By Lon J. Berman CISSP, RDRP
CNSSI 4009 defines Security Control Inheritance as “a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application”.
The typical example of inheritance is that of a web application or other information system hosted within a government data center. The data center has established physical, environmental and network security protections such as door locks, guards, power controls, temperature controls, network boundary security, etc. These types of controls will typically inure to the benefit of all the information systems hosted within that data center. Establishing a formal “inheritance relationship” for these controls enables the data center’s compliance to be leveraged by the hosted systems, thus simplifying the RMF effort for each hosted system.
Another example of inheritance is that of an organization’s “front office” that has put in place various policies intended for use by subordinate entities within the organization. Each of the information systems owned by the subordinate entities can inherit compliance with specific security controls based on the existence of those organizational-level policies.
In many of the NIST publications dealing with RMF, inheritable controls are also referred to as “common controls” and an organization offering up common controls for inheritance is referred to as a “common control provider”.
In order for a specific system (we’ll call it “System A”) to inherit controls from a common control provider, all of the following must be true:
1. The controls must be developed and implemented by an organization other than the system owner of “System A”
2. The controls must be implemented outside the authorization boundary of “System A”
3. There must be a formal agreement, such as a Memorandum of Agreement (MOA) or Service Level Agreement (SLA), in place between the system owner of “System A” and the provider
4. The provider must have been assessed and authorized in accordance with their department/agency’s RMF process; in other words, the common control provider needs to have Authorization to Operate (ATO)
Given requirement number 4, above, you might be wondering whether commercial Cloud Service Providers, such as Amazon, can function as common control providers. The answer is yes, because they do have government ATOs through federal programs such as FedRAMP (for federal civil agencies) and the “DISA provisional authorization” that essentially extends the concept of FedRAMP into DoD.
Security controls most often offered up for inheritance by common control providers are in the Physical and Environmental (PE), Media Protection (MP) and Maintenance (MA) families. Depending on the specific common control provider, additional controls in other families may also be available for inheritance. Early in the process of establishing a hosting relationship with a data center or cloud service provider, system owners should request the list of security controls available for inheritance.
It is important to understand that inherited controls are not considered “automatically compliant”. What “System A” will actually inherit is the compliance status (i.e., compliant or non-compliant) of each inherited control. Inherited controls that are considered non-compliant by the provider will also be considered as non-compliant for “System A” and must therefore be documented on the “System A” Plan of Action and Milestones (POA&M). In that case, it could be said that “System A” inherits the risk from the common control provider.
Implementation of some security controls is best accomplished by a combined effort between the common control provider and the hosted system owner. For example, many data centers (common control providers) offer data backup services to their hosted customers. The data center’s role includes deployment of enterprise backup hardware/software, logistical arrangements for transportation of off-site backup media, etc. The hosted system owner’s role includes installation and configuration of backup agent software, etc. To accommodate this scenario, common control providers can offer up hybrid controls for inheritance, in which both the common control provider and the hosted system owner have a role.