CONTROL TAILORING
TASK S-2
Tailor the controls selected for the system and the environment of operation.
Potential Inputs: Initial control baselines; organization- and system-level risk assessment results; system element information; system component inventory; list of security and privacy requirements allocated to the system, system elements, and environment of operation; business impact analysis or criticality analysis; risk management strategy; organizational security and privacy policies; federal or organization-approved or mandated overlays.
Expected Outputs: List of tailored controls for the system and environment of operation (i.e., tailored control baselines).
Primary Responsibility: System Owner; Common Control Provider.
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; Information Owner or Steward; Systems Security Engineer; Privacy Engineer; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Development/Acquisition. Existing – Operations/Maintenance.
Discussion: After selecting the applicable control baselines, organizations tailor the controls based on various factors (e.g., missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance). The tailoring process includes identifying and designating common controls in the control baselines (see Task P-5); applying scoping considerations to the remaining baseline controls; selecting compensating controls, if needed; assigning values to organization-defined control parameters using either assignment or selection statements; supplementing baselines with additional controls; and providing specification information for control implementation.⁷⁷ Organizations determine the amount of detail to include in justifications or supporting rationale required for tailoring decisions. For example, the justification or supporting rationale for scoping decisions related to a high-impact system or high value asset⁷⁸ may necessitate greater specificity than similar decisions for a low-impact system. Such determinations are consistent with the organization’s missions and business functions; stakeholder needs; and any relevant laws, executive orders, regulations, directives, or policies. Controls related to the SDLC and SCRM provide the basis for determining whether an information system is fit-for-purpose⁷⁹ and need to be tailored accordingly.
Organizations use risk assessments to inform and guide the tailoring process. Threat information from security risk assessments provides information on adversary capabilities, intent, and targeting that may affect organizational decisions regarding the selection of security controls, including the associated costs and benefits. Privacy risk assessments, including the contextual factors therein, will also influence tailoring when an information system processes PII.⁸⁰ Risk assessment results are also leveraged when identifying common controls to determine if the controls available for inheritance meet the security and privacy requirements for the system and its environment of operation. When common controls provided by the organization do not provide adequate protection for the systems inheriting the controls, system owners can either supplement the common controls with system-specific or hybrid controls to achieve the required level of protection or recommend a greater acceptance of risk to the authorizing official. Organizations may also consider federally or organizationally directed or approved overlays, tailored baselines, or Cybersecurity Framework Profiles when tailoring controls (see Task P-4).
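The tailoring steps listed in the discussion (designating common controls, scoping, compensating controls, parameter assignment, supplementation, and recorded rationale) can be modeled as a checkable data transformation. The following Python is an added illustration, not part of SP 800-37 or any NIST tool: the baseline fragment, control statements, the hypothetical control identifier CC-1, the provider names, and the per-impact-level minimum justification lengths are all constructed assumptions standing in for an organization's own baseline and policy.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed, illustrative baseline fragment. Identifiers follow the SP 800-53
# family-number style, but the statements, parameters and baseline membership are
# simplified placeholders, not text copied from SP 800-53 or SP 800-53B.
BASELINE_MODERATE = {
    "AC-2": "Manage system accounts; review accounts every [Assignment: frequency].",
    "AC-18": "Establish configuration requirements for wireless access.",
    "AU-11": "Retain audit records for [Assignment: time period] to support investigations.",
    "PE-3": "Enforce physical access authorizations at [Assignment: entry/exit points].",
    "SC-8": "Protect the confidentiality and integrity of transmitted information.",
    "IA-5": "Manage authenticators ([Selection: passwords, tokens, biometrics]).",
}

# Matches organization-defined parameters written as assignment or selection statements.
PARAM_RE = re.compile(r"\[(Assignment|Selection):[^\]]*\]")

# Minimum rationale length per impact level: the text says scoping decisions on a
# high-impact system may need more specificity than on a low-impact one. The numbers
# are an assumed organizational policy choice, not from the page.
MIN_JUSTIFICATION_CHARS = {"low": 20, "moderate": 40, "high": 80}


@dataclass
class TailoredControl:
    control_id: str
    statement: str
    implementation: str                 # "system-specific", "common" or "hybrid"
    provider: Optional[str] = None      # common control provider, if inherited
    parameters: Dict[str, str] = field(default_factory=dict)
    specification: str = ""             # implementation detail for the implementer
    source: str = "baseline"            # "baseline", "compensating" or "supplement"


@dataclass
class TailoringDecision:
    action: str                         # "scope-out", "compensate" or "supplement"
    control_id: str
    justification: str
    replacement: Optional[TailoredControl] = None


def tailor(baseline, impact, common_controls, decisions, parameter_values):
    """Apply the Task S-2 tailoring steps and return (tailored_controls, findings).
    findings lists the problems an assessor would flag in the tailored baseline."""
    findings = []
    tailored = {cid: TailoredControl(cid, stmt, "system-specific")
                for cid, stmt in baseline.items()}

    # Step 1: designate common controls available for inheritance (see Task P-5).
    for cid, provider in common_controls.items():
        if cid in tailored:
            tailored[cid].implementation = "common"
            tailored[cid].provider = provider

    # Steps 2, 3 and 5: scoping, compensating controls and supplements, each with rationale.
    min_len = MIN_JUSTIFICATION_CHARS[impact]
    for d in decisions:
        if len(d.justification.strip()) < min_len:
            findings.append(f"{d.control_id}: {d.action} justification too brief for a {impact}-impact system")
        if d.action == "scope-out":
            if d.control_id not in tailored:
                findings.append(f"{d.control_id}: cannot scope out a control not in the baseline")
            else:
                del tailored[d.control_id]
        elif d.action in ("compensate", "supplement"):
            if d.replacement is None:
                findings.append(f"{d.control_id}: {d.action} decision names no control")
                continue
            if d.action == "compensate":
                tailored.pop(d.control_id, None)   # replaced by an equivalent control
            d.replacement.source = "compensating" if d.action == "compensate" else "supplement"
            tailored[d.replacement.control_id] = d.replacement

    # Step 4: resolve every assignment/selection statement; unassigned ones are findings.
    for cid, ctl in tailored.items():
        for m in PARAM_RE.finditer(ctl.statement):
            value = parameter_values.get(cid, {}).get(m.group(0))
            if value is None:
                findings.append(f"{cid}: unassigned parameter {m.group(0)}")
            else:
                ctl.parameters[m.group(0)] = value
        ctl.statement = PARAM_RE.sub(lambda m: ctl.parameters.get(m.group(0), m.group(0)), ctl.statement)
    return tailored, findings


def example_tailoring():
    """Constructed walkthrough for a hypothetical moderate-impact system."""
    common = {"PE-3": "Facilities common control provider (hypothetical)"}
    decisions = [
        TailoringDecision("scope-out", "AC-18",
                          "Scoping: the component inventory lists no wireless interfaces; "
                          "revisit this decision whenever the inventory changes."),
        TailoringDecision("compensate", "SC-8",
                          "Compensating: a legacy controller cannot encrypt its management link, "
                          "so the link is a dedicated, physically protected circuit with no other endpoints.",
                          replacement=TailoredControl("CC-1", "Dedicated protected circuit for the legacy link.",
                                                      "system-specific", specification="CC-1 is a hypothetical identifier.")),
        TailoringDecision("supplement", "SR-3",
                          "Supplement: the supply chain risk assessment identified a sole-source firmware vendor.",
                          replacement=TailoredControl("SR-3", "Establish supply chain controls for the firmware vendor.",
                                                      "hybrid", provider="Acquisition office (hypothetical)")),
    ]
    params = {
        "AC-2": {"[Assignment: frequency]": "quarterly"},
        "AU-11": {"[Assignment: time period]": "90 days"},
        "PE-3": {"[Assignment: entry/exit points]": "all data center doors"},
        # IA-5 is deliberately left unassigned to show the validation finding.
    }
    return tailor(BASELINE_MODERATE, "moderate", common, decisions, params)


if __name__ == "__main__":
    controls, problems = example_tailoring()
    for c in controls.values():
        print(f"{c.control_id:6} {c.implementation:16} {c.source:13} {c.statement}")
    print("findings:", problems)
```

The validation is the point of the model: a scoping or compensating decision without a rationale of the required depth, or a baseline control whose organization-defined parameter was never assigned, surfaces as a finding before the tailored baseline is handed to the implementers, which is where such gaps are cheapest to close.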
References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-53]; [SP 800-53B]; [SP 800-160 v1] (System Requirements Definition, Architecture Definition, and Design Definition Processes); [SP 800-161] (Respond and Chapter 3); [IR 8179]; [CNSSI 1253]; [NIST CSF] (Core [Identify, Protect, Detect, Respond, Recover Functions]; Profiles).
77 The tailoring process is fully described in [SP 800-53B].
78 For more information on high value assets, see [OMB M-19-03] and [OCIO HVA].
79 [ISO 15288] describes fit-for-purpose as an outcome from the validation process in the SDLC that demonstrates, through assessment of the services presented to the stakeholders, that the “right” system has been created and satisfies the customer need.
80 [IR 8062] provides a discussion of context and its function in a privacy risk model.