Skip to main content
Engineering LibreTexts

2.3: Methodology

  • Page ID
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \)

    \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)

    \( \newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\)

    ( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\)

    \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\)

    \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\)

    \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\)

    \( \newcommand{\Span}{\mathrm{span}}\)

    \( \newcommand{\id}{\mathrm{id}}\)

    \( \newcommand{\Span}{\mathrm{span}}\)

    \( \newcommand{\kernel}{\mathrm{null}\,}\)

    \( \newcommand{\range}{\mathrm{range}\,}\)

    \( \newcommand{\RealPart}{\mathrm{Re}}\)

    \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\)

    \( \newcommand{\Argument}{\mathrm{Arg}}\)

    \( \newcommand{\norm}[1]{\| #1 \|}\)

    \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\)

    \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\AA}{\unicode[.8,0]{x212B}}\)

    \( \newcommand{\vectorA}[1]{\vec{#1}}      % arrow\)

    \( \newcommand{\vectorAt}[1]{\vec{\text{#1}}}      % arrow\)

    \( \newcommand{\vectorB}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \)

    \( \newcommand{\vectorC}[1]{\textbf{#1}} \)

    \( \newcommand{\vectorD}[1]{\overrightarrow{#1}} \)

    \( \newcommand{\vectorDt}[1]{\overrightarrow{\text{#1}}} \)

    \( \newcommand{\vectE}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash{\mathbf {#1}}}} \)

    \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \)

    \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)

    Special Publication 800-171r2 utilizes FIPS-2001 and SP.800-53r52 as the basis for its recommended Security Requirements. FIPS-200 defines the minimal security requirements for Low, Medium and High-impact information systems as outlined in FIPS-1993. NIST SP.800-53r5 identifies twenty (20) ‘control families’. Control Families are security controls (applied to technology systems) which are operational, technical and management (i.e., administrative) safeguards used to protect the confidentiality, integrity and availability (CIA) of information systems and SP.800-171r2 utilizes a subset of these families. Control Families are groupings of security controls which address a specific security requirement. For example, Access Control deals with the methods, processes and/or procedures by which a user is granted access to a network or system.

    SP.800-171r2 (and by association SP.800-172/172A) omits4 seven control families contained in SP.800-53r5 that are specific to the federal government. It uses the remaining 13 ‘control families’ but also incorporates a single, unique control family (Security Assessment). Together, these 14 control families form the basis for its one hundred ten (110) security-control requirements.

    Table 1 displays SP.800-53r5 control families5. Those highlighted in gray/bold have been omitted from SP.800-171r2 security baseline requirements due to their unique ‘federal’ nature. Tailoring requirements in this manner makes application easier and results more accurate when applied to non-government sectors such as healthcare.

    Access Control

    Physical and Environmental Protection6

    Assessment, Authorization and Monitoring

    PII Processing and Transparency

    Audit and Accountability


    Awareness and Training

    Program Management

    Configuration Management

    Risk Assessment

    Contingency Planning

    System and Services Acquisition

    Identification and Authentication

    *Security Assessment7

    Incident Response

    System and Communications Protection


    System and Information Integrity

    Media protection

    Supply Chain Risk Management

    Personnel Security


    Table 1

    [1] NIST Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. Released March, 2006

    [2] NIST SP.800-53r5, Security and Privacy Controls for Information Systems and Organizations. Released August 2017. Final draft published March, 2020

    [3] NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, NIST. Released February, 2004

    [4] ]“…some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal agencies.” SP.800-171r2, p.3

    [5] Note: Security Assessment is not an SP.800-53r5 control family. It is listed here for reference but is cited only in SP.800-171r2 and SP.800-172

    [6] SP.800-171r2 cites this family as ‘Physical Protection’

    [7] This control family is not included in SP.800-53r5 but is unique to SP.800-172. Reference only.

    This page titled 2.3: Methodology is shared under a CC BY-NC 4.0 license and was authored, remixed, and/or curated by Thomas P. Dover.

    • Was this article helpful?