In NIST 800-53, control baselines provide a starting point for organizations in the security and privacy control selection process. Since there is only one privacy control baseline and it generally applies to systems that process personally identifiable information (PII), it is relatively easy to determine if that baseline is right for your organization.
Selecting a security control baseline is more challenging, since there are three, corresponding to the three system impact levels defined by FIPS Publication 199. This requires you to categorize the information system into an impact level according to the potential adverse impact on the confidentiality, integrity, and availability of information systems and information.
Before we dive into the categorization process, we’ll take a closer look at the three security control baselines of NIST 800-53 below.

NIST 800-53 Low
If the potential impact of a security breach on the system is limited or minor, then the Low baseline applies. Since it’s intended for systems with the lowest risk levels, Low is the least stringent baseline with the fewest controls.
In total, it prescribes 149 controls (including base controls and control enhancements).
This baseline focuses on foundational controls that provide essential security measures, such as:
- Basic access control policy and account management controls.
- Administrative safeguards like security awareness training and incident response planning.
- Foundational identification and authentication measures such as multi-factor authentication.
While the Low baseline is the least stringent, it ensures adequate security for less critical systems.
NIST 800-53 Moderate
The Moderate baseline is suitable for systems where a security breach could have a serious impact on organizations, individuals, or the Nation but not severe or catastrophic. So, for example, the organization may still be able to perform its primary functions but not as effectively due to a breach.
Since it’s intended for systems with higher risk levels than the Low baseline, the Moderate baseline prescribes an additional 138 controls (including base controls and control enhancements), reaching a total of 287.
The Moderate baseline includes but is not limited to:
- Enhanced access control measures, including employing the principles of least privilege and separation of duties.
- Comprehensive configuration management controls, including having a documented configuration management plan.
- Robust system and communications protection measures like using cryptographic mechanisms to protect information at rest.
This baseline is widely used across the defense tech industry as well as other industries, as it provides robust protection without the overhead of High baseline requirements.
NIST 800-53 High
The High baseline is the most stringent, designed for systems with the highest risk levels. These systems process, store, or transmit highly sensitive data and support critical operations, so the potential impact on organizations, individuals, or the Nation should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability) would be severe or catastrophic.
As the most stringent baseline, High prescribes the most controls and control enhancements, with a total of 370. This is 221 more than the Low baseline and 83 more than the Moderate baseline.
This baseline includes robust controls to address the significant risks associated with these systems, such as:
- Penetration testing by an independent third party.
- Robust security controls implemented during the acquisition process of new systems and services, such as requiring developer-provided training on the correct use and operation of a new system.
- Comprehensive system and information integrity capabilities, including automated monitoring and alerts.
Federal agencies managing sensitive government information and highly regulated industries like healthcare and finance may adopt the High baseline to ensure maximum protection.
How to determine your NIST 800-53 security control baseline
A security control baseline should be selected based on the system impact level. Follow the steps below to determine the impact level of your information system and the associated security baseline.
Step 1: Inventory your information system components
First, compile an inventory of:
- The types of information transmitted, stored, or processed and the associated information system components categorized according to the level of security risk
- All information system components with necessary tracking information
- All information system components within the authorization boundary depicted in a network architecture diagram
- All data flows between information system components depicted in a data flow diagram
Step 2: Categorize the information system using FIPS 199
Once you’ve compiled this inventory, you can categorize the information system into an impact level according to the potential adverse impact of a security breach on three security outcomes of information systems and information.
According to FIPS 199, these three security outcomes are:
- Confidentiality: The risk of unauthorized disclosure of information.
- Integrity: The risk of unauthorized modification or destruction of information.
- Availability: The risk of disruption of access to or use of information or an information system.
FIPS 199 also defines three levels of potential impact on an organization or individuals should there be a loss of confidentiality, integrity, or availability. These levels are:
- Low: Limited adverse effect, e.g. noticeable operational disruption, minimal financial loss, minor damage to assets, and minor harm to individuals.
- Moderate: Serious adverse effect, e.g. significant operational disruption, financial loss, damage to assets, and harm to individuals.
- High: Severe or catastrophic effect, e.g. major operational failure, financial loss, damage to assets, and harm to individuals involving loss of life or serious life-threatening injuries.
The highest impact level assigned to any of the three security objectives determines the overall FIPS 199 security category of the information system.
Here are three examples:
Example 1: Low-impact system
A government agency maintains a public website that provides general information, such as office hours, locations, and FAQs. No sensitive or personally identifiable information (PII) is stored on the system.
Security Objective | Impact Level | Reasoning |
---|---|---|
Confidentiality | Not applicable | The website only contains publicly available data, so there is no risk of unauthorized disclosure. |
Integrity | Low | Minor modifications to content (e.g., incorrect office hours) would not significantly impact operations. |
Availability | Low | Temporary unavailability of the website would not seriously affect agency functions. |
Overall Categorization | Low | Since the highest impact level among all three objectives is Low, the system impact level is Low. |
Example 2: Moderate-impact system
A government agency uses an internal financial management system to process and store budgeting, procurement, and payroll data. While the data is sensitive, its exposure would not pose a catastrophic risk.
Security Objective | Impact Level | Reasoning |
---|---|---|
Confidentiality | Moderate | Unauthorized disclosure of financial records could harm the agency’s credibility and lead to financial fraud. |
Integrity | Moderate | Alteration of financial transactions could result in incorrect reporting and compliance issues. |
Availability | Low | Temporary system downtime would be disruptive but not significant, as operations could continue with backups. |
Overall Categorization | Moderate | Since the highest impact level among all three objectives is Moderate, the system impact level is Moderate. |
Example 3: High-impact system
A classified military command system is used for real-time battlefield intelligence and mission coordination. Unauthorized access, data manipulation, or system failure could have severe consequences for national security.
Security Objective | Impact Level | Reasoning |
---|---|---|
Confidentiality | High | Unauthorized access to classified intelligence could compromise national security. |
Integrity | High | Tampering with mission data could lead to operational failure and loss of life. |
Availability | Moderate | System downtime could disrupt military operations, causing significant strategic disadvantages. |
Overall Categorization | High | Since the highest impact level among all three objectives is High, the system impact level is High. |
Step 3: Select the corresponding NIST 800-53 baseline
From there, you can select the associated security control baseline. Each baseline provides a minimum set of security controls tailored to the system impact level.
The table below outlines the relationships between impact levels and control baselines.
The maximum potential adverse impact on any of the three security outcomes | FIPS 199 impact levels | NIST 800-53 security control baselines |
---|---|---|
Limited | Low-impact | Low |
Serious | Moderate-impact | Moderate |
Severe | High-impact | High |
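The high-water-mark rule from Step 2 and the baseline lookup from Step 3, carried through in code as an added example (this is not code from the article or from NIST). It ranks the FIPS 199 impact levels so that the highest level across the three objectives can be taken directly, maps that level to a baseline, and renders and parses the FIPS 199 `SC = {(confidentiality, ...), ...}` notation, rejecting a category that marks integrity or availability as not applicable. The three system records are constructed to mirror the article's three worked examples; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact levels, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0   # permitted only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def label(self) -> str:
        return self.name.replace("_", " ").lower()


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Overall impact level -> NIST 800-53 security control baseline.
BASELINE_FOR_IMPACT = {
    Impact.LOW: "Low",
    Impact.MODERATE: "Moderate",
    Impact.HIGH: "High",
}


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 allows "not applicable" only for confidentiality; integrity and
        # availability always carry at least a Low impact, so the overall level
        # can never itself be "not applicable".
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError("integrity and availability must be Low, Moderate or High")

    def high_water_mark(self) -> Impact:
        """Overall impact level: the highest level across the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def baseline(self) -> str:
        """NIST 800-53 baseline selected from the overall impact level."""
        return BASELINE_FOR_IMPACT[self.high_water_mark()]

    def to_sc(self) -> str:
        """Render in FIPS 199 notation, e.g. SC = {(confidentiality, low), ...}."""
        parts = ", ".join(f"({obj}, {getattr(self, obj).label})" for obj in OBJECTIVES)
        return "SC = {" + parts + "}"


_PAIR = re.compile(
    r"\((confidentiality|integrity|availability),\s*(not applicable|low|moderate|high)\)",
    re.IGNORECASE,
)


def parse_sc(text: str) -> SecurityCategory:
    """Parse a FIPS 199 security-category string back into a SecurityCategory.

    Each objective must appear exactly once; duplicates or omissions are rejected.
    """
    found: dict[str, Impact] = {}
    for obj, level in _PAIR.findall(text):
        obj = obj.lower()
        if obj in found:
            raise ValueError(f"objective listed twice: {obj}")
        found[obj] = Impact[level.upper().replace(" ", "_")]
    missing = [obj for obj in OBJECTIVES if obj not in found]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    return SecurityCategory(**found)


# Constructed records mirroring the article's three worked examples.
EXAMPLE_SYSTEMS = {
    "public website": SecurityCategory(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    "financial management system": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "military command system": SecurityCategory(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
}


def select_baselines(systems: dict[str, SecurityCategory]) -> dict[str, str]:
    """Map each system name to its NIST 800-53 baseline via the high-water mark."""
    return {name: cat.baseline() for name, cat in systems.items()}


if __name__ == "__main__":
    for name, cat in EXAMPLE_SYSTEMS.items():
        print(f"{name}: {cat.to_sc()} -> {cat.high_water_mark().label} -> {cat.baseline()} baseline")
```

Because `Impact` is an `IntEnum`, the high-water mark is just `max()` over the three objectives, which keeps the rule in one place; the FAQ case below (confidentiality high, integrity and availability moderate) parses with `parse_sc` and resolves to the High baseline the same way.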
FAQs
What is FIPS 199, and how does it relate to NIST 800-53?
FIPS 199 (Federal Information Processing Standard 199) is a framework used to categorize federal information systems based on their potential impact on confidentiality, integrity, and availability. This categorization determines which NIST 800-53 security control baseline (Low, Moderate, or High) should be applied.
How do I determine my system’s security impact level?
You assess the potential consequences of a security breach for each security outcome (confidentiality, integrity, and availability), then assign each one an impact level:
- Low: Minimal adverse effect
- Moderate: Serious adverse effect
- High: Severe or catastrophic effect
The highest rating among these three determines the system’s overall security impact level and corresponding NIST 800-53 baseline.
What happens if my system falls between two impact levels?
If different security objectives (confidentiality, integrity, availability) have different impact levels, the highest rating determines the overall impact level and the corresponding NIST 800-53 baseline. For example, if an organization determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate, then the resulting security category of the information system is High.
What types of systems are the three NIST 800-53 security control baselines designed for?
The security control baselines are designed for the following systems:
- Low Baseline: For systems with minimal security risks (e.g., public websites).
- Moderate Baseline: For systems handling sensitive but non-critical data (e.g., financial systems).
- High Baseline: For mission-critical systems with severe security consequences (e.g., military command systems).
Can I modify the NIST 800-53 baseline controls?
Yes, organizations can and should tailor their security control baseline by performing activities such as:
- Removing non-applicable controls
- Enhancing controls based on risk assessments
- Adding extra controls to meet specific regulatory or business needs