Analysis: NIST Risk Management Framework 800-53A Organization-Defined Parameters
- Organization: National Institute of Standards and Technology (NIST)
- Data Source: SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations
Organization-Defined Parameter - The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement.
- Assignment Operations - where the organization defines a value (e.g., frequency, circumstances, personnel, or roles)
- Selection Operations - where the organization selects one or more of the options provided in the ODP
NIST publishes ODPs in a code/variable format, which lets organizations carry them into OSCAL and manage them as policy as code. The Chief Information Security Officer should define as many ODPs as possible at the security program level: every system in the program then inherits one standard value rather than choosing its own, which standardizes the program and simplifies assessment across all of its systems.
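The following script is an added example, not code from the original page or from NIST. It shows what "ODPs as policy as code" looks like in practice: a constructed, minimal imitation of the OSCAL catalog `params` structure (the `id`/`label`/`select{how-many, choice}` shape is an assumption about the model, and the ODP ids, labels and choice lists are invented stand-ins, not copied from the published catalog), a program-level value set defined once by the CISO, and a system-level set that fills in or overrides it. Assignment operations accept any value; selection operations are validated against the catalog's choice list and its `one` / `one-or-more` cardinality, so a system that picks two values for a single-choice ODP is caught rather than silently accepted.

```python
"""Resolve organization-defined parameters (ODPs) from an OSCAL-style catalog
fragment: program-level values first, system-level overrides second, with
selection operations validated against the catalog's allowed choices.

Added example, not from the original page or from NIST. The catalog fragment,
parameter ids, labels and choice lists below are constructed assumptions that
imitate the OSCAL 'params' shape; they are not the published NIST catalog.
"""
from dataclasses import dataclass, field

# Constructed catalog fragment (assumed OSCAL-like shape).
# A 'select' key marks a selection operation; its absence marks an assignment.
CATALOG_PARAMS = [
    {"id": "ac-01_odp.01", "label": "personnel or roles"},
    {"id": "ac-01_odp.03", "label": "policy review frequency"},
    {"id": "ac-02_odp.03", "label": "account types allowed",
     "select": {"how-many": "one-or-more",
                "choice": ["individual", "group", "system", "guest"]}},
    {"id": "au-04_odp.01", "label": "audit log storage capacity"},
    {"id": "ia-05.01_odp.01", "label": "password change policy",
     "select": {"how-many": "one",
                "choice": ["on first use", "on compromise", "periodically"]}},
    {"id": "cm-08_odp.01", "label": "inventory review frequency"},
]

# Program-level (CISO-defined) values: inherited by every system in the program.
PROGRAM_LEVEL = {
    "ac-01_odp.01": ["Chief Information Security Officer", "system owners"],
    "ac-01_odp.03": ["annually"],
    "ac-02_odp.03": ["individual", "group", "system"],
}

# System-level values: override the program value or fill in what it left open.
SYSTEM_LEVEL = {
    "ac-01_odp.03": ["quarterly"],                        # override of program value
    "au-04_odp.01": ["90 days of audit records at 2 TB"],
    "ia-05.01_odp.01": ["on compromise", "periodically"],  # invalid: 'one' allowed
}


@dataclass
class Resolution:
    resolved: dict = field(default_factory=dict)   # param id -> list of values
    source: dict = field(default_factory=dict)     # param id -> "program"|"system"
    errors: list = field(default_factory=list)     # validation failures
    unassigned: list = field(default_factory=list)  # ODPs nobody defined


def validate_selection(param, values):
    """Return an error string if a selection operation violates the catalog,
    or None if the values are acceptable (assignments always pass)."""
    sel = param.get("select")
    if sel is None:
        return None
    bad = [v for v in values if v not in sel["choice"]]
    if bad:
        return f"{param['id']}: {bad} not in allowed choices {sel['choice']}"
    if sel.get("how-many", "one") == "one" and len(values) != 1:
        return f"{param['id']}: exactly one value allowed, got {len(values)}"
    return None


def resolve_odps(catalog_params, program_level, system_level):
    """Layer program-level values under system-level overrides and validate."""
    result = Resolution()
    for param in catalog_params:
        pid = param["id"]
        if pid in system_level:
            values, src = system_level[pid], "system"
        elif pid in program_level:
            values, src = program_level[pid], "program"
        else:
            result.unassigned.append(pid)
            continue
        err = validate_selection(param, values)
        if err:
            result.errors.append(err)
            continue
        result.resolved[pid] = list(values)
        result.source[pid] = src
    return result


def coverage(result, catalog_params):
    """Fraction of catalog ODPs resolved without error."""
    return len(result.resolved) / len(catalog_params)


if __name__ == "__main__":
    r = resolve_odps(CATALOG_PARAMS, PROGRAM_LEVEL, SYSTEM_LEVEL)
    for pid, vals in r.resolved.items():
        print(f"{pid:16} [{r.source[pid]}] = {vals}")
    for e in r.errors:
        print("ERROR:", e)
    print("unassigned:", r.unassigned)
    print(f"coverage: {coverage(r, CATALOG_PARAMS):.0%}")
```

The `unassigned` list is the report a CISO would care about: every ODP on it is one that each system will otherwise answer differently, and the `errors` list catches a selection that a human reviewer could easily miss in a spreadsheet.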
The stacked bar chart below provides ODP counts by security control family and baseline. Summary ODP counts per baseline:
- LOW = 405
- MODERATE = 584
- HIGH = 699
- Program-Level = 35
I realize the stacked bar chart is a slightly awkward chart type for this data, but I used it to save horizontal space. The ODP count is a subset of the orange Assessment Objective count (e.g., AC has 230 ODPs within its 537 Assessment Objectives).