ORGANIZATIONALLY-TAILORED CONTROL BASELINES AND CYBERSECURITY FRAMEWORK PROFILES (Optional)
Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.
Potential Inputs: Documented security and privacy requirements directing the use of organizationally- tailored control baselines; mission or business objectives; enterprise architecture; security architecture; privacy architecture; organization- and system-level risk assessment results; list of common control providers and common controls available for inheritance; NIST Special Publication 800-53B control baselines. 56
Expected Outputs: List of approved or directed organizationally-tailored control baselines; [NIST CSF] Profiles.
Primary Responsibility: Mission or Business Owner; Senior Accountable Official for Risk Management or Risk Executive (Function).
Supporting Roles: Chief Information Officer; Authorizing Official or Authorizing Official Designated Representative; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Discussion: To address the organizational mission or business need for specialized sets of controls to reduce risk, organizationally-tailored control baselines may be developed for organization-wide use.57 An organizationally-tailored baseline provides a fully specified set of controls, control enhancements, and supplemental guidance derived from established control baselines described in [SP 800-53B]. The tailoring process can also be guided and informed by the requirements engineering process described in [SP 800- 160 v1]. Organizations can use the tailored control baseline concept when there is divergence from the specific assumptions used to create the initial control baselines in [SP 800-53B]. This would include, for example, situations when the organization has specific security or privacy risks, has specific mission or business needs, or plans to operate in environments that are not addressed in the initial baselines.
Organizationally-tailored baselines and overlays complement the NIST control baselines by providing an opportunity to add or eliminate controls to accommodate organizational requirements while continuing to protect information commensurate with risk. Organizations can use tailored baselines and overlays to customize control baselines by describing control applicability and by providing interpretations for specific technologies; types of missions or business functions, operations, systems, environments of operation, and operating modes; and statutory or regulatory requirements. Multiple customized baselines may be useful for organizations with heterogeneous systems (e.g., organizations that maintain systems with different operating or processing characteristics, or mission or business characteristics).
Organizationally-tailored baselines can establish organization-defined control parameter values for assignment or selection statements in controls and control enhancements that are agreeable to specific communities of interest and can also extend the supplemental guidance where necessary. Tailored baselines may be more stringent or less stringent than the baselines identified in [SP 800-53B] and are applied to multiple systems.
Tailored baselines developed outside the organization may also be mandated for use by certain laws, executive orders, directives, regulations, policies, or standards. In some situations, tailoring actions may be restricted or limited by the developer of the tailored baseline or by the issuing authority for the tailored baseline. Tailored baselines (or overlays) have been developed by communities of interest for cloud and shared systems, services, and applications; industrial control systems; privacy; national security systems; weapons and space-based systems; high value assets;58 mobile device management; federal public key infrastructure; and privacy risks.
Organizations may also benefit from developing one or more Cybersecurity Framework Profiles. A Cybersecurity Framework Profile uses the Subcategories in the Framework Core to align cybersecurity outcomes with mission or business requirements, risk tolerance, and resources of the organization.59 The prioritized list of cybersecurity outcomes developed at the organization and mission/business process levels can be helpful in facilitating consistent, risk-based decisions at the system level. The Subcategories identified in the applicable Cybersecurity Framework Profiles can also be used to guide and inform the development of the tailored control baselines described above.
References: [SP 800-53]; [SP 800-53B]; [SP 800-160 v1] (Business or Mission Analysis and Stakeholder Needs and Requirements Definition Processes); [NIST CSF] (Core, Profiles).
56 NIST Special Publication 800-53 (Revision 5), separates the control catalog from the control baselines that have been included historically in that publication. A new companion publication, NIST Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations defines the recommended baselines. NIST Special Publication 800-53B is referenced throughout the RMF in the relevant tasks.
57 Tailored control baselines may also be referred to as overlays. An organizationally-tailored control baseline is analogous to an organization-wide overlay since an overlay is a tailored baseline that services a community of interest, in this case, the organization.
58 See [OMB M-19-03].
59 See [NIST CSF], Section 2.3. ***