Control Tailoring
Control Tailoring is a critical process within the Selection and Approval of Framework, Security, and Privacy Controls in the context of Governance, Risk and Compliance (GRC). It refers to the systematic modification and adjustment of baseline security and privacy controls to align them with an organization's specific operational environment, risk profile, business requirements, and regulatory obligations. When organizations adopt a security framework such as NIST, ISO 27001, or COBIT, they begin with a set of baseline controls that serve as a starting point. However, these baseline controls are designed to be broadly applicable and may not perfectly fit every organization's unique circumstances. Control tailoring bridges this gap by customizing these controls to ensure they are both effective and efficient for the specific context.
The tailoring process typically involves several key activities. First, organizations identify and designate common controls that are provided by the infrastructure or shared services. Second, they apply scoping considerations to determine which controls are applicable based on the technology, environment, and operational factors. Third, they select compensating controls when the original baseline controls cannot be directly implemented due to technical or business constraints. Fourth, they may supplement baseline controls with additional controls to address specific threats or regulatory requirements. Finally, organizations may adjust control parameters, such as frequency of audits or password length requirements, to match their risk tolerance.
Control tailoring requires thorough documentation and justification for any modifications made to baseline controls. This documentation is essential for audit purposes and demonstrates due diligence in the risk management process. The tailored controls must be reviewed and approved by authorized officials, typically senior management or a designated risk authority, ensuring accountability and proper governance oversight. Ultimately, control tailoring ensures that security and privacy controls are neither excessive nor insufficient, striking an optimal balance between security posture, operational needs, cost-effectiveness, and compliance requirements. It is a fundamental step in building a robust and practical information security program.
Control Tailoring: A Comprehensive Guide for CGRC Exam Preparation
Control Tailoring: Understanding, Applying, and Mastering for the CGRC Exam
1. Why Control Tailoring Is Important
Control tailoring is a critical concept within the Risk Management Framework (RMF) and is essential for organizations seeking to implement security and privacy controls that are both effective and efficient. Without tailoring, organizations would be forced to apply a rigid, one-size-fits-all set of controls that may not appropriately address their unique risk environment, mission requirements, operational constraints, or technological landscape.
The importance of control tailoring includes:
• Operational Relevance: Not every control in a baseline is applicable to every system. Tailoring ensures that the controls selected are relevant to the specific information system and its operating environment.
• Cost Efficiency: Implementing unnecessary controls wastes resources. Tailoring allows organizations to focus investments on controls that genuinely reduce risk.
• Risk Alignment: Tailoring helps organizations align their security posture with their actual risk profile rather than applying generic protections that may leave gaps or create unnecessary overhead.
• Regulatory Compliance: Many regulatory frameworks and authorizing officials require documented tailoring decisions to demonstrate due diligence and risk-based decision-making.
• Mission Success: By adapting controls to the operational environment, tailoring ensures that security measures support rather than hinder the organization's mission.
2. What Is Control Tailoring?
Control tailoring is the process of modifying, supplementing, or adjusting a set of baseline security and privacy controls to align them with an organization's specific conditions, threat landscape, risk tolerance, mission requirements, and operational environment.
According to NIST SP 800-53 and NIST SP 800-53B, control tailoring involves taking an initial control baseline (Low, Moderate, or High) and customizing it to fit the particular needs of the system and the organization. This is a formal, documented process that occurs during the Select step of the Risk Management Framework (RMF).
Control tailoring is not about arbitrarily removing controls to reduce effort. It is a disciplined, risk-informed process that must be justified, documented, and approved by the appropriate authorizing official or designated representative.
Key Definitions:
• Control Baseline: A predefined set of minimum security and privacy controls for a system based on its impact level (Low, Moderate, High) as defined in FIPS 199 and NIST SP 800-53B.
• Tailoring: The process of adjusting the baseline to meet the specific needs of the system and organization.
• Tailored Baseline: The resulting set of controls after tailoring activities have been completed.
3. How Control Tailoring Works
The tailoring process follows a structured set of activities. According to NIST guidance, the key tailoring activities include:
Step 1: Identifying and Designating Common Controls
Determine which controls in the baseline are provided by the organization as common (inherited) controls. Common controls are implemented at the organizational level and inherited by individual systems. If a common control fully satisfies the requirement, the system does not need to implement it independently.
Step 2: Applying Scoping Considerations
Scoping considerations help determine the applicability of controls based on factors such as:
• Technology-related considerations: Some controls apply only to specific technologies (e.g., wireless, mobile, cloud). If the technology is not present in the system, the associated controls may not be applicable.
• Infrastructure-related considerations: Physical and environmental controls may not apply if the system operates in a hosted or shared environment where those controls are managed elsewhere.
• Public access considerations: Systems providing public access may need different controls than those restricted to internal users.
• Scalability considerations: Controls may need to be scaled up or down based on the size and complexity of the system.
• Security objective-related considerations: Controls may be adjusted based on which security objectives (confidentiality, integrity, availability) are most critical for the system.
Step 3: Selecting Compensating Controls
When an organization determines that a baseline control cannot be implemented as specified, a compensating control may be selected. A compensating control provides equivalent or comparable protection through alternative means. The compensating control must:
• Address the same threat or vulnerability as the original control
• Provide a similar level of protection
• Be documented and justified
Step 4: Assigning Parameter Values
Many controls in NIST SP 800-53 include assignment or selection operations (indicated by brackets such as [Assignment: organization-defined frequency]). During tailoring, the organization defines specific parameter values for these operations. For example, specifying that audit logs must be reviewed "weekly" or that passwords must be changed every "90 days."
Step 5: Supplementing the Baseline
Organizations may add controls beyond the baseline if the risk assessment indicates additional protections are necessary. This is common when:
• Threat intelligence reveals elevated risks
• The system processes highly sensitive data
• Legal, regulatory, or contractual obligations require additional controls
• Organizational risk tolerance demands stronger protections
Step 6: Providing Justification for Tailoring Decisions
All tailoring decisions must be documented with sufficient detail and rationale. This documentation becomes part of the system security plan (SSP) and is reviewed during the authorization process. The authorizing official (AO) must approve the tailored baseline.
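The six activities above can be modelled as a small, auditable tailoring record. The following Python is an added example written for this page, not NIST guidance or a tool the page describes: the baseline, the control titles, the parameter names and the decisions are all constructed for illustration (control IDs only mimic the SP 800-53 naming style). What it adds to the prose is the enforcement side of Step 6: every decision must carry a justification and an approver before it is applied, and no organization-defined parameter on a control the system still implements may be left unassigned when the tailored baseline is produced.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Control:
    cid: str
    title: str
    params: dict = field(default_factory=dict)  # organization-defined parameter -> value (None = unassigned)
    status: str = "system-specific"             # system-specific | common | compensated | not-applicable
    justification: str = ""                     # Step 6: rationale recorded in the SSP
    approved_by: str = ""                       # Step 6: AO or designated representative
    notes: str = ""


class TailoringError(ValueError):
    """Raised when a decision lacks the documentation or approval the Select step requires."""


def constructed_baseline():
    """Constructed, illustrative baseline (not copied from SP 800-53B)."""
    return {
        "AC-2": Control("AC-2", "Account Management", {"review frequency": None}),
        "AC-18": Control("AC-18", "Wireless Access"),
        "AU-6": Control("AU-6", "Audit Record Review", {"frequency": None}),
        "IA-5": Control("IA-5", "Authenticator Management", {"password change interval": None}),
        "PE-3": Control("PE-3", "Physical Access Control"),
        "SC-8": Control("SC-8", "Transmission Confidentiality"),
    }


def _require_documented(decision):
    # Every tailoring decision, whatever its kind, needs a rationale and an approver.
    for key in ("justification", "approved_by"):
        if not decision.get(key):
            raise TailoringError(f"{decision.get('action')} on {decision.get('cid')}: missing {key}")


def tailor(baseline, decisions):
    """Apply documented tailoring decisions to a baseline and return the tailored baseline."""
    tailored = {cid: replace(c, params=dict(c.params)) for cid, c in baseline.items()}
    for d in decisions:
        _require_documented(d)
        act, cid = d["action"], d["cid"]
        if act == "supplement":  # Step 5: add a control beyond the baseline
            tailored[cid] = Control(cid, d["title"], dict(d.get("params", {})),
                                    "system-specific", d["justification"], d["approved_by"])
            continue
        if cid not in tailored:
            raise TailoringError(f"{cid} is not in the baseline")
        c = tailored[cid]
        c.justification, c.approved_by = d["justification"], d["approved_by"]
        if act == "inherit":       # Step 1: designate as a common (inherited) control
            c.status, c.notes = "common", f"provided by {d['provider']}"
        elif act == "scope_out":   # Step 2: scoping consideration removes applicability
            c.status = "not-applicable"
        elif act == "compensate":  # Step 3: alternative mechanism with comparable protection
            c.status, c.notes = "compensated", f"compensated by {d['with']}"
        elif act == "set_param":   # Step 4: assign an organization-defined value
            if d["name"] not in c.params:
                raise TailoringError(f"{cid} has no parameter '{d['name']}'")
            c.params[d["name"]] = d["value"]
        else:
            raise TailoringError(f"unknown action {act}")
    # Controls the system itself implements must have every parameter assigned.
    unresolved = [(cid, n) for cid, c in tailored.items()
                  if c.status in ("system-specific", "compensated")
                  for n, v in c.params.items() if v is None]
    if unresolved:
        raise TailoringError(f"unassigned parameters: {unresolved}")
    return tailored


def summarize(tailored):
    """Count controls by tailoring status, the figure an SSP control summary table would carry."""
    counts = {}
    for c in tailored.values():
        counts[c.status] = counts.get(c.status, 0) + 1
    return counts


def example_decisions():
    """Constructed decisions; 'AO' stands in for a named authorizing official."""
    return [
        {"action": "inherit", "cid": "PE-3", "provider": "Facilities", "justification": "hosted data center", "approved_by": "AO"},
        {"action": "scope_out", "cid": "AC-18", "justification": "no wireless interfaces present", "approved_by": "AO"},
        {"action": "compensate", "cid": "SC-8", "with": "physically protected distribution", "justification": "legacy protocol cannot be encrypted", "approved_by": "AO"},
        {"action": "set_param", "cid": "AU-6", "name": "frequency", "value": "weekly", "justification": "risk assessment", "approved_by": "AO"},
        {"action": "set_param", "cid": "IA-5", "name": "password change interval", "value": "90 days", "justification": "org policy", "approved_by": "AO"},
        {"action": "set_param", "cid": "AC-2", "name": "review frequency", "value": "quarterly", "justification": "org policy", "approved_by": "AO"},
        {"action": "supplement", "cid": "SI-4", "title": "System Monitoring", "justification": "elevated threat intelligence", "approved_by": "AO"},
    ]


if __name__ == "__main__":
    result = tailor(constructed_baseline(), example_decisions())
    for cid, c in sorted(result.items()):
        print(f"{cid:6} {c.status:16} {c.params} {c.notes}")
    print(summarize(result))
```

Running the script prints the tailored baseline and the status counts. A decision missing its `justification` or `approved_by`, or a tailored baseline that still has an unassigned parameter, is rejected with `TailoringError`, which is the behaviour an assessor would expect the SSP review to reproduce.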
4. Tailoring in the Context of the RMF
Control tailoring primarily occurs during RMF Step 2: Select Security Controls, but it is informed by activities in other steps:
• Step 1 - Categorize: The system categorization (using FIPS 199/FIPS 200) determines the initial control baseline. This directly influences tailoring.
• Step 2 - Select: Tailoring is the core activity of this step. The organization starts with the baseline and applies tailoring activities.
• Step 3 - Implement: Tailored controls are implemented in the system.
• Step 4 - Assess: Assessors evaluate whether tailored controls are implemented correctly and operating as intended.
• Step 5 - Authorize: The AO reviews the tailored baseline and risk posture to make an authorization decision.
• Step 6 - Monitor: Tailoring decisions are revisited as the threat environment and system evolve.
5. Key NIST References for Control Tailoring
• NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations — provides the control catalog
• NIST SP 800-53B: Control Baselines for Information Systems and Organizations — defines the Low, Moderate, and High baselines
• NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations — describes the RMF steps including the Select step
• NIST SP 800-30: Guide for Conducting Risk Assessments — informs tailoring decisions with risk data
• FIPS 199: Standards for Security Categorization — determines the impact level that drives baseline selection
• FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
6. Common Misconceptions About Control Tailoring
• Misconception: Tailoring means removing controls you do not want to implement.
Reality: Tailoring is a risk-informed process. Removing a control requires documented justification and approval. It is not about convenience.
• Misconception: Tailoring only involves removing controls.
Reality: Tailoring can also involve adding controls (supplementing), adjusting parameters, replacing controls with compensating alternatives, and designating common controls.
• Misconception: Tailoring is optional.
Reality: The RMF expects organizations to tailor baselines. Applying a baseline without tailoring may result in an inadequate or inefficient security posture.
• Misconception: The system owner alone decides on tailoring.
Reality: While the system owner proposes tailoring decisions, they must be reviewed and approved by the authorizing official (AO).
7. Exam Tips: Answering Questions on Control Tailoring
When answering CGRC exam questions on control tailoring, keep the following strategies in mind:
Tip 1: Know Where Tailoring Fits in the RMF
Control tailoring occurs in RMF Step 2: Select. If a question asks when tailoring happens, always associate it with the Select step. Do not confuse it with implementation (Step 3) or assessment (Step 4).
Tip 2: Understand the Difference Between Tailoring and Scoping
Scoping is a subset of the tailoring process. Scoping considerations help determine applicability, while tailoring is the broader process that includes scoping, adding compensating controls, assigning parameters, supplementing, and designating common controls.
Tip 3: Remember That Tailoring Requires Documentation and Approval
If an exam question presents a scenario where controls are being removed without documentation or without AO approval, that is likely the incorrect approach. Tailoring decisions must always be documented in the SSP and approved by the appropriate authority.
Tip 4: Compensating Controls Are Not Identical to Original Controls
A compensating control provides equivalent or comparable protection through an alternative mechanism. If a question asks about substituting a control, look for the answer that describes an alternative providing similar protection — not a lesser control.
Tip 5: Risk Assessment Informs Tailoring
Tailoring decisions should be based on the results of the risk assessment. If a question asks what drives tailoring decisions, the answer typically involves risk assessment findings, threat intelligence, organizational risk tolerance, and mission requirements.
Tip 6: Watch for Keyword Triggers
Exam questions may use keywords like "adjust," "modify," "supplement," "compensating control," "scoping," "baseline customization," or "organization-defined parameters." These all relate to tailoring activities.
Tip 7: Understand Common Controls vs. System-Specific Controls
Common controls are inherited from the organization or another system. System-specific controls are implemented by the individual system. Hybrid controls have both common and system-specific elements. Understanding this distinction is essential for tailoring questions.
Tip 8: Adding Controls Beyond the Baseline Is Also Tailoring
Do not fall into the trap of thinking tailoring only reduces the number of controls. Supplementing — adding controls beyond the baseline — is an equally valid and important tailoring activity.
Tip 9: The AO Has Final Authority
The authorizing official (AO) reviews and approves the tailored baseline as part of the authorization decision. If a question asks who approves tailoring decisions, the answer is typically the AO.
Tip 10: Use the Process of Elimination
When you encounter a tailoring question and are unsure of the correct answer, eliminate options that:
• Suggest tailoring without documentation
• Place tailoring in the wrong RMF step
• Describe tailoring as purely a technical activity without management involvement
• Imply that tailoring is optional or unnecessary
8. Summary
Control tailoring is a foundational concept in the NIST Risk Management Framework and a critical topic for the CGRC examination. It is the process of customizing a control baseline to fit an organization's unique environment through activities such as designating common controls, applying scoping considerations, selecting compensating controls, assigning specific parameter values, and supplementing the baseline with additional controls. All tailoring decisions must be risk-informed, thoroughly documented, and approved by the authorizing official. Mastering this concept will help you answer exam questions accurately and apply sound risk management practices in real-world scenarios.