Security and privacy control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the designated security and privacy requirements.
An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information [OMB A-130].
Controls provide safeguards and countermeasures in systems security and privacy engineering processes to reduce risk during the system development life cycle.
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.
Controls are selected and implemented by the organization in order to satisfy the system requirements.
Controls can include administrative, technical, and physical aspects.
For ease of use in the security and privacy control selection and specification process, controls are organized into 20 families.
Of the 20 control families in NIST SP 800-53, 17 are aligned with the minimum security requirements in [FIPS 200].
The Program Management (PM), PII Processing and Transparency (PT), and Supply Chain Risk Management (SR) families address enterprise-level program management, privacy, and supply chain risk considerations pertaining to federal mandates emergent since [FIPS 200].
Security and privacy controls are selected and implemented to satisfy security and privacy requirements levied on a system or organization.
Security controls are the safeguards or countermeasures employed within a system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage information security risk.
Privacy controls are the administrative, technical, and physical safeguards employed within a system or an organization to manage privacy risks and to ensure compliance with applicable privacy requirements.
Security and privacy requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission needs to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy.
Information systems that have been designated as national security systems, as defined in 44 U.S.C., Section 3542, are not subject to the requirements in [FISMA]. However, the controls established in this publication may be selected for national security systems as otherwise required (e.g., the Privacy Act of 1974) or with the approval of federal officials exercising policy authority over such systems.
[CNSSP 22] and [CNSSI 1253] provide guidance for national security systems.
[DODI 8510.01] provides guidance for the Department of Defense.
Finally, the controls are independent of the process employed to select those controls. The control selection process can be part of:
an organization-wide risk management process,
a systems engineering process [SP 800-160-1],
the Risk Management Framework [SP 800-37],
the Cybersecurity Framework [NIST CSF], or
the Privacy Framework [NIST PF].
The control selection criteria can be guided and informed by many factors, including mission and business needs, stakeholder protection needs, threats, vulnerabilities, and requirements to comply with federal laws, executive orders, directives, regulations, policies, standards, and guidelines.
Control Implementation Approaches
There are three approaches to implementing the controls in Chapter Three:
(1) a common (inheritable) control implementation approach,
(2) a system-specific control implementation approach, and
(3) a hybrid control implementation approach.
The determination as to the appropriate control implementation approach (i.e., common, hybrid, or system-specific) is context-dependent.
Common controls are controls whose implementation results in a capability that is inheritable by multiple systems or programs.
System-specific controls are the primary responsibility of the system owner and the authorizing official for a given system.
Organizations can implement a control as hybrid if one part of the control is common (inheritable) and the other part is system-specific.
[SP 800-37] provides additional guidance on control implementation approaches (formerly referred to as control designations) and how the different approaches are used in the Risk Management Framework.
Trustworthiness, in this context, means worthy of being trusted to fulfill whatever requirements may be needed for a component, subsystem, system, network, application, mission, business function, enterprise, or other entity.
Two fundamental concepts that affect the trustworthiness of systems are functionality and assurance.
Functionality is defined in terms of the security and privacy features, functions, mechanisms, services, procedures, and architectures implemented within organizational systems and programs and the environments in which those systems and programs operate.
Assurance is the measure of confidence that the system functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system—thus possessing the capability to accurately mediate and enforce established security and privacy policies.