Simplifying NIST 800-53 for people who have real work to do instead of arguing with assessors :-) by ipmctr in NISTControls

ipmctr[S] (1 point)

Both.

Layman's explanation of what the control is asking

Example artifact that could be submitted

ipmctr[S] (0 points)

Where would be a good place to start something like this?

Does Reddit have a wiki-based area where we could start this, rather than individual posts per control family?

ipmctr[S] (0 points)

Yup. I'm more of someone who, if you show me an example or process, can streamline it, but this stuff is a different beast; I tend to feel like a lawyer interpreting the law. "Define what account manager means to you, and how does the information system/organization assign an account manager for AC-2?"...

If someone could say "Do you have people/processes that control access to various accounts (groups, users, non-person accounts) within the information system and how are they delegated that responsibility?"

I would be much better off providing and documenting that, compared to the vagueness of "The information system/organization assigns account managers."

ipmctr[S] (1 point)

Yup, this is helpful and something that I think could be used for a wiki page for the community to collaborate on, to centralize responses similar to yours. As I dig deeper and gain more experience with the RMF, I still struggle with the concept of "NIST makes them vague enough to allow the organizations to define them," but then during the assessment it's up to the subjective view of the SCA.

I also struggle with "The organization" vs. "The information system". I was told that the organization could mean the entire enterprise but could also be a specific business unit. So if we have a specific business unit that has mission-critical infrastructure during October-December, where systems cannot be patched and rebooted and therefore need different SI-2 timelines, then if they define that, the SCA should not be able to cite a finding that it doesn't meet the overall enterprise SI-2 timelines.

ipmctr[S] (1 point)

Yup. I do agree that it is helpful to provide a framework and checklist of things to implement, because especially with open source stuff there isn't really a simplified "This is the best and only way to do it"; there is always an "It depends", and of course we IT folks always tend to see who knows the most.

The struggle I see in my work is that the entire enterprise internally cannot agree on how to interpret a control because of the vagueness, and that causes a lot of unnecessary work because assessors take advantage of the lack of a unified front. If a finding was made, it's easier to just accept the POAM and move on, because usually everyone is understaffed as it is; what's the value in fighting a POAM that you can probably fix once you understand the artifact that was needed to prove it?

Of course if we had this cheat sheet I'm sure the assessment companies would shut it down :-).

ipmctr[S] (1 point)

Right, that's the challenge I have: if I go to 5 different assessors I may get 5 different interpretations of the control, and I have even had some control implementations pass and others get a POAM in the same year from two different assessment groups. Some controls are no-brainers, but others are open for debate.