I’ve been thinking about SP 800-53 lately because almost all of our efforts in the information assurance world lately are revolving around a catalog of controls concept.

Advantages that you get with a catalog of controls:

• Standardization (Important when you’re dealing with auditors)
• A minimum level of due dilligence “across the board”
• Each control can have an objective/intent, implementation guidelines, and test cases to validate effectiveness
• Easy to score (my cynical readers can retort with “auditor checklist” any time now)
• Applicable to a workforce with varying degrees of training and ability (ie, you don’t all have to have PHDs in IA)

And the dark underbelly of a catalog of controls:

• People just do the bare minimum because that’s all they get credit for
• Controls still need to be tailored by highly-educated people
• Enforces a “one size fits all” mentality which doesn’t work in the real world
• Your security is not streamlined because you’re doing extra where you don’t need it and not enough where you do need it

If you had to recreate your own catalog of controls for internal and external use, how would you go about it?  Well, this is the approach that NIST used to make 800-53:

• Collect all the control requirements from the various applicable laws (FISMA, Privacy Act, etc)
• Collect all the control requirements from other applicable standards, policies, and procedures (PPD-63, OMB Memoranda)
• Collect best practices from vendors and experienced security managers
• Consider the control requirements from comparable control catalogs (27001, PCI, A-123, etc)
• Lump all the requirements together and take the high-water mark
• Add some housekeeping controls that have been implied to bridge the current-state with the desired-state (document your security controls, perform a formal risk assessment, etc)

So far, this all makes sense and is exactly how most of us would do it, right?  NIST even did us a HUGE favor and gave us a traceability matrix in the back of the book to show us where each control requirement came from.

Except for one thing:  this is a compliance-based model, and I’ve just described how to build your own compliance framework.  No, that wasn’t my intent to prove, I realized it as I recreated the process.

We live in a risk management world where what I really need to provide effective and adequate security is a control framework based on threat, risk, and countermeasure.  A catalog of controls does the first 2 for me, and what I end up with as the security practitioner downstream is just the list of countermeasures detatched from what we’re really trying to accomplish–the intent.

So there are 2 approaches that NIST took to minimize some of the negatives of the catalog of controls approach.  The first one is that they allow you to catagorize your system (FIPS-199) and pick a level of controls.  It’s not perfect by any means, but it does that first part of tailoring the controls into large, xtra-large, and jumbonormous-sized buckets so you can choose your own level of involvement.  Sadly, though, most often this process involves the managerial equivalent of throwing darts at a dartboard with H, M, and L written on it.  Yes, it’s easy, but the best thing you can do for security in the government is to pick the right size of security helping that you’re going to eat.

The second thing that NIST gives you is the ability to tailor your controls.  If you’re not doing business impact assessments for where you undershoot and overshoot the untailored 800-53 controls, you’re doing yourself a great injustice.

However, just like the compliance-driven model that it supports, a catalog of controls is only a 75% solution.  The geek in me cringes that we would be using a rock chisel for rocket surgery, but in effect that’s what we’ve done so far as an industry.  And yes, 75% is better than 0%, but it’s still 25% short of perfection.

Will our catalog of controls be around in 5 years?  I don’t know.  There might be other ways to do what we want to do, and I’m sure a couple bright and not-so-bright people would step forward with their opinions if you asked them.  I for one would like to see 2 control catalogs:  one based on the minimum level of compliance where you do not have an option to deviate (and kept very small), and a second catalog that breaks down into threat-risk-countermeasure tuples so that I can exclude controls based on the fact that the threat and subsequent risk does not exist.

After all, that’s the point of tailoring security controls:  to answer the age-old question “How much is enough?”

• Blow-By-Blow Commentary
• An Open Letter to NIST About SP 800-30
• Opportunity Costs and the 20 Critical Security Controls
• What the Government Looks for in a Product
• Special Publication 800-53 Revision 3 Workshop