Professional Documents
Culture Documents
Attachment M
Version 11.0
August 5, 2014
5.5 September 30, 2007 Updated Excel spreadsheet named M – 800-53 Controls to include control
enhancements. Updated date and version number to coincide with current
Handbook.
7.1 June 21, 2010 Major update to Excel object to bring in line with NIST SP 800-53, Rev 3.
Combined both worksheets.
CONTENTS
1.0 Introduction ............................................................................................................................................................... 1
1.0 INTRODUCTION
National Institute of Standards and Technology (NIST) Federal Information
Processing Standards Publications (FIPS PUB) are standards adopted and
promulgated under the provisions of Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law (P.L.) 104-106, and the Federal
Information Security Management Act (FISMA) of 2002, P.L. 107-347.
DHS amplifies the FIPS PUB 199 high-water mark requirement to reflect actual
security requirements, a Department-level risk-based decision that is consistent
with FISMA policy, which requires Federal agencies to “cost-effectively reduce
information security risks to an acceptable level.” 1 The policy amplification is also
consistent with the NIST information security guidance that promotes the concept
of “risk-based decisions.”
1
FISMA §3544.(b)(2)(B)
Important note: As per NIST SP 800-53 guidance for tailoring the baseline controls:
2
NIST SP 800-53 Section 3.2, page 30.
3
NIST SP 800-53 Section 3.2, page 31, paragraph 2.
Considerations include:
- Mobility
- Public Access
• Security Objective
Security controls that support only one or two of the confidentiality, integrity,
or availability security objectives may be downgraded to the corresponding
control in a lower baseline (or modified or eliminated if not defined in a lower
baseline) only if the downgrading action:
1. Reflects the FIPS PUB 199 security category for the supported security
objective(s) before moving to the FIPS PUB 200 impact level (i.e., high-
water mark);
3. Does not adversely affect the level of protection for the security-
relevant information within the information system.
• Technology
• Mission Requirements
• Cross-domain services;
• Mobility;
• Classified information.
NIST SP 800-53
Tailoring.xlsx