NIEF Ideal Set of Security Controls for Systems with a LOW-LOW-LOW Risk Profile, v1.0

Ideal profile of security controls from NIST Special Publication 800-53 r4 for systems that need to operate at a LOW-LOW-LOW impact level, as recommended by NIEF. Pertains to systems that operate at LOW confidentiality, LOW integrity, and LOW availability. Includes all applicable security controls from NIST SP 800-53 r4, regardless of Priority level. Incorporates security control downgrading guidance, as appropriate, based on recommendations on page 35 of NIST SP 800-53 r4.
Identifier https://trustmark.nief.org/tpat/tips/nief-ideal-set-of-security-controls-for-systems-with-a-low-low-low-risk-profile/1.0/
Publication Date 2021-08-27
Issuing Organization
NIEF Support help@nief.org No telephone No Mailing Address
Keywords 800-53, Ideal, LOW-LOW-LOW, NIST, NIEF, Security
Legal Notice This document and the information contained herein is provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Trust Expression:

TIP_NIEFMinimalSetofSecurityControlsforSystemswithaLOWLOWLOWRiskProfile and TIP_ref1 and TIP_ref2 and TIP_ref3 and TIP_ref4 and TIP_ref5 and TIP_ref6 and TIP_ref7 and TIP_ref8 and TIP_ref9 and TIP_ref10 and TIP_ref11 and TIP_ref12 and TIP_ref13 and TIP_ref14 and TIP_ref15 and TIP_ref16 and TIP_ref17 and TIP_ref18 and TIP_ref19 and TIP_ref20 and TIP_ref21 and TIP_ref22 and TIP_ref23 and TIP_ref24 and TIP_ref25 and TIP_ref26 and TIP_ref27 and TIP_ref28 and TIP_ref29 and TIP_ref30 and TIP_ref31 and TIP_ref32 and TIP_ref33 and TIP_ref34 and TIP_ref35 and TIP_ref36 and TIP_ref37

References (38)

 TIP  NIEF Minimal Set of Security Controls for Systems with a LOW-LOW-LOW Risk Profile, v1.0
Description Minimal profile of security controls from NIST Special Publication 800-53 r4 for systems that need to operate at a LOW-LOW-LOW impact level, as recommended by NIEF. Pertains to systems that operate at LOW confidentiality, LOW integrity, and LOW availability. Includes only those applicable security controls from NIST SP 800-53 r4 that have been marked by NIST as Priority P1. Incorporates security control downgrading guidance, as appropriate, based on recommendations on page 35 of NIST SP 800-53 r4.
ID TIP_NIEFMinimalSetofSecurityControlsforSystemswithaLOWLOWLOWRiskProfile
 TIP  NIST SP 800-53 r4 Security Control AC-7: Unsuccessful Logon Attempts, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control AC-7: Unsuccessful Logon Attempts. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref1
 TIP  NIST SP 800-53 r4 Security Control AC-14: Permitted Actions Without Identification or Authentication, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control AC-14: Permitted Actions Without Identification or Authentication. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref2
 TIP  NIST SP 800-53 r4 Security Control AC-22: Publicly Accessible Content, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control AC-22: Publicly Accessible Content. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref3
 TIP  NIST SP 800-53 r4 Security Control AT-4: Security Training Records, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control AT-4: Security Training Records. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref4
 TIP  NIST SP 800-53 r4 Security Control AU-11: Audit Record Retention, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control AU-11: Audit Record Retention. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref5
 TIP  NIST SP 800-53 r4 Security Control CA-2: Security Assessments, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CA-2: Security Assessments. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref6
 TIP  NIST SP 800-53 r4 Security Control CA-5: Plan of Action and Milestones, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CA-5: Plan of Action and Milestones. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref7
 TIP  NIST SP 800-53 r4 Security Control CA-6: Security Authorization, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CA-6: Security Authorization. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref8
 TIP  NIST SP 800-53 r4 Security Control CA-7: Continuous Monitoring, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CA-7: Continuous Monitoring. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref9
 TIP  NIST SP 800-53 r4 Security Control CA-9: Internal System Connections, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CA-9: Internal System Connections. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref10
 TIP  NIST SP 800-53 r4 Security Control CM-4: Security Impact Analysis, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CM-4: Security Impact Analysis. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref11
 TIP  NIST SP 800-53 r4 Security Control CM-10: Software Usage Restrictions, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CM-10: Software Usage Restrictions. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref12
 TIP  NIST SP 800-53 r4 Security Control CP-3: Contingency Training, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CP-3: Contingency Training. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref13
 TIP  NIST SP 800-53 r4 Security Control CP-4: Contingency Plan Testing, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control CP-4: Contingency Plan Testing. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref14
 TIP  NIST SP 800-53 r4 Security Control IA-2 (1): Network Access to Privileged Accounts, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-2 (1): Network Access to Privileged Accounts. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref15
 TIP  NIST SP 800-53 r4 Security Control IA-2 (12): Acceptance of PIV Credentials, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-2 (12): Acceptance of PIV Credentials. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref16
 TIP  NIST SP 800-53 r4 Security Control IA-5 (1): Password-Based Authentication, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-5 (1): Password-Based Authentication. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref17
 TIP  NIST SP 800-53 r4 Security Control IA-5 (11): Hardware Token-Based Authentication, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-5 (11): Hardware Token-Based Authentication. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref18
 TIP  NIST SP 800-53 r4 Security Control IA-6: Authenticator Feedback, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-6: Authenticator Feedback. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref19
 TIP  NIST SP 800-53 r4 Security Control IA-8 (1): Acceptance of PIV Credentials from Other Agencies, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-8 (1): Acceptance of PIV Credentials from Other Agencies. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref20
 TIP  NIST SP 800-53 r4 Security Control IA-8 (2): Acceptance of Third-Party Credentials, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-8 (2): Acceptance of Third-Party Credentials. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref21
 TIP  NIST SP 800-53 r4 Security Control IA-8 (3): Use of FICAM-Approved Products, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-8 (3): Use of FICAM-Approved Products. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref22
 TIP  NIST SP 800-53 r4 Security Control IA-8 (4): Use of FICAM-Issued Profiles, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IA-8 (4): Use of FICAM-Issued Profiles. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref23
 TIP  NIST SP 800-53 r4 Security Control IR-2: Incident Response Training, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IR-2: Incident Response Training. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref24
 TIP  NIST SP 800-53 r4 Security Control IR-7: Incident Response Assistance, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control IR-7: Incident Response Assistance. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref25
 TIP  NIST SP 800-53 r4 Security Control MA-2: Controlled Maintenance, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control MA-2: Controlled Maintenance. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref26
 TIP  NIST SP 800-53 r4 Security Control MA-4: Nonlocal Maintenance, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control MA-4: Nonlocal Maintenance. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref27
 TIP  NIST SP 800-53 r4 Security Control MA-5: Maintenance Personnel, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control MA-5: Maintenance Personnel. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref28
 TIP  NIST SP 800-53 r4 Security Control PE-8: Visitor Access Records, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PE-8: Visitor Access Records. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref29
 TIP  NIST SP 800-53 r4 Security Control PE-16: Delivery and Removal, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PE-16: Delivery and Removal. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref30
 TIP  NIST SP 800-53 r4 Security Control PL-4: Rules of Behavior, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PL-4: Rules of Behavior. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref31
 TIP  NIST SP 800-53 r4 Security Control PS-5: Personnel Transfer, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PS-5: Personnel Transfer. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref32
 TIP  NIST SP 800-53 r4 Security Control PS-6: Access Agreements, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PS-6: Access Agreements. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref33
 TIP  NIST SP 800-53 r4 Security Control PS-8: Personnel Sanctions, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control PS-8: Personnel Sanctions. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref34
 TIP  NIST SP 800-53 r4 Security Control SA-4 (10): Use of Approved PIV Products, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control SA-4 (10): Use of Approved PIV Products. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref35
 TIP  NIST SP 800-53 r4 Security Control SA-5: Information System Documentation, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control SA-5: Information System Documentation. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref36
 TIP  NIST SP 800-53 r4 Security Control SI-12: Information Handling and Retention, v4
Description Profile of requirements corresponding to NIST Special Publication 800-53, r4, Security Control SI-12: Information Handling and Retention. Applicable to LOW impact, MODERATE impact, and HIGH impact systems.
ID TIP_ref37

Sources (1)

SP800-53R4 NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Includes updates as of 01-15-2014). Available at http://dx.doi.org/10.6028/NIST.SP.800-53r4.

Terms (1)

Term Name Abbreviations Definition
Null Term Null Just a spreadsheet test.