TAILORING CRITERIA
Listing of moderate security control baseline and tailoring actions
This appendix from 800-171 (Appendix E) provides a complete listing of the security controls in the NIST Special Publication 800-53 moderate baseline, which is one of the sources, along with FIPS Publication 200, for the final CUI security requirements described in 800-171, Chapter Three.
800-171, Tables E-1 through E-17 contain the tailoring actions (by family) that have been carried out on the security controls in the moderate baseline in accordance with the tailoring criteria established by NIST and NARA. The tailoring actions facilitated the development of the CUI derived security requirements, which supplement the basic security requirements obtained from the security requirements in FIPS Publication 200.
There are three primary criteria for eliminating a security control or control enhancement from the moderate baseline:
| TAILORING SYMBOL | TAILORING CRITERIA |
|---|---|
| CUI | Basic or derived security requirement is reflected in and is traceable to the security control, control enhancement, or specific elements of the control/enhancement. |
| FED | The control or control enhancement is uniquely federal (FED) (i.e., primarily the responsibility of the federal government); |
| NCO | The control or control enhancement is not directly related to protecting the confidentiality of CUI; or |
| NFO | The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification. |