1
00:00:00,360 --> 00:00:04,380
Is a requirement different than a control?

2
00:00:04,380 --> 00:00:05,610
If they're not different

3
00:00:05,610 --> 00:00:08,373
can we use those words interchangeably?

4
00:00:09,210 --> 00:00:12,330
But if a requirement is different than a control

5
00:00:12,330 --> 00:00:13,530
how is it different?

6
00:00:13,530 --> 00:00:18,530
And does this difference matter when we're working with RMF?

7
00:00:18,660 --> 00:00:23,100
You probably already know the words requirement and control

8
00:00:23,100 --> 00:00:25,980
are two very overloaded terms.

9
00:00:25,980 --> 00:00:28,230
They mean different things to different people

10
00:00:28,230 --> 00:00:30,090
depending on the context.

11
00:00:30,090 --> 00:00:34,110
And this has caused some confusion for RMF users.

12
00:00:34,110 --> 00:00:38,430
So section 2.6 in RMF is where NIST

13
00:00:38,430 --> 00:00:41,070
tries to get us all on the same page.

14
00:00:41,070 --> 00:00:44,070
The term requirement as used in RMF

15
00:00:44,070 --> 00:00:47,460
includes both legal and policy requirements

16
00:00:47,460 --> 00:00:49,950
to protect systems and data.

17
00:00:49,950 --> 00:00:52,890
In other words, a requirement in RMF

18
00:00:52,890 --> 00:00:57,000
means all the protection that a system and its data

19
00:00:57,000 --> 00:01:00,120
must have from any source.

20
00:01:00,120 --> 00:01:04,740
And by source RMF means laws, executive orders,

21
00:01:04,740 --> 00:01:08,790
directives, regulations, organizational policies,

22
00:01:08,790 --> 00:01:12,240
standards, mission needs, business needs,

23
00:01:12,240 --> 00:01:15,450
or the results of risk assessments.

24
00:01:15,450 --> 00:01:17,250
Okay, that's a lot of places

25
00:01:17,250 --> 00:01:20,580
where protection requirements can come from.

26
00:01:20,580 --> 00:01:24,720
So you can think of the total list of requirements

27
00:01:24,720 --> 00:01:27,810
as letting you know what protections a system

28
00:01:27,810 --> 00:01:30,000
and its sensitive data will need

29
00:01:30,000 --> 00:01:34,560
without getting into how to do any of the work.

30
00:01:34,560 --> 00:01:36,570
Now, let's take a look at controls.

31
00:01:36,570 --> 00:01:40,410
Controls are the safeguards and protective capabilities

32
00:01:40,410 --> 00:01:44,040
that we put into place to meet our cybersecurity

33
00:01:44,040 --> 00:01:45,660
and privacy objectives.

34
00:01:45,660 --> 00:01:48,120
Controls are how we satisfy

35
00:01:48,120 --> 00:01:52,080
the total list of protective requirements.

36
00:01:52,080 --> 00:01:55,050
Controls are selected and implemented by the organization

37
00:01:55,050 --> 00:01:59,040
and they can be technical, administrative, and physical

38
00:01:59,040 --> 00:02:01,170
or any combination of those.

39
00:02:01,170 --> 00:02:04,080
In addition, controls can also be sorted into

40
00:02:04,080 --> 00:02:09,080
preventative, detective and corrective categories.

41
00:02:09,210 --> 00:02:12,990
NIST Special Publication 800-53,

42
00:02:12,990 --> 00:02:16,350
which is called Recommended Security Controls

43
00:02:16,350 --> 00:02:20,100
for Federal Information Systems and Organizations,

44
00:02:20,100 --> 00:02:25,100
contains hundreds of examples of controls of all types.

45
00:02:25,140 --> 00:02:28,200
Now, let me give you an example of a requirement

46
00:02:28,200 --> 00:02:32,190
along with a control from 800-53.

47
00:02:32,190 --> 00:02:35,700
Let's suppose you have a headquarters policy that says,

48
00:02:35,700 --> 00:02:38,670
sensitive data on your system must be destroyed

49
00:02:38,670 --> 00:02:42,720
after 180 days of initial collection.

50
00:02:42,720 --> 00:02:44,820
Okay? That's a requirement.

51
00:02:44,820 --> 00:02:48,030
Going into Special Publication 800-53

52
00:02:48,030 --> 00:02:51,870
there's a control that's called Media Sanitization

53
00:02:51,870 --> 00:02:56,100
and it has the designation MP-6,

54
00:02:56,100 --> 00:03:01,100
and you can find it on page 174 in Revision 5 of 800-53.

55
00:03:04,680 --> 00:03:07,500
The control itself can be tailored to your system

56
00:03:07,500 --> 00:03:10,500
and it can be enhanced to make the data destruction

57
00:03:10,500 --> 00:03:12,930
more thorough and more reliable.

58
00:03:12,930 --> 00:03:16,410
For example, in addition to using a robust algorithm

59
00:03:16,410 --> 00:03:19,530
to delete data, you could build your control

60
00:03:19,530 --> 00:03:22,860
so that two people must observe the data destruction

61
00:03:22,860 --> 00:03:27,420
and that they both have to sign and date a pen-and-ink log

62
00:03:27,420 --> 00:03:30,420
every time they destroy data together.

63
00:03:30,420 --> 00:03:33,090
Okay, so that's how a requirement is different

64
00:03:33,090 --> 00:03:36,780
than a control and why it's a big difference

65
00:03:36,780 --> 00:03:39,197
when you're working with RMF.