2.3: Methodology

Last updated
Save as PDF

Page ID: 84940

Thomas P. Dover
Butler County Community College

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

Special Publication 800-171r2 utilizes FIPS-200¹ and SP.800-53r5²as the basis for its recommended Security Requirements. FIPS-200 defines the minimal security requirements for Low, Medium and High-impact information systems as outlined in FIPS-199³. NIST SP.800-53r5 identifies twenty (20) ‘control families’. Control Families are security controls (applied to technology systems) which are operational, technical and management (i.e., administrative) safeguards used to protect the confidentiality, integrity and availability (CIA) of information systems and SP.800-171r2 utilizes a subset of these families. Control Families are groupings of security controls which address a specific security requirement. For example, Access Control deals with the methods, processes and/or procedures by which a user is granted access to a network or system.

SP.800-171r2 (and by association SP.800-172/172A) omits⁴ seven control families contained in SP.800-53r5 that are specific to the federal government. It uses the remaining 13 ‘control families’ but also incorporates a single, unique control family (Security Assessment). Together, these 14 control families form the basis for its one hundred ten (110) security-control requirements.

Table 1 displays SP.800-53r5 control families⁵. Those highlighted in gray/bold have been omitted from SP.800-171r2 security baseline requirements due to their unique ‘federal’ nature. Tailoring requirements in this manner makes application easier and results more accurate when applied to non-government sectors such as healthcare.

Access Control	Physical and Environmental Protection⁶
Assessment, Authorization and Monitoring	PII Processing and Transparency
Audit and Accountability	Planning
Awareness and Training	Program Management
Configuration Management	Risk Assessment
Contingency Planning	System and Services Acquisition
Identification and Authentication	*Security Assessment⁷
Incident Response	System and Communications Protection
Maintenance	System and Information Integrity
Media protection	Supply Chain Risk Management
Personnel Security

Table 1

[1] NIST Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. Released March, 2006

[2] NIST SP.800-53r5, Security and Privacy Controls for Information Systems and Organizations. Released August 2017. Final draft published March, 2020

[3] NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, NIST. Released February, 2004

[4] ]“…some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal agencies.” SP.800-171r2, p.3

[5] Note: Security Assessment is not an SP.800-53r5 control family. It is listed here for reference but is cited only in SP.800-171r2 and SP.800-172

[6] SP.800-171r2 cites this family as ‘Physical Protection’

[7] This control family is not included in SP.800-53r5 but is unique to SP.800-172. Reference only.