The advent of overlays and broken-out controls.
It may seem counterintuitive: simplifying an already onerous number of information assurance (IA) controls by increasing that number by some 40%. But that is what happened when compliance experts from a variety of three-letter agencies came together to create the "broken-out control set." By functionally decomposing the NIST SP 800-53 rev 4 controls, the 927 original controls became over 1,300.
The result? A package of IA controls that are more inheritable, easier to understand, and more applicable to specific elements of a given system.
That broken-out control set, or 800-53 Extended, creates more one-for-one comparisons between the controls required of the provider and receiver, for example, between a cloud service provider and customer. More specific individual controls are more easily and directly mapped, and thus more easily and directly inherited.
Compliance overlays for specific types of systems
Another way to simplify controls compliance is to layer a group of controls created for a specific type of system over a broadly applicable, or baseline, set of controls. Telos worked with the Intelligence Community (IC) to develop and support these overlays for systems such as those containing intelligence data or cross-domain solutions, as well as various unclassified requirements like High Value Assets (HVA) or Privacy. Many of these are available and can be configured or customized for Xacta users.
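The two mechanisms described above, decomposed ("broken-out") control parts that can be inherited one-for-one between a provider and a customer, and an overlay layered over a baseline set, can be modelled as a small data operation. The following Python is an added illustration, not Telos or Xacta code and not the real 800-53 Extended control set: the control identifiers, part texts, the "HVA" overlay and the provider responsibility list are constructed sample values, and the naming scheme `AC-2.a` for a decomposed part is an assumption made for the example.

```python
"""Toy model of broken-out controls, overlays and provider/customer inheritance.

All control IDs, part texts, overlay contents and provider responsibilities below
are constructed sample values for illustration; they are not the NIST SP 800-53
Extended set, an IC overlay, or any Telos/Xacta data.
"""
from collections import defaultdict

# Constructed baseline: two controls already decomposed into parts ("<control>.<part>").
BASELINE = {
    "AC-2.a": "Identify and select the types of accounts allowed",
    "AC-2.b": "Assign account managers for system accounts",
    "AC-2.c": "Establish conditions for group and role membership",
    "SC-7.a": "Monitor communications at the external system boundary",
    "SC-7.b": "Place publicly accessible components in separate subnetworks",
}

# Constructed overlay for a hypothetical system type. An overlay can add parts,
# remove parts that do not apply, and tailor the wording of parts that stay.
HVA_OVERLAY = {
    "add": {"SC-7.c": "Route external traffic through managed interfaces only"},
    "remove": ["AC-2.c"],
    "tailor": {
        "SC-7.a": "Monitor communications at the external system boundary, "
                  "with session capture",
    },
}

# Constructed list of parts a hypothetical cloud provider attests to implementing.
PROVIDER_PARTS = {"SC-7.a", "SC-7.b", "AC-2.b"}


def apply_overlay(baseline, overlay):
    """Layer an overlay over a baseline and return the applicable control parts."""
    applicable = dict(baseline)
    for part in overlay.get("remove", []):
        applicable.pop(part, None)          # removing an absent part is not an error
    applicable.update(overlay.get("add", {}))
    for part, text in overlay.get("tailor", {}).items():
        if part not in applicable:
            # Tailoring a part that is not in scope is an authoring mistake; fail loudly.
            raise KeyError(f"overlay tailors {part} but it is not in the applicable set")
        applicable[part] = text
    return applicable


def split_responsibility(applicable, provider_parts):
    """Map each applicable part one-for-one: inherited from the provider or customer-owned."""
    inherited = sorted(p for p in applicable if p in provider_parts)
    customer = sorted(p for p in applicable if p not in provider_parts)
    return inherited, customer


def whole_control_inheritance(applicable, provider_parts):
    """Without decomposition a whole control is inheritable only if every part is provided."""
    by_control = defaultdict(list)
    for part in applicable:
        by_control[part.split(".")[0]].append(part)
    return sorted(cid for cid, parts in by_control.items()
                  if all(p in provider_parts for p in parts))


def main():
    applicable = apply_overlay(BASELINE, HVA_OVERLAY)
    inherited, customer = split_responsibility(applicable, PROVIDER_PARTS)
    print("applicable parts:", sorted(applicable))
    print("inherited parts :", inherited)
    print("customer parts  :", customer)
    print("whole controls inheritable without decomposition:",
          whole_control_inheritance(applicable, PROVIDER_PARTS))


if __name__ == "__main__":
    main()
```

Run as a script, the model shows the point of decomposition: three of the five applicable parts are inherited directly, whereas at whole-control granularity neither AC-2 nor SC-7 could be inherited at all, because the provider covers only some parts of each.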
Value beyond the IC
Although pioneered within the IC using the NIST SP 800-53 controls, these approaches have broad application. The same can be accomplished for FedRAMP and even in commercial environments. NIST controls are widely adopted and can be mapped to various compliance paradigms. Having a plan to tackle IT risk and compliance activities is critical to success, and sometimes you have to take a completely different approach to make things easier and more digestible… even if it results in what initially looks like more work.