Newbie question about controls

LKSN
Tera Contributor

Using the NIST controls, on Washington. Some controls have 'fill in the blanks' like this one:
Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].


I change the Control objective to say:

Maintain and review visitor access records using Microsoft Excel.

From now on, all packages would say that when the baseline control is loaded.


But say that works for all but one department, and that department instead wants to use Microsoft Access.
And they want that to show in the SSP. 

How do you go about modifying a control objective or giving the user the ability to modify the control objective so they can update/insert info specific to their process for that control?


ShafrazMubarak
Giga Guru

I would suggest the best approach here is to keep your Control Objective aligned with your company's baseline expectation (e.g., "Microsoft Excel" as you've set it).

When a specific department requires a different tool like Microsoft Access, you don't modify the Control Objective itself. Instead, you modify the individual Control record that's linked to that objective for that particular department. This allows you to document the specific tool (Microsoft Access) within the Control's implementation details or a custom field, ensuring it's accurately reflected in their System Security Plan (SSP) while maintaining the integrity of your overarching Control Objective.

Once you load the control from the control objective, you can untick the check box "Inherit from the control objective". This will make the description field enabled again. You can update the description and you can change the Name of the Control.

The relationship between the control objective and the control will not be broken this way, so you can check the control objective and the compliance score will also be updated with this method.


If the requirement is under CAM (Continuous Authorization & Monitoring) module Controls, this is not possible, as CAM Controls don't have the option to untick "Inherit from the control objective".

LKSN
Tera Contributor

That makes sense, but I can't change the description on the control. It's read only on the form even though I have all CAM roles assigned. I can edit the control description in list view, however. What am I missing? I'm in the Implement state.

Anurag22
Tera Contributor

@LKSN - This is weird, the Description being read only for Admins or even for the Control Owner. Maybe you can copy the description into the Additional Information field and modify it as needed. Otherwise, list view is there anyway. Do let us know if this gets sorted.