresses this task of developing standards for
categorizing information and information systems. Security categorization standards for
information and information systems provide a common framework and understanding for
expressing security that, for the federal government, promotes (i) effective management and
oversight of information security programs and (ii) consistent reporting to the Office of
Management and Budget (OMB) and Congress.
Categorization
Security categories are based on the potential impact on an organization should certain
events occur which jeopardize the information and information systems needed by an
organization to accomplish its assigned mission, protect its assets, fulfill its legal
responsibilities, maintain day-to-day functions, and protect individuals. Combining security
categories with vulnerability and threat information allows assessing organizational risk.
Security Objectives
The three security objectives include the protection from the loss of:
1. Confidentiality - unauthorized disclosure of information.
2. Integrity - unauthorized modification or destruction of information.
3. Availability - disruption of access to or use of information or a system.
Federal agencies are required to assess their information systems in each of the above three
categories, rating each system as LOW, MODERATE or HIGH impact. The most severe
rating from any category becomes the information system's overall security categorization.
Potential Impact
There are three defined ratings of the potential impact on organizations or individuals should
there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). Their
application must take place within the context of each organization and the overall national
interest. Table 1 below shows the potential impact for each security objective. In a nutshell,
the operative words for LOW, MODERATE and HIGH ratings for all three security objectives
are limited, serious and severe or catastrophic adverse effect, respectively.
Table 1: Potential Impact for each Security Objective
Information and Information Types
An information type is a specific category of information such as privacy, medical,
proprietary, financial, investigative, contractor sensitive, security management defined by an
organization, or in some instances, by a specific law, executive order, directive, policy, or
regulation. Information is defined as an instance of an information type.
Applying Security Categorization to Information Types
The security category of an information type can be associated with both user information
and system information and can be applied to information in either electronic or non-
electronic form. It can also be used as input in considering the appropriate security category
of an information system.
The generalized format for expressing the Security Category (SC) of an information type is:
SC information type = {(Confidentiality, impact), (Integrity, impact), (Availability, impact)},
where the acceptable values for impact are LOW, MODERATE, HIGH, or NOT APPLICABLE (NA).
Security Categorization Examples
Three different security categorizations exist for an organization's public web server, a law
enforcement organization's investigative system, and a large contractor organization's
acquisition system. Once the impact rating for each security objective has been
determined, the entire information system is assigned the highest impact rating. For
example, a {LOW, NA, NA} results in a LOW system, a {MODERATE, LOW, NA} results in a
MODERATE system, and a {HIGH, MODERATE, LOW} results in a HIGH system.
Click on each example to read more and see the result.
Example - Public Web Server
First is an organization managing public information on its web server. The organization
determines that there is no potential impact from a loss of confidentiality (i.e.,
confidentiality requirements are not applicable), a moderate potential impact from a loss
of integrity, and a moderate potential impact from a loss of availability.
The resulting SC of this information type is expressed as:
SC public info = {(Confidentiality, NA), (Integrity, MODERATE), (Availability, MODERATE)}.
Therefore, the overall rating for the public web server is MODERATE.
Example - Law Enforcement Investigative System
Example - Contractor Acquisition System
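The categorization rule above carried through in code, added here as a worked example (it is not part of the course material or of FIPS 199 itself; the function names are my own). It builds the SC of an information type in the notation shown, rolls several information types up to a system with the high-water mark, and applies the FIPS 199 rule that NA is not used for a system's own objectives (a system's minimum per objective is LOW).

```python
"""FIPS 199 security categorization: per-information-type security categories,
the high-water-mark roll-up to a system, and the overall impact rating."""
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    # Ordered by severity so that max() implements the high-water mark.
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("Confidentiality", "Integrity", "Availability")
Category = Dict[str, Impact]


def security_category(confidentiality: Impact, integrity: Impact,
                      availability: Impact) -> Category:
    """SC of one information type: {(C, impact), (I, impact), (A, impact)}."""
    return dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))


def format_sc(name: str, category: Category) -> str:
    """Render a category in the FIPS 199 notation used in the text."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


def overall_rating(category: Category) -> Impact:
    """The most severe rating across the three objectives (high-water mark)."""
    return max(category[obj] for obj in OBJECTIVES)


def system_category(info_types: Mapping[str, Category]) -> Category:
    """Roll up every information type handled by a system.

    Per objective, take the highest impact across all information types.
    FIPS 199 does not permit NA for a system (as opposed to an information
    type): system-level functions always need at least LOW protection, so
    NA is raised to LOW here.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(Impact.LOW, max(cat[obj] for cat in info_types.values()))
            for obj in OBJECTIVES}


def categorize_public_web_server() -> Dict[str, object]:
    """Worked case from the text: public information on a web server."""
    public_info = security_category(Impact.NA, Impact.MODERATE, Impact.MODERATE)
    system = system_category({"public info": public_info})
    return {"type_sc": format_sc("public info", public_info),
            "system_sc": format_sc("public web server", system),
            "overall": overall_rating(system)}


if __name__ == "__main__":
    for key, value in categorize_public_web_server().items():
        print(f"{key}: {value}")
    # Constructed second case: the same server also hosts a contractor-sensitive
    # information type; the system inherits the highest rating per objective.
    mixed = system_category({
        "public info": security_category(Impact.NA, Impact.MODERATE, Impact.MODERATE),
        "contractor sensitive": security_category(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    })
    print(format_sc("mixed server", mixed), "->", overall_rating(mixed).name)
```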
References
Information regarding the Categorize Step - FIPS 199
(https://csrc.nist.gov/publications/detail/fips/199/final), 800-37r2
(https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final)
Week 1: Categorize (Step 1) Continued
Categorize Task List
To review, an abbreviated purpose of the Categorize step is to inform organizational risk
management processes and tasks by determining the adverse impact to organizational
operations and assets, individuals, other organizations, and the Nation. The following table
lists the tasks and expected outcomes for this step.
Table 2: Categorize Tasks and Outcomes

TASK C-1 SYSTEM DESCRIPTION
• The characteristics of the system are described and documented.

TASK C-2 SECURITY CATEGORIZATION
• A security categorization of the system, including the information processed by the
system represented by the organization-identified information types, is completed.
[Cybersecurity Framework: ID.AM-1; ID.AM-2; ID.AM-3; ID.AM-4; ID.AM-5]
• Security categorization results are documented in the security, privacy, and SCRM plans.
[Cybersecurity Framework: Profile]
• Security categorization results are consistent with the enterprise architecture and
commitment to protecting organizational missions, business functions, and
mission/business processes. [Cybersecurity Framework: Profile]
• Security categorization results reflect the organization’s risk management strategy.

TASK C-3 SECURITY CATEGORIZATION REVIEW AND APPROVAL
• The security categorization results are reviewed and the categorization decision is
approved by senior leaders in the organization.
Each task, potential inputs, expected outputs, primary responsibility, and additional
discussion follows.
Categorize Task Details
System Description: Task C-1 Document the characteristics of the system
Potential Inputs: System design and requirements documentation; authorization
boundary information; list of security and privacy requirements allocated to the
system, system elements, and the environment of operation; physical or other
processes controlled by system elements; system element information; system
component inventory; system element supply chain information, including inventory
and supplier information; security categorization; data map of the information life
cycle for information types processed, stored, and transmitted by the system;
information on system use, users, and roles.
Expected Outputs: Documented system description.
Primary Responsibility: System Owner.
Discussion: A description of the system characteristics is documented in the
security and privacy plans, included in attachments to the plans, or referenced in
other standard sources for the information generated as part of the SDLC.
Duplication of information is avoided, whenever possible. The level of detail in the
security and privacy plans is determined by the organization and is commensurate
with the security categorization and the security and privacy risk assessments of the
system. Information may be added to or updated in the system description as it
becomes available during the system life cycle, during the execution of the RMF
steps, and as any system characteristics change.
Security Categorization: Task C-2 Categorize the system and document the security
categorization results
Security Categorization Review & Approval: Task C-3 Review and approve the
security categorization results and decision
Videos of Categorize
Video: Risk Management Framework NIST 800 Step 1 Categorizat…
This video (2:26) explains what this step means for an organization wanting to get their
information system in the authorization-to-operate (ATO) status. Click CC to view captions
on the video.
This video (10:43) describes the Categorize step in more detail. Click CC to view captions on
the video.
The privacy and security control families are next.
Security and Privacy Control Families
Security and privacy controls are the safeguards or countermeasures prescribed for
protecting information systems and organizations. Selecting the right controls is important
to avoid major implications on operations and assets for individuals, the organization, and
the Nation. Fortunately, NIST has clearly delineated a set of control families for any
organization to use in the NIST SP 800-53 publication.
NIST SP 800-53 provides a catalog of security and privacy controls for federal information
systems and organizations and a process for selecting controls to protect organizational
operations (including mission, functions, image, and reputation), organizational assets,
individuals, other organizations, and the Nation from a diverse set of threats including hostile
cyber attacks, natural disasters, structural failures, and human errors. The controls are
customizable and implemented as part of an organization-wide process that manages
information security and privacy risk. To integrate the risk management process throughout
the organization and more effectively address mission/business concerns, a three-tiered
approach to addressing risk is employed, as shown in Figure 1.
Figure 1: Three-Tiered Risk Management Approach
Tier 1 provides a prioritization of organizational missions/business functions, which in turn
drives investment strategies and funding decisions. Tier 2 includes defining the
mission/business processes, determining security categories, incorporating security
requirements, and establishing an enterprise architecture. The risk management framework
(RMF) is the primary means for addressing risk at Tier 3.
The NIST SP 800-53 publication security controls focus on Step 2, the security control
selection process, in the context of this three-tier organizational risk management hierarchy.
The publication also describes how to develop specialized sets of controls, or overlays,
tailored for specific types of missions/business functions, technologies, or operational
environments. Finally, the catalog of security controls addresses security from both a
functionality perspective (the strength of security functions and mechanisms provided) and
an assurance perspective (the measures of confidence in the implemented security
capability). Addressing both security functionality and security assurance ensures that
information technology products and the information systems built from those products using
sound systems and security engineering principles are sufficiently trustworthy.
The twenty privacy and security control families are identified in Table 1.
Table 1: NIST Control Families

ID | Family
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Assessment, Authorization, & Monitoring
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IP | Individual Participation
IR | Incident Response
MA | Maintenance
MP | Media Protection
PA | Privacy Authorization
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System and Communications Protection
SI | System and Information Integrity
Each is categorized by identification (ID) and family name (Family). The number of controls
in each family varies from five (5) in AT Awareness and Training to forty-four (44) in SC
System and Communications Protection. But fear not: we will examine a set of families each
week to learn them all, except the ten (10) privacy-related controls and seven (7) control
enhancements in IP Individual Participation (6 controls, 5 enhancements) and PA Privacy
Authorization (4 controls, 2 enhancements), since these were neither defined in the NIST SP
800-53 Rev 4 publication nor included in the minimum requirements.
Grouping Control Families
The controls in each family may be grouped in various ways. Three different ways are
according to time, objective, and responsibility.
TIME GROUPING
One way to group controls is based on their time relative to a security incident or event.
These groupings are:
1) Preventative (before the event): intended to prevent an incident (e.g. lock out
unauthorized intruders);
2) Detective (during the event): intended to identify and characterize an incident (e.g. sound
intruder alarm and alert the security guards or police);
3) Corrective (after the event): intended to limit the extent of any damage (e.g. recover to
normal status as efficiently as possible).
OBJECTIVE GROUPING
A second way is to group by their objective or nature. Essentially, this is by their involvement
with people, technology, processes, or compliance:
1) Privacy: involves protections when processing sensitive information (e.g. privacy laws,
policies and clauses);
2) Management: involves strategic management of risk and information system security
(e.g. oversight, governance laws, regulations, and policies);
3) Operational: involves people and/or operational processes (e.g. incident response
processes, security awareness and training);
4) Technical: involves system hardware, software, or firmware (e.g. user authentication and
logical access controls, antivirus software, firewalls).
For example, a common grouping of the NIST control families could be privacy (AP, AR, DI,
DM, IP, SE, TR, UL), management (CA, PL, PM, RA, SA), operational (AT, CP, IR, MP, PE,
PS), and technical (AC, AU, CM, IA, MA, SC, SI) as shown in Figure 2. Hence, if most
controls in the family are of a certain nature, the family is grouped thusly. Note that in the
privacy group, only two families of AP (same as PA) and IP are defined by NIST; however,
the majority of other privacy controls (AR, DI, DM, SE, TR, and UL) are not.
Figure 2: Family Grouping by Control Objective
The RMF set of security controls is often separated into management, operational, and
technical controls. There is also a set of privacy controls. Of course, the privacy and
security controls overlap. Understanding this grouping will be important throughout this
course since it is a very practical way to view the NIST control families.
RESPONSIBILITY GROUPING
A third way is to group by responsibility:
1) Common: inheritable by multiple information systems, which receive protection from the
implemented control while the control itself is developed, implemented, assessed, authorized,
and monitored by another entity. Common controls may include technology-based controls (e.g.,
boundary protection, AC, IA) and cross-domain solution controls. Organizations assign
responsibility for common controls to appropriate officials, often called the Common Control
Provider.
2) System-specific: a set of security controls for a specific information system. The
primary responsibility is a System Owner and the Authorizing Official for a specific system.
3) Hybrid (shared): part common and part system-specific. The division may vary by
organization, depending on the types of information technologies employed, assignment of
responsibilities, and the methods used by the organization to manage its controls. The
sharing of the control responsibility is agreed upon in advance.
Understanding the NIST responsibility grouping is especially critical during the RMF select,
implement, assess, authorize, and monitor steps. The reason is that each control in the family
must be assigned according to who is responsible for it. If the control is missing or deficient,
then it is up to the responsible party to take timely remedial action to ensure the
authorization of the information system and maintain an acceptable risk determination for
organizational use.
Review - Slideshow
Review these slides to learn more about control applicability, families, structure, and
baselines.
Control Families Overview
(https://worldclassroom.webster.edu/courses/1402302/files/65379931/download?wrap=1)
Next, let's examine our first control family, namely PE!
Week 1: Physical and Environmental (PE)
Physical and Environmental (PE) Control Family
Baselines
We will now examine in detail the Physical and Environmental (PE) Protection Control Family
baselines, a set of 20 controls. The PE family is mostly operational controls.
The column headings from left to right include the control number (PE-1 to PE-20), control
name (unique), priority code (P0 to P3), and baselines (LOW, MODERATE, and HIGH
impact systems). The priority P1/P2/P3 means the control should be assigned to the
baseline 1st/2nd/3rd whereas P0 means do not assign to any baseline.
Table 1: Three Baselines for the PE Family

No.   | Control                                          | Priority | LOW   | MODERATE
PE-1  | Physical and Environmental Policy and Procedures | P1       | PE-1  | PE-1
PE-2  | Physical Access Authorizations                   | P1       | PE-2  | PE-2
PE-3  | Physical Access Control                          | P1       | PE-3  | PE-3
PE-4  | Access Control for Transmission Medium           | P1       |       | PE-4
PE-5  | Access Control for Output Devices                | P2       |       | PE-5
PE-6  | Monitoring Physical Access                       | P1       | PE-6  | PE-6 (1)
PE-7  | Visitor Control                                  |          |       |
PE-8  | Visitor Access Records                           | P3       | PE-8  | PE-8
PE-9  | Power Equipment and Cabling                      | P1       |       | PE-9
PE-10 | Emergency Shutoff                                | P1       |       | PE-10
PE-11 | Emergency Power                                  | P1       |       | PE-11
PE-12 | Emergency Lighting                               | P1       | PE-12 | PE-12
PE-13 | Fire Protection                                  | P1       | PE-13 | PE-13 (3)
PE-14 | Temperature and Humidity Controls                | P1       | PE-14 | PE-14
PE-15 | Water Damage Protection                          | P1       | PE-15 | PE-15
PE-16 | Delivery and Removal                             | P2       | PE-16 | PE-16
PE-17 | Alternate Work Site                              | P2       |       | PE-17
PE-18 | Location of Information System Components        | P3       |       |
PE-19 | Information Leakage                              | P0       |       |
PE-20 | Asset Monitoring and Tracking                    | P0       |       |

Each control number links to its NVD entry, https://nvd.nist.gov/800-53/Rev4/control/PE-1
through https://nvd.nist.gov/800-53/Rev4/control/PE-20; the two MODERATE enhancements link to
https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=moderate#enhancement-1 and
https://nvd.nist.gov/800-53/Rev4/control/PE-13?baseline=moderate#enhancement-3.
In terms of priority, out of 20 PE controls, there are 12 P1's (60%), 3 P2's (15%), 2 P3's
(10%), and 2 P0's (10%); hence, at most 17 controls (85%) are assignable to baselines in
Table 1.
Low baseline: 10 controls, PE_low_controls = {PE-1, PE-2, PE-3, PE-6, PE-8, PE-12, PE-13,
PE-14, PE-15, PE-16}, and zero control enhancements, PE_low_enhancements = {}, are selected.
Moderate baseline: 16 controls, PE_moderate_controls = PE_low_controls ∪ {PE-4, PE-5, PE-9,
PE-10, PE-11, PE-17}, and 2 control enhancements, PE_moderate_enhancements = {PE-6(1),
PE-13(3)}, are selected.
High baseline: 17 controls, PE_high_controls = PE_moderate_controls ∪ {PE-18}, and 9 control
enhancements, PE_high_enhancements = PE_moderate_enhancements ∪ {PE-3(1), PE-6(4), PE-8(1),
PE-11(1), PE-13(1), PE-13(2), PE-15(1)}, are selected.
The control PE-7 Visitor Control was withdrawn and incorporated into the PE-2 Physical
Access Authorization and PE-3 Physical Access Control controls. This makes sense since
properly authorizing and controlling the physical access of visitors achieves the desired
visitor control security objective. Also, note that NIST SP 800-53 revision 5 added PE-21
Electronic Pulse Detection and PE-22 Component Marking which have been excluded from
this example.
Anyway, as the potential impact rating goes from LOW to HIGH the number of controls
increases from 10 to 17 and the number of control enhancements increases from 0 to 9 as
shown in Table 2.
Table 2: Selected PE Controls/Enhancements by Baseline

Impact Baseline | # of Controls | # of Enhancements
LOW             | 10            | 0
MODERATE        | 16            | 2
HIGH            | 17            | 9
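The baseline set notation above, carried through as a runnable check. This is an added example, not code from the course page or from NIST, and the function names are my own. It builds each PE baseline cumulatively from the sets given in the text, reproduces the Table 2 counts, computes what a re-categorization from one baseline to a higher one adds, and flags a tailored selection that includes a P0 or withdrawn control or an enhancement whose parent control is not selected.

```python
"""NIST SP 800-53 Rev 4 baseline selection for the PE family."""
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Baseline(Enum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Priority codes from Table 1. PE-7 is withdrawn and carries no priority.
PE_PRIORITY: Dict[str, str] = {
    "PE-1": "P1", "PE-2": "P1", "PE-3": "P1", "PE-4": "P1", "PE-5": "P2",
    "PE-6": "P1", "PE-8": "P3", "PE-9": "P1", "PE-10": "P1", "PE-11": "P1",
    "PE-12": "P1", "PE-13": "P1", "PE-14": "P1", "PE-15": "P1", "PE-16": "P2",
    "PE-17": "P2", "PE-18": "P3", "PE-19": "P0", "PE-20": "P0",
}

# What each baseline adds on top of the one below it (the text's set notation).
ADDED_CONTROLS: Dict[Baseline, FrozenSet[str]] = {
    Baseline.LOW: frozenset({"PE-1", "PE-2", "PE-3", "PE-6", "PE-8", "PE-12",
                             "PE-13", "PE-14", "PE-15", "PE-16"}),
    Baseline.MODERATE: frozenset({"PE-4", "PE-5", "PE-9", "PE-10", "PE-11", "PE-17"}),
    Baseline.HIGH: frozenset({"PE-18"}),
}
ADDED_ENHANCEMENTS: Dict[Baseline, FrozenSet[str]] = {
    Baseline.LOW: frozenset(),
    Baseline.MODERATE: frozenset({"PE-6(1)", "PE-13(3)"}),
    Baseline.HIGH: frozenset({"PE-3(1)", "PE-6(4)", "PE-8(1)", "PE-11(1)",
                              "PE-13(1)", "PE-13(2)", "PE-15(1)"}),
}


def select_pe(baseline: Baseline) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Controls and enhancements selected for a baseline.

    Baselines are cumulative: MODERATE contains everything in LOW and HIGH
    everything in MODERATE, so LOW <= MODERATE <= HIGH as sets.
    """
    controls: set = set()
    enhancements: set = set()
    for level in Baseline:  # LOW, MODERATE, HIGH in definition order
        controls |= ADDED_CONTROLS[level]
        enhancements |= ADDED_ENHANCEMENTS[level]
        if level is baseline:
            break
    return frozenset(controls), frozenset(enhancements)


def baseline_counts() -> Dict[str, Tuple[int, int]]:
    """(# of controls, # of enhancements) per baseline, as in Table 2."""
    return {b.name: tuple(map(len, select_pe(b))) for b in Baseline}


def delta(current: Baseline, target: Baseline) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Extra controls and enhancements needed when a system is re-categorized
    from `current` to `target` (e.g. a MODERATE system that now handles HIGH data)."""
    cur_c, cur_e = select_pe(current)
    tgt_c, tgt_e = select_pe(target)
    return tgt_c - cur_c, tgt_e - cur_e


def consistency_issues(controls: Iterable[str], enhancements: Iterable[str]) -> List[str]:
    """Sanity checks for a (possibly tailored) selection:
    - a withdrawn control or a P0 control must never be selected;
    - an enhancement may only be selected if its parent control is.
    """
    selected = set(controls)
    issues = []
    for control in sorted(selected):
        if control not in PE_PRIORITY:
            issues.append(f"{control} is withdrawn or unknown and cannot be selected")
        elif PE_PRIORITY[control] == "P0":
            issues.append(f"{control} is P0 and must not be assigned to a baseline")
    for enh in sorted(enhancements):
        parent = enh.split("(")[0]
        if parent not in selected:
            issues.append(f"{enh} selected without its parent control {parent}")
    return issues


if __name__ == "__main__":
    for name, (n_controls, n_enh) in baseline_counts().items():
        print(f"{name:8s} controls={n_controls:2d} enhancements={n_enh}")
    added_c, added_e = delta(Baseline.MODERATE, Baseline.HIGH)
    print("MODERATE -> HIGH adds", sorted(added_c), sorted(added_e))
    # Constructed bad tailoring: withdrawn PE-7, P0 PE-19, orphan enhancement PE-6(1).
    print(consistency_issues({"PE-1", "PE-7", "PE-19"}, {"PE-6(1)"}))
```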
PE-1 Physical and Environmental Policy and Procedures
Let's take a deeper look at the PE-1 Physical and Environmental Policy and Procedures.
Now, the 1st control of nearly all control families requires policy and procedures. Each
control has five parts including the control description, the supplemental guidance, related
controls, control enhancements, and references.
For the PE-1 control description, the organization develops, documents, and disseminates to
[Assignment: organization-defined personnel or roles] the policies and procedures. The PE
policy addresses the purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance. The PE procedures facilitate the
implementation of the policy and associated protection controls. The organization also
reviews and updates the current policy and procedures on an [Assignment: organization-
defined frequency]. Note the two organization-specific assignment parameters for personnel
and frequency. For example, the assigned personnel may be all employees and frequency
annually.
The supplemental guidance is the establishment of policy and procedures for the effective
implementation of selected security controls and control enhancements in the PE family.
Policy and procedures reflect applicable federal laws, Executive Orders, directives,
regulations, policies, standards, and guidance. Security program policies and procedures at
the organization level may make the need for system-specific policies and procedures
unnecessary. The policy can be included as part of the general information security policy for
organizations or conversely, can be represented by multiple policies reflecting the complex
nature of certain organizations. The procedures can be established for the security program
in general and for particular information systems if needed. The organizational risk
management strategy is a key factor in establishing policies and procedures.
A related PE-1 control is PM-9 (https://nvd.nist.gov/view/800-53/Rev4/control?
controlName=PM-9) Risk Management Strategy. Hence, the strength of PE-1 depends on
how well this control is implemented. Lastly, there are no enhancements for PE-1; therefore,
let us examine the PE-6 Monitoring Physical Access control next which does have
enhancements.
PE-6 Control Enhancements (Monitoring Physical Access)
Now let's discuss the control enhancements of PE-6. The control PE-6 Monitoring Physical
Access is described as monitoring facility access and responding to incidents, reviewing
access logs, and coordinating results of reviews and investigations. The supplemental
guidance states to monitor publicly accessible areas using guards, video cameras or sensor
devices.
The PE-6 related controls include CA-7 (https://nvd.nist.gov/view/800-53/Rev4/control?
controlName=CA-7) Continuous Monitoring, IR-4 (https://nvd.nist.gov/view/800-
53/Rev4/control?controlName=IR-4) Incident Handling and IR-8
(https://nvd.nist.gov/view/800-53/Rev4/control?controlName=IR-8) Incident Response Plan.
Hence, the PE-6 controls depend on how well these three controls are implemented.
Four control enhancements will be discussed; however, only (1)
(https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=moderate#enhancement-1) and (4)
(https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=high#enhancement-4) are included in
the baselines. In Table 3, the column headings are the enhancement number, name, description,
related controls, and any organizational attributes.
Table 3: PE-6 HIGH Baseline Enhancements (excluding (2) and (3))

Enhancement Number | Name | Description | Related Controls
(1) | Intrusion Alarms and Surveillance Equipment | Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. | n/a
(2) | Automated Intrusion Recognition and Responses | Employ automated mechanisms to recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions]. | SI-4
(3) | Video Surveillance | Employ video surveillance of [Assignment: organization-defined operational areas] and retain video recordings for [Assignment: organization-defined time period]. | n/a
(4) | Monitoring Physical Access to Systems | Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. | PS-2, PS-3

Links: PE-6(1) https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=moderate#enhancement-1;
PE-6(4) https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=high#enhancement-4;
SI-4 https://nvd.nist.gov/800-53/Rev4/control/SI-4; PS-2 https://nvd.nist.gov/800-53/Rev4/control/PS-2;
PS-3 https://nvd.nist.gov/800-53/Rev4/control/PS-3.

PE-6(1) (https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=moderate#enhancement-1)
is required for the MODERATE baseline, and both PE-6(1) and PE-6(4)
(https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=high#enhancement-4) are required
for the HIGH baseline.
Click each tab to expand and read about the enhancements.
Enhancement 1 - PE-6 Intrusion Alarms & Surveillance Equipment
The first enhancement PE-6(1) (https://nvd.nist.gov/800-53/Rev4/control/PE-6?baseline=moderate#enhancement-1)
is simply the existence of an alarm system.
Enhancement 2 - PE-6 Automated Intrusion Recognition & Response
Enhancement 3 - PE-6 Video Surveillance
Enhancement 4 - PE-6 Monitoring Physical Access to Systems
Explore the on-line publications to more fully understand the remaining PE
(https://nvd.nist.gov/800-53/Rev4/family/Physical%20and%20Environmental%20Protection)
controls and control enhancements.
References
Information about PE families - 800-53r4 (https://csrc.nist.gov/publications/detail/sp/800-
53a/rev-4/final)