Analysis: NIST Risk Management Framework 800-53A Organization-Defined Parameters

One of the updates to the NIST 800-53A (r5) is the improved isolation of the Organization-Defined Parameters (ODP). ODPs, are essentially fill in the blank areas that allow organizations to customize security controls to their security programs risk posture. 

NIST's definition...

Organization-Defined Parameter - The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement. 

ODPs include:

  • Assignment Operations - where the organization defines a value (e.g., frequency, circumstances, personnel, or roles)
  • Selection Operations - where the organization selects one or more of the options provided in the ODP
The NIST format for ODPs provides a code/variable format that will enable organizations to integrate ODPs into OSCAL...policy as code. It's important for the Chief Information Security Officer to define as many ODPs at the Security Program level as possible. This will help to standardize their Program and all the systems within it.

The stacked bar chart below provides ODP counts by security control family and baselines. Here's some summary baseline ODP counts:
  • LOW = 405
  • MODERATE = 584
  • HIGH = 699
  • Program-Level = 35
I realize the stacked bar chart is a slightly awkward chart type to display this data, but I did so to save some horizontal space. The ODP count represents a subset count of the orange Assessment Objective count (ex. AC = 230 ODPs reside within 537 Assessment Objectives)

Link to corresponding table chart - here.