Agencies have cybersecurity control flexibility, reminds DHS
The security controls catalogued in National Institute of Standards and Technology Special Publication 800-53 are not mandatory in every case, and should not be applied to the point where they interfere with business operations, the Homeland Security Department's National Cyber Security Division reminds federal agencies.
In its fiscal 2012 guidance to auditors (the inspectors general who must annually assess agency cybersecurity efforts under the Federal Information Security Management Act), the division notes that the NIST special publication itself states that "there is flexibility in how agencies apply the guidance."
Under FISMA, agencies perform risk assessments and choose controls listed in SP 800-53 so that the level of security applied is commensurate with the assessed risk.
However, there will be circumstances when it is not appropriate to apply every single control from the baseline (low, moderate or high) selected for a system, the division adds. As an example it cites the session lock control: a screen saver that locks the session after a set period of user inactivity on a computer.
That control "probably should not be used on computers in certain real-time control systems," the division notes, since it could disrupt the mission. Citing air traffic control as an instance, it says "it may not be advisable in this situation to use a screen saver."
Agencies may also forgo controls recommended in SP 800-53 altogether when alternative controls are more cost-effective and still achieve adequate security, the division adds, so long as they document a risk-based justification for choosing the alternative controls.
"There is considerable flexibility in the application (including choosing not to implement controls from relevant baselines) as long as it is done in a documented risk-based manner," it adds.
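The requirement that every departure from a baseline be documented and risk-based can be checked mechanically. The following is an added example, not code from DHS, NIST or the guidance document: it models a small slice of a control baseline, records one tailoring decision per control, and rejects any deviation that lacks a justification, an approving official, or a named compensating control that is itself implemented. AC-11 (Session Lock) and PE-3 (Physical Access Control) are real SP 800-53 identifiers; the baseline membership and the air traffic control scenario are constructed for illustration, and the data model is an assumption of this example.

```python
"""Added example: validate that SP 800-53 baseline tailoring is documented.

Hypothetical data model; not DHS, NIST or FISMA tooling.
"""
from dataclasses import dataclass, field

# Constructed sample baseline: a few identifiers only, not a real baseline.
MODERATE_BASELINE = {"AC-2", "AC-7", "AC-11", "AU-2", "PE-3"}

VALID_ACTIONS = {"implement", "compensate", "not_applicable"}


@dataclass
class Decision:
    """One tailoring decision for one baseline control."""
    control: str
    action: str                       # implement | compensate | not_applicable
    justification: str = ""           # risk-based rationale for any deviation
    compensating: list[str] = field(default_factory=list)
    approver: str = ""                # official accepting the residual risk


def validate_tailoring(baseline, decisions):
    """Return a list of findings; an empty list means the tailoring is documented."""
    errors = []
    by_control = {}
    for d in decisions:
        if d.control in by_control:
            errors.append(f"{d.control}: duplicate decision")
        by_control[d.control] = d

    for ctl in sorted(baseline):
        d = by_control.get(ctl)
        if d is None:
            errors.append(f"{ctl}: no tailoring decision recorded")
            continue
        if d.action not in VALID_ACTIONS:
            errors.append(f"{ctl}: unknown action {d.action!r}")
            continue
        if d.action == "implement":
            continue
        # Any deviation from the baseline must be justified and signed off.
        if not d.justification.strip():
            errors.append(f"{ctl}: {d.action} without a risk-based justification")
        if not d.approver.strip():
            errors.append(f"{ctl}: {d.action} without an approving official")
        if d.action == "compensate":
            if not d.compensating:
                errors.append(f"{ctl}: compensate without naming a compensating control")
            for comp in d.compensating:
                cd = by_control.get(comp)
                if cd is None or cd.action != "implement":
                    errors.append(f"{ctl}: compensating control {comp} is not implemented")
    return errors


# Constructed scenario: session lock replaced by physical access control on an
# operations floor where a screen saver could blank a live display.
ATC_DECISIONS = [
    Decision("AC-2", "implement"),
    Decision("AC-7", "implement"),
    Decision("AU-2", "implement"),
    Decision("PE-3", "implement"),
    Decision(
        "AC-11", "compensate",
        justification=("Inactivity-triggered session lock could blank a controller's "
                       "display mid-operation; controlled physical access to the "
                       "operations floor limits who can reach an unlocked console."),
        compensating=["PE-3"],
        approver="Authorizing Official",
    ),
]

# Same deviation with the paperwork left out.
UNDOCUMENTED_DECISIONS = ATC_DECISIONS[:4] + [
    Decision("AC-11", "compensate", compensating=["PE-3"]),
]


def check_documented():
    return validate_tailoring(MODERATE_BASELINE, ATC_DECISIONS)


def check_undocumented():
    return validate_tailoring(MODERATE_BASELINE, UNDOCUMENTED_DECISIONS)


if __name__ == "__main__":
    print("documented:", check_documented() or "OK")
    print("undocumented:", check_undocumented())
```

The validator deliberately treats "not applicable" the same way as a compensating control: dropping a control from a baseline is a risk decision that needs a written rationale and an owner, which is exactly the condition the guidance attaches to the flexibility it describes.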
- download the fiscal 2012 National Cyber Security Division inspector general FISMA reporting metrics document (.pdf)