
NIST Risk Mitigation Framework and Lower-Level Controls

June 7, 2021

Understanding how NIST Risk Mitigation Framework and Lower-Level Controls can keep you on track!

With lower-level technical controls, companies can create secure, resilient environments. However, they need to continuously monitor these controls and update them for a dynamic security posture. Managing security configurations is complex because updating them runs the risk of introducing problems that did not exist within the previous configuration. Understanding how lower-level controls help a company meet the requirements established in the National Institute of Standards and Technology Risk Mitigation Framework (NIST RMF) while maintaining your environment’s operational and technical integrity can mitigate data breach risks and enhance security.

Where do lower-level controls fit into the NIST RMF?

Although the NIST RMF doesn’t specifically discuss lower-level controls, many of the resources cross-referenced in it do. For example, the NIST RMF references NIST Special Publication (SP) 800-53, which establishes the control families, and NIST SP 800-160, which outlines the criteria for systems security engineering.

According to NIST SP 800-160, Systems Security Engineering Outcomes should include:

  • Defining the security aspects of the configuration management strategy
  • Identifying and managing the security aspect of configuration items
  • Including configuration baseline in the security criteria
  • Securely controlling changes to items under configuration management
  • Including security criteria into completed configuration audits
  • Controlling and approving security aspects of system releases and deliveries

Fundamentally, the way to meet the NIST RMF high-level control requirements is to manage the security configurations and engage in system hardening.

While keeping your organization’s risk tolerance in mind, you need to establish a security baseline to ensure continued system, software, hardware, and firmware integrity as a way to support maintaining confidentiality. Your information and system categorization, risk assessment, and risk tolerance act as the foundation for how you maintain your lower-level control baselines, including the exceptions or waivers that you’re willing to accept.

Managing Lower-Level Technical Controls

NIST refers to lower-level technical controls as “checklists,” and these can include the CIS Benchmarks and Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Additionally, NIST collects all the checklists in the National Checklist Program Repository. An organization can then tailor existing security controls to meet individual operational requirements by utilizing these validated configurations.

Create baseline configurations

Establishing baseline configurations can harden systems and enhance security. However, they also pose unique challenges. Systems are fundamentally dynamic, and security changes within any sector can cause previously stable configurations to stop working correctly, leading to operational downtime.

Creating baselines gives you a foundation for hardening your systems. Since updates can cause a system to stop working, baselines act as your “fall back” position. They give you a configuration that you know works. Once you set these baselines, you can save them as a system “rollback.” With a rollback, you understand that any downtimes arising from

As such, maintaining an older baseline configuration allows for a system rollback to revert to the last working state to avoid downtime if troubleshooting a newer configuration becomes necessary.

Do an impact analysis

A security impact analysis identifies critical vulnerabilities, allowing you to respond to and mitigate the impact of the riskiest security flaws. For example, the NIST RMF suggests that changes to systems that might trigger an event-driven review include:

  • Installing new or upgrading operating systems, middleware components, or applications
  • Modifying system ports, protocols, or services
  • Installing a new or upgrading an existing hardware platform
  • Modifying how to process information, including personally identifiable information (PII)
  • Changing the types of data stored, processed, or transmitted by a system
  • Modifying security and privacy controls

Problematically, system complexity makes continuously monitoring an organization’s environment time-consuming and resource-heavy. Whenever your organization installs or upgrades operating systems, middleware components, applications, or hardware, you need to make risk-based decisions about how to remediate critical security flaws while reducing the potential impact on system functionality and business processes.
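The baseline comparison and event-driven review triggers described above can be combined into one check. The following Python sketch is an added example, not code from NIST or any product: it diffs a current configuration snapshot against a saved baseline, skips accepted waivers, and maps each deviation to one of the trigger categories in the list. The snapshot layout, section names, and sample values are assumptions constructed for illustration.

```python
# Added example. Snapshot layout, section names and the mapping are assumptions.
TRIGGERS = {  # snapshot section -> event-driven review trigger from the list above
    "os": "operating system, middleware, or application change",
    "packages": "operating system, middleware, or application change",
    "listening_ports": "ports, protocols, or services change",
    "services": "ports, protocols, or services change",
    "hardware": "hardware platform change",
    "data_types": "data types stored, processed, or transmitted change",
    "controls": "security and privacy controls change",
}

def flatten(snapshot):
    """Flatten {'section': {...} or [...]} into {(section, item): value}."""
    flat = {}
    for section, body in snapshot.items():
        if isinstance(body, dict):
            flat.update({(section, str(k)): v for k, v in body.items()})
        else:  # a list of items that are simply present, e.g. open ports
            flat.update({(section, str(item)): True for item in body})
    return flat

def drift(baseline, current, waivers=frozenset()):
    """List deviations from the baseline, skipping accepted (section, item) waivers."""
    b, c = flatten(baseline), flatten(current)
    changes = []
    for key in sorted(set(b) | set(c)):
        if key in waivers or (key in b and key in c and b[key] == c[key]):
            continue
        kind = "added" if key not in b else "removed" if key not in c else "changed"
        changes.append({"section": key[0], "item": key[1], "kind": kind,
                        "baseline": b.get(key), "current": c.get(key),
                        "trigger": TRIGGERS.get(key[0], "unclassified")})
    return changes

def review_triggers(changes):
    """Distinct triggers hit; a non-empty result means run a security impact analysis."""
    return sorted({ch["trigger"] for ch in changes})

# Constructed sample snapshots (not real hosts).
BASELINE = {"packages": {"openssl": "1.1.1k", "nginx": "1.18.0"},
            "listening_ports": [22, 443],
            "controls": {"password_min_length": 14, "audit_logon": "enabled"}}
CURRENT = {"packages": {"openssl": "1.1.1k", "nginx": "1.20.1"},
           "listening_ports": [22, 443, 8080],
           "controls": {"password_min_length": 8, "audit_logon": "enabled"}}

if __name__ == "__main__":
    for ch in drift(BASELINE, CURRENT):
        print(f"{ch['kind']:8} {ch['section']}/{ch['item']}: "
              f"{ch['baseline']} -> {ch['current']}  [{ch['trigger']}]")
    print("Review triggers:", review_triggers(drift(BASELINE, CURRENT)))
```

Passing a documented exception as a waiver, for example `waivers={("listening_ports", "8080")}`, removes it from the drift report so that only unapproved deviations prompt a review.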

Automate remediation

Every time you update configurations, you need to run an impact analysis and prioritize the riskiest control weaknesses first. However, “significant changes to systems” can include everything from purchasing a new server to installing a security patch update for an application.

Automating remediation activities gives you a way to mitigate security risks while also reducing operational costs. Additionally, automation ensures system stability over time, reducing downtime because it can incorporate that as part of the process.

SteelCloud: Automated Lower-Level Technical Control Maintenance for NIST RMF Compliance

SteelCloud’s patented ConfigOS technology enables organizations to scan their entire environment in 60 minutes, automates remediation based on control criticality, and gives organizations a way to document their decisions. With ConfigOS, you can reduce the time NIST RMF compliance takes, and the number of employees needed to do the work, making the process more efficient and less costly.












