Domain 3 of 8 · Chapter 3 of 10

Controls Selection

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What "select controls based on requirements" means
  • Baselines, tailoring, and overlays (NIST RMF)
  • Common Criteria: TOE, PP, ST, and the EAL scale
  • Certification vs. accreditation, and the modern A&A / ATO
  • Exam-pattern recognition

Two requirement-to-assurance frameworks the exam contrasts

AspectCommon Criteria (ISO/IEC 15408)NIST RMF baseline selection (SP 800-53B / 800-37)
What it producesAn Evaluation Assurance Level (EAL1-EAL7) for a productA tailored control set plus an Authorization to Operate for a system
Unit of evaluationA product, the Target of Evaluation (TOE)An information system in its operating environment
Requirements statementProtection Profile (the class need) and Security Target (the product's claim)FIPS 199 impact categorization plus the selected baseline
Who decidesAn accredited independent evaluation lab and certification bodyThe authorizing official accepts residual risk and signs the ATO
What the rating meansHow rigorously the product was examined, within the ST's assumptionsWhich controls apply and that residual risk is formally accepted

Cheat sheet

  • Control selection is requirements-driven: categorize impact, then choose a baseline
  • Pick the SP 800-53B baseline that matches the system's impact level
  • FIPS 199 impact is the high-water mark across C, I, and A
  • A baseline is a starting point; tailoring produces the system's real control set
  • An overlay is reusable tailoring shared across a community of interest
  • The privacy baseline applies regardless of impact level
  • Common Criteria (ISO/IEC 15408) evaluates a product, the TOE
  • Protection Profile states class requirements; Security Target states the product's claim
  • An EAL rates evaluation rigor, not how secure the product is
  • Know the EAL scale: EAL4 is the common commercial and mutual-recognition cap
  • Certification is the assessment; accreditation is the decision to accept the risk
  • The authorizing official owns risk acceptance, not the assessor
  • Modern RMF renames C&A to Assessment and Authorization, output is an ATO
  • RMF has seven steps; Select and Authorize are where control selection lives
  • Tie a product's EAL to its requirements, not to an absolute security score

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-53B, Control Baselines for Information Systems and Organizations Whitepaper
  2. NIST Risk Management Framework (RMF) overview: the seven steps Whitepaper
  3. NIST glossary: Target of Evaluation (TOE) Whitepaper
  4. NIST glossary: Protection Profile Whitepaper
  5. NIST glossary: Security Target Whitepaper
  6. NIST glossary: Evaluation Assurance Level (EAL) Whitepaper
  7. NIST glossary: certification Whitepaper
  8. NIST glossary: accreditation Whitepaper
  9. NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations Whitepaper