NIST 800-53 and classes of controls...

Most CISSP study materials break controls into three categories - physical, technical, and administrative. In reviewing NIST 800-53, there are slightly different categories used - management, operational, and technical.

Is there a direct mapping of the general categories to the NIST? Technical is in both. NIST management looks like it may map to the general class of administrative, leaving operational to physical?

Thanks for any input. In early reading it looked as if much CISSP content was derived from NIST documents. Recently I decided to go straight to the source and read the NIST publications, and 800-53 was my starting point. This was a little unexpected curve ball...

    NIST SP 800-53 Rev. 4, Appendix F, Page F-3:

    "Because many security controls within the security control families in Appendix F have various combinations of management, operational, and technical properties, the specific class designations have been removed from the security control families. Organizations may still find it useful to apply such designations to individual security controls and control enhancements or to individual sections within a particular control/enhancement. Organizations may find it beneficial to employ class designations as a way to group or refer to security controls. The class designations may also help organizations with the process of allocating security controls and control enhancements to: (i) responsible parties or information systems (e.g., as common or hybrid controls); (ii) specific roles; and/or (iii) specific components of a system. For example, organizations may determine that the responsibility for system-specific controls they have placed in the management class belong to the information system owner, controls placed in the operational class belong to the Information System Security Officer (ISSO), and controls placed in the technical class belong to one or more system administrators. This example is provided to illustrate the potential usefulness of designating classes for controls and/or control enhancements; it is not meant to suggest or require additional tasks for organizations."

    NIST SP 800-53 Rev. 3 (and prior revisions) used those classifications of management, operational, and technical, but they were removed in NIST SP 800-53 Rev. 4.

    My interpretive mapping of the CISSP categories to the NIST controls would be as follows:
    • Physical -> NIST control families: MA, MP, PE
    • Technical -> NIST control families: AC, AU, CM, CP, IA, RA, SA, SC, SI
    • Administrative -> NIST control families: AC-1, AT-1, AU-1, etc., AT, CA, CP, IR, PL, PS
    There will be overlap, and some controls within each family will span various categories, but at a high level my breakdown is a good starting point.

    Wow - awesome response, thank you!

    You aren’t trying to memorize NIST 800 for the CISSP exam are you? The framework is excellent to shape a security program but you don’t have to be an expert for the exam...just at a high level...after all the CAP exam is nothing but NIST 800.
    Mile wide and an inch deep. You may need to know the NIST Special Publication number by category (e.g., business continuity planning) and process/tools but not every single detail. The control families and which control type might not be on the CISSP. It is on the CAP, as the risk management framework relies heavily on data classification and control implementation.
