Sunday, April 5, 2015


As a quick recap, in week one I briefly explored how the Risk Management Framework is linked to security controls and their assessments. In week two I listed the RMF steps and explained briefly where assessments take place. In week three I touched on a security control, NIST 800-53 Rev. 4, SI-3 MALICIOUS CODE PROTECTION.

Each control in NIST 800-53 Rev. 4 contains the following sections:

  • control section - The control section prescribes specific security-related activities or actions to be carried out by organizations or by information systems.
  • supplemental guidance section - The supplemental guidance section provides non-prescriptive, additional information for a specific security control.
  • control enhancements section - The security control enhancements section provides statements of security capability to: add functionality/specificity to a control and/or increase the strength of a control.
  • references section - The references section includes a list of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines that are relevant to a particular security control.
  • priority and baseline allocation section - The priority and security control baseline allocation section provides: the recommended priority codes used for sequencing decisions during security control implementation and the initial allocation of security controls and control enhancements to the baselines.

Using SI-3 from last week's example, the following is the second control enhancement, SI-3(2):

(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8.
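To make the control enhancement concrete, here is an added example (not from the original post, and not text from NIST 800-53 or 800-53A) of the kind of evidence check an assessor or system owner might script for SI-3(2): given a log of signature-definition update events, it finds each host's most recent successful update, compares its age against a maximum allowed staleness, and reports hosts whose definitions are not being automatically updated. The log format, host names, the two-day threshold, and the inventory of expected hosts are all assumptions constructed for the example; a real check would read the endpoint protection console or management server instead.

```python
"""Added example: assessing SI-3(2) (automatic updates of malicious code
protection mechanisms) from per-host signature-update records.

Everything below is constructed for illustration: the log format
"<ISO-8601 UTC timestamp> <host> <OK|FAIL> <definition version>", the
hostnames, and the staleness threshold are assumptions, not anything the
original post or NIST prescribes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample records. ws-101 updates nightly, ws-102 has not succeeded
# in a week, ws-103 keeps failing, and a stray note line tests the parser.
SAMPLE_LOG = """\
2015-04-03T02:00:11Z ws-101 OK 2015.04.02.3
2015-04-04T02:00:09Z ws-101 OK 2015.04.03.1
2015-04-05T02:00:14Z ws-101 OK 2015.04.04.2
2015-03-29T02:00:07Z ws-102 OK 2015.03.28.4
2015-04-01T02:00:22Z ws-102 FAIL -
# assessor note: ws-103 rebuilt on 2015-04-02
2015-04-04T02:01:03Z ws-103 FAIL -
2015-04-05T02:00:58Z ws-103 FAIL -
"""


@dataclass
class HostStatus:
    host: str
    last_success: Optional[datetime]  # None if no successful update on record
    version: Optional[str]            # definition version from that update
    age: Optional[timedelta]          # how old the definitions are at assessment time
    compliant: bool                   # age within the allowed maximum


def parse_log(text: str):
    """Return (timestamp, host, status, version) tuples; skip lines that do
    not match the assumed four-field format instead of aborting the check."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts.replace(tzinfo=timezone.utc), parts[1], parts[2], parts[3]))
    return events


def assess_updates(text: str, now: datetime, max_age: timedelta,
                   expected_hosts: Optional[List[str]] = None) -> Dict[str, HostStatus]:
    """Map each host to its update status. A host is compliant only if its
    most recent successful update is no older than max_age. Hosts in the
    expected inventory with no record at all are non-compliant: missing
    evidence is treated as a failed update, not as a pass."""
    events = parse_log(text)
    hosts = set(expected_hosts or []) | {h for _, h, _, _ in events}
    result: Dict[str, HostStatus] = {}
    for host in sorted(hosts):
        successes = [(ts, ver) for ts, h, st, ver in events if h == host and st == "OK"]
        if not successes:
            result[host] = HostStatus(host, None, None, None, False)
            continue
        ts, ver = max(successes)  # latest successful update wins
        age = now - ts
        result[host] = HostStatus(host, ts, ver, age, age <= max_age)
    return result


def stale_hosts(text: str, now: datetime, max_age: timedelta,
                expected_hosts: Optional[List[str]] = None) -> List[str]:
    """Hosts whose malicious code protection is not being updated in time."""
    statuses = assess_updates(text, now, max_age, expected_hosts)
    return [h for h, s in statuses.items() if not s.compliant]


if __name__ == "__main__":
    # Assessment performed at noon UTC on 2015-04-05 with a two-day tolerance
    # (assumed values); ws-104 is in the inventory but has no log entries.
    now = datetime(2015, 4, 5, 12, 0, tzinfo=timezone.utc)
    inventory = ["ws-101", "ws-102", "ws-103", "ws-104"]
    for s in assess_updates(SAMPLE_LOG, now, timedelta(days=2), inventory).values():
        print(f"{s.host}: compliant={s.compliant} version={s.version} age={s.age}")
```

The threshold is where the supplemental guidance's integrity and availability concern shows up in practice: set it too tight and a single failed nightly run produces a false finding, set it too loose and a host can sit on old definitions for weeks; the value should come from the organization's own update methodology, and the check should consume the record the protection mechanism itself produces rather than a hand-maintained list.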

I do not want to go into more detail here, but rather jump over to NIST 800-53A Rev. 4, which contains the following for SI-3(2):


So each control has an assessment. Next week it will be time to go into detail with the NIST 800-53A Rev. 4 content.

