Friday, February 22, 2008

NIST it by that much redux.

Steve Lau's and my talk at Internet2, NIST It By That Much, is looking more perceptive by the day. The Department of Energy Office of the CIO has released hundreds of pages of new draft policy which, in my opinion, misunderstands NIST in precisely the way we described: it fails to recognize that the NIST documents create a baseline of controls from which you, as the system owner, are supposed to tailor your set of controls. NIST 800-53 is a baseline, not a set of minimum security standards for all systems.

The critical step in the NIST C&A process is "Tailoring the Baseline". This is where NIST moves from a set of well-founded but ultimately arbitrary checklists to something of value. When you tailor the baseline, you start with the prescribed NIST baseline, then use scoping guidance, compensating controls, and parameterization to create an initial tailored baseline. These three activities allow you to customize the set of controls for your environment. With that tailored baseline in mind, you assess the remaining residual risk. If that risk is unacceptable, you go back and tailor the baseline again.

The new DOE CIO policies attempt to turn 800-53 into a set of Minimum Security Standards across the Department of Energy. The problem is that 800-53 is not a set of minimum standards; it's a catalog of controls from which you adopt the ones that are right for your system and its level of risk. Unfortunately, the concept of a tailored baseline doesn't exist in these new documents.

More on tailoring:


1 Comment:

At May 24, 2008 10:51 AM , Blogger Just a Private Individual said...

Tailoring per the business or mission requirements is always the case, probably even at DOE. (If it's not, just sic your favorite OIG critter on the policy office.) With that said, flexibility on tailoring is typically constrained by a minimum nominal set of requirements expressed in policy as defaults. This is simply a matter of department-level governance.

As to the level at which tailoring occurs, policy belongs to the policy owner. Depending on DOE's security policy architecture, some things should be set department wide, some at the Bureau level, some at the individual business unit, some by the individual system's accreditation official.
