Analysis: NIST Risk Management Framework 800-53A Parameters and Standardization

Sources

• Organization: National Institute of Technology (NIST)
• Data Source: SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations

I've been spending more time staring at and thinking about the NIST 800-53A (r5) Organization-Defined Parameters (ODP). Once completed, the parameters help organizations to create standards at the Security Program and System levels. It's typically beneficial to define as many parameters as possible at the Program level to promote standardization throughout the organization. 

An organization's risk tolerance should be understood to ensure these parameters create a balance of confidentiality, integrity, and availability of information that is agreeable to all the communities of interest. If organizations are following the NIST 800-37 Risk Management Framework steps then their risk management strategy and risk tolerance should already be understood.

The pie chart below displays the ratio of ODP assessment objectives to pre-defined assessment objectives. Here are some summary control baseline percentages:

• LOW = 29.5%
• MODERATE = 30.9%
• HIGH = 32.3% 
• Program-Level = 12.1%

You can read my first ODP-related post here.