Select controls for an authorization package

  • Release version: Washingtondc
  • Updated August 1, 2024

  When the impact levels for the package have been approved, it is time to select baseline controls in the Select step.

    Before you begin

    Role required: To write to the sn_im_cont_baseline_control_objective table: sn_irm_cont_auth.system_owner, sn_irm_cont_auth.info_system_sec_officer, sn_irm_cont_auth.admin.

    To access the Mark as Not Applicable button: sn_irm_cont_auth.info_system_sec_officer, sn_irm_cont_auth.info_system_sec_manager, sn_irm_cont_auth.admin.

    About this task

    When approval was received on the Authorization Package form, a Control overlays field and a series of Controls related lists appeared on the form.

    Procedure

    1. Click the Baseline Controls related list.
      The list shows the baseline controls for the calculated impact level of the package. The number of controls to be implemented (as defined by NIST) depends on the impact level (High, Moderate, or Low).
    2. You can perform the following actions on the list of controls.
      Table 1. Actions on Baseline Controls

      | Action | Description |
      | --- | --- |
      | Add controls to the list | Click Add, select the controls you want to add, and click Create Baseline Controls. |
      | Add controls using a control overlay | Select a control overlay from the Control overlays field. Note: Privacy overlays and other types of control overlays may be mandated by government agencies, but you can also create them to add a given number of controls to your list. |
      | Identify certain controls as being non-applicable | Select the controls, click Mark as Not Applicable, enter a justification, and click Confirm. The controls you mark this way are moved from the Baseline Controls list to the Not Applicable Controls related list. |
      | Inherit controls from common controls | You can create common controls to which other, subordinate controls can be assigned so that they inherit risk guidance from them. For example, if you have a control that handles an entire facility, you can identify related controls that will inherit protection and compliance from the common control. To create a common control, select the control, click Create Common Control, and click OK to confirm. For information on allowing a control to inherit from a common control, see Inherit from a common control. |
    3. Click Request Approval.

      An approval request is sent to the Authorizing Official, who will access My Approvals from the navigation pane and review the information in the package. When approval is received, the package transitions to the Implement state.

      To send the package back to the Categorize state, click Back to previous step. All baseline controls will be removed and the package must get approval to advance again to the Select state.