Multiple NIST standards allow for tailoring, i.e., changing the effect or prescriptive nature of a control based on a risk assessment of the specific vertical or other factors. NIST's configuration management guide (SP 800-128, Guide for Security-Focused Configuration Management of Information Systems) explicitly calls for the use of risk assessments to tailor baselines and configuration monitoring. This piece details how to modify secure baseline configurations to account for risk and improve efficiency.
Baseline Standards Aren’t Flexible
Across the entire world of information security, baselines are a fundamental concept. We use baselines for network traffic, social media engagement, configurations, plug-ins, downloaded software and everything else.
Most standards say organizations should create a secure baseline standard, and then use that to configure new machines and ensure old configurations remain secure.
However, most standards offer limited flexibility and lag behind current technology. How can security organizations be efficient, effective and make the most productive use of resources and budget, while still maintaining compliance with inflexible standards?
NIST Tailoring Control Guidelines
As per NIST, tailoring of controls and control implementations is allowed. For example, the discussion section of NIST SP 800-53 Rev. 5's PL-11, Baseline Tailoring, states:
The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B. Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA and PRIVACT. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.
Which systems and applications should be deployed with a secure baseline configuration? According to NIST 800-128, Section 3.2.2:
In the ideal environment, all IT products within an organization would be configured to the most secure state that still provided the functionality required by the organization. However, due to limited resources and other constraints, many organizations may find it necessary to prioritize which information systems, IT products, or [configuration items] to target first for secure configuration as they implement [secure configuration management].
Can we tailor controls and control implementations to individual entities or classes of entities? According to NIST 800-128, Appendix F, Best Practice 3:
Secure configuration settings are tailored to the system component's function. For example, a server acting as a Windows domain controller may require stricter auditing requirements (e.g., auditing successful and unsuccessful account logons) than a file server. A public access Web server in a DMZ may require that fewer services are running than in a Web server behind an organization's firewall supporting an intranet.
But how do we determine what the appropriate configuration is, and how do we measure which deviations are acceptable? According to NIST SP 800-53B, Section 2.4:
Organizations use risk management guidance to facilitate risk-based decision making regarding the applicability of the controls in the baselines. Ultimately, organizations employ the tailoring process to achieve cost-effective solutions that support organizational mission and business needs and provide security and privacy protections commensurate with risk. Organizations have the flexibility to tailor at the organization level for systems in support of a line of business or a mission or business process, at the individual system level, or by using a combination of the two. However, organizations do not arbitrarily remove security and privacy controls from baselines. Tailoring decisions are expected to be defensible based on mission and business needs, a sound rationale, and explicit risk-based determinations.
Risk-Based Assessment Steps
Effectively, you must perform a risk-based assessment of the item, entity, system, application or device. As long as the assessments are defensible and consistent, the tailoring should be acceptable to regulatory authorities, internal audit, etc.
From a step-by-step perspective:
- Assess the data classification of any data involved.
- Determine the actions the entity being configured must perform on the data, for example:
  - Read
  - Add
  - Modify
  - Delete
  - Read-only
- Perform a risk assessment of each action type combined with the data classification, and then determine what levels of monitoring, alerting, etc., must be performed for each resulting risk level.
- Once that matrix is generated, an appropriate tailoring of the baseline control for that system or application can be created.
Figure 1 shows a sample matrix, but you should generate one using your organization’s baselines, actions and data classification levels.
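The steps above, carried through in code as an added example (this is not code from the post or from any NIST publication). It builds the classification-by-action risk matrix, derives the tier for an entity from the riskiest action it performs, applies a floor so no control is removed arbitrarily, writes down every deviation from the untailored baseline as the rationale an auditor would ask for, and then checks an observed configuration against the tailored minimums, which is the "acceptable deviation" question from earlier. The classification levels, action weights, audit and retention settings and floor values are assumptions chosen for illustration (the audit-logon settings mirror the domain-controller versus file-server example quoted from SP 800-128); substitute your organization's own baselines, actions and classification levels.

```python
# Added illustration: the tiers, control settings and floor below are assumed
# values for demonstration, not NIST-prescribed ones.
from dataclasses import dataclass, field, replace
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Classification(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


class Action(IntEnum):
    READ = 1
    ADD = 2
    MODIFY = 3
    DELETE = 4


def risk_matrix() -> Dict[Tuple[Classification, Action], int]:
    """Risk tier 1..4 per (classification, action). Assumed scoring: the tier
    follows the classification and rises by one when data can be altered."""
    return {(c, a): min(4, int(c) + (1 if a >= Action.MODIFY else 0))
            for c in Classification for a in Action}


@dataclass(frozen=True)
class ControlLevel:
    """Monitoring and alerting settings applied at one risk tier."""
    audit_logon_success: bool
    audit_logon_failure: bool
    log_retention_days: int
    alert_on_change: bool


# Tier 4 is the untailored baseline; lower tiers relax it. Tier 1 (assumed)
# drops failure auditing entirely so the floor below has something to catch.
CONTROL_LEVELS = {
    1: ControlLevel(False, False, 30, False),
    2: ControlLevel(False, True, 90, False),
    3: ControlLevel(True, True, 180, True),
    4: ControlLevel(True, True, 365, True),
}
BASELINE = CONTROL_LEVELS[4]

# Minimums no tailoring may go below (assumed): controls are never removed
# arbitrarily, only relaxed to a documented, risk-based level.
FLOOR = {"audit_logon_failure": True, "log_retention_days": 60}


@dataclass
class TailoringRecord:
    system: str
    classification: Classification
    actions: FrozenSet[Action]
    tier: int
    settings: ControlLevel
    rationale: List[str] = field(default_factory=list)  # what the auditor reads


def tailor(system: str, classification: Classification,
           actions: FrozenSet[Action]) -> TailoringRecord:
    """Pick the tier from the riskiest action, apply the floor, log deviations."""
    if not actions:
        raise ValueError(f"{system}: no actions declared, tailoring is not defensible")
    matrix = risk_matrix()
    tiers = {a: matrix[(classification, a)] for a in actions}
    tier = max(tiers.values())  # the entity inherits its riskiest action
    drivers = sorted(a.name for a, t in tiers.items() if t == tier)
    settings = CONTROL_LEVELS[tier]
    rationale = [f"{classification.name} data, actions "
                 f"{sorted(a.name for a in actions)}: tier {tier} set by {drivers}"]
    for name, floor in FLOOR.items():  # False < True, so bools compare as minimums
        if getattr(settings, name) < floor:
            rationale.append(f"{name}: tier {tier} value {getattr(settings, name)} "
                             f"raised to floor {floor}")
            settings = replace(settings, **{name: floor})
    for name in vars(BASELINE):  # every deviation from the baseline is written down
        base, val = getattr(BASELINE, name), getattr(settings, name)
        if val != base:
            rationale.append(f"{name}: baseline {base} -> {val} (tier {tier})")
    return TailoringRecord(system, classification, frozenset(actions), tier,
                           settings, rationale)


def check_config(record: TailoringRecord, observed: ControlLevel) -> List[str]:
    """Weaker than the tailored setting is a finding; stricter is acceptable."""
    return [f"{record.system}: {name} is {getattr(observed, name)}, "
            f"tailored minimum is {getattr(record.settings, name)}"
            for name in vars(record.settings)
            if getattr(observed, name) < getattr(record.settings, name)]


if __name__ == "__main__":
    web = tailor("web-dmz", Classification.PUBLIC, frozenset({Action.READ}))
    print(web.tier, web.settings, *web.rationale, sep="\n")
    # Constructed observed config: 45-day retention is under the 60-day minimum
    print(check_config(web, ControlLevel(False, True, 45, False)))
```

Two design points carry the weight here. First, the floor is applied before deviations are recorded, so the rationale shows both that tier 1 tried to drop failure auditing and that the floor put it back; that is the "do not arbitrarily remove controls" sentence from SP 800-53B made mechanical. Second, `check_config` treats a stricter-than-tailored setting as acceptable and only a weaker one as a finding, which keeps monitoring from generating noise on systems that happen to run the full baseline.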
Avoid Data Overclassification
Many groups and people attempt to overclassify their data. This is done for a variety of reasons, from a need to inflate importance to an overabundance of caution. However, the time and money spent dealing with overclassified data and processes can be substantial, because every control the higher classification demands is then applied to data that does not warrant it. To avoid this, be detailed and carefully document every classification decision when determining which actions each entity can take and what set of controls to put on each level of data.
How to Risk-Tailor a Secure Baseline Configuration
Most standards allow for the tailoring of configuration baselines to account for risk. To ensure you tailor your baselines in a secure, defensible fashion:
- Build a policy: Define a repeatable process for tailoring controls and configurations.
- Use standardized metrics: Create a potential action list and data classification levels and map your security controls to those levels.
- Build a risk matrix: This will streamline your risk assessment process.
- Stay out of the weeds: Try to keep groups from overclassifying their data.
- Document, document, document: Defending a decision to an external regulatory auditor or an internal IT security auditor is far easier if the documentation is proper and complete.
Ready for NIST CSF 2.0? Attend our Webinar
With the announcement of the new NIST Cybersecurity Framework (CSF) 2.0, organizations need to revisit how they use the framework to connect with the business. Version 2.0 has expanded beyond the original framework's five functions and added a sixth, Govern.
Join our upcoming webinar: What's New in NIST Cybersecurity Framework 2.0, where IANS Faculty member Summer Fowler will provide an overview of the new framework functions, how to manage the transition and adoption guidance. Gain practical, real-world recommendations to help you understand the framework and communicate changes to leadership. Register today!
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.