By Lon J. Berman, CISSP, RDRP
So, you’ve got your System Categorization completed and you’ve included any applicable overlays. You’ve reviewed all the resulting security controls to see if any of them should be marked Not Applicable, and, for those, you’ve written a justification. You’ve even gone through the security controls “catalog” in NIST SP 800-53 to see if there are any security controls that should be added to your baseline!
Good job! Your security control baseline is complete and ready for approval by your Authorizing Official.
Uh … not so fast! If you haven’t accounted for all the applicable Security Technical Implementation Guides (STIGs), your security control baseline may not be as complete as you thought.
As you probably know, there are STIGs that apply to numerous software components and processes within your system boundary, such as your operating systems (Windows, UNIX, etc.), database management systems (Oracle, SQL Server, etc.), web servers (Apache, Microsoft IIS, etc.), web browsers (Edge, Chrome, etc.)), commercial off-the-shelf software (COTS) products (Microsoft Office, Java, Microsoft .NET framework), network devices (firewalls, switches, etc.) and even software design/development (Application Security and Development, etc.).
Each STIG contains numerous (frequently hundreds) of individual items that may entail specific system settings or file permissions, system management processes, etc. Among the numerous pieces of information included with each STIG item is a “mapping” to a particular CCI (i.e., a sub-part of a security control). If that particular control is not currently part of your system’s security control baseline, it needs to be added!
So, until all STIGs are accounted for, you cannot state with confidence that your security control baseline is complete. Depending on your system categorization level and the number of applicable STIGs, you may find a substantial number of new controls will be added.
If your organization uses the eMASS tool to manage your RMF package, you are fortunate in this respect. If you are properly importing your
STIG checklists into eMASS, the required controls will be automatically added to your security control baseline. You will then need to go back into each of the added security controls and provide responses (and artifact references) for those parts (CCIs) of the new controls that were not automatically covered by the STIG item.
I know, you’re probably thinking “Oh, just what I needed … more security controls to deal with!” Alas, I hate being the bearer of bad news.
But I do have some good news. I just saved 15% on my car insurance by switching to… 🙂