PL-11—Baseline Tailoring
>Control Description
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B.
Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT, and OMB A-130.
Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern baseline tailoring for organizational systems?
- How does the organization determine when baseline tailoring is appropriate?
- What is the process for documenting and approving baseline tailoring decisions?
- Who reviews tailoring decisions to ensure they don't introduce unacceptable risk?
- What governance exists for re-evaluating tailoring decisions when system or threat environments change?
Technical Implementation:
- How are baseline tailoring decisions documented and integrated with system security plans?
- What tools track tailoring decisions and their justifications?
- How are tailored baselines technically implemented in configuration management?
Evidence & Documentation:
- Provide documentation of baseline tailoring decisions and justifications.
- Provide evidence of tailoring review and approval by authorizing officials.
- Provide records of tailoring impact analysis on security posture.
- Provide documentation of compensating controls for tailored requirements.