Friday, February 19, 2016

NIST Cyber Security Framework (CSF) Excel Spreadsheet

NIST Cybersecurity Framework Excel Spreadsheet

Go to the documents tab and look under the authorities folder. The workbook contains a properly split-out table, a database-import sheet, a search sheet, and a blind reverse map to 800-53r4.

Document: NIST Cybersecurity Framework.ver.xx
Documents Site:

Wednesday, February 17, 2016

Excel Spreadsheet: HHS-ONC Security Risk Assessment Tool & HIPAA Security Rule Toolkit

Posting Excel spreadsheets of the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool and the NIST-provided HIPAA Security Rule Toolkit.

You can download Controls_HIPAA.ver.01c.xlsx under the Documents tab, which takes you here:

Friday, February 5, 2016

Why you need to read the Summary of NIST SP 800-53 Revision 4

This is the most concise list of answers I've seen to the most commonly asked questions and misconceptions my customers, peers, and students have about NIST SP800-53r4.

Just read the table of contents for a readout on those topics... It will look as if someone is reading my email! Nice work Kelley, Greg, and Doug.

Summary of NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Kelley Dempsey, Computer Security Division, Information Technology Laboratory
Greg Witte and Doug Rike, G2, Inc., Annapolis Junction, MD
February 19, 2014
Table of Contents

1 Introduction
2 NIST SP 800-53 Revision 4 and the Risk Management Framework (RMF)
3 Control Baselines and Tailoring
4 Documenting the Control Selection Process
5 Assurance
6 Security Controls
7 International Information Security Standards
8 Overlays
9 Privacy

Here's how I loosely explain it.
  • [Introduction] 800-53 was put in place to define controls for federal systems. Controls keep bad things from happening.
  • [RMF] This assumes the use of the Risk Management Framework. You cannot get away from this. Learn and use it. Repeatedly.
  • [Baselines and Tailoring] The baselines are not meant to be blindly applied. They must be tailored for your situation.
  • [Documentation] Document everything.
  • [Assurance] Systems assurance helps you sleep at night.
  • [Controls] Security controls enable you to protect your systems from bad stuff.
  • [International] Yes!! There is a tremendous amount of overlap between these recommendations and international ISO-IEC recommendations. Look at how they line up! Perfectly? No. But wave your hands and explain it away. Don't do that... that's a joke. Seriously. Don't do that.
  • [Overlays] NIST understands it doesn't cover every situation and expects you to document the additional protections it doesn't cover. These are called overlays.
  • [Privacy] Here's an example overlay.
On my wish list is a NIST for Dummies explained using Legos...

Wednesday, February 3, 2016

DRAFT Automation Support for Security Control Assessments

Here is a draft release that came out tonight for public review. This is solid and well thought out. Really looking forward to where this goes, and I'm going to be following it closely.


**NIST IR 8011: DRAFT Automation Support for Security Control Assessments**

[From Executive Summary]
Evolving threats create a challenge for organizations that design, implement, and operate complex information systems containing many moving parts. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods has become impractical and unrealistic for most organizations due to the sheer size, complexity, and scope of their information technology footprint. Additionally, the rapid deployment of new technologies such as mobile, cloud, and social media brings with it new risks that make ongoing manual procedural assessments of all controls impossible for the vast majority of organizations. Today there is broad agreement in the information security community that once an information system is in production, automation of security control assessments is needed to support and facilitate near real-time information security continuous monitoring (ISCM).

[From Introduction]
Automated assessments have the potential to provide more timely data about security control defects (i.e., the absence or failure of a control), better enabling organizations to respond before vulnerabilities are exploited. Additionally, automated security control assessment has the potential to be less expensive and less human resource-intensive than manual procedural testing. Any realized savings could free up resources to be used on other activities, for example, investing in additional safeguards or countermeasures or responding to security defects and incidents in a more timely manner.

[Planned Volumes]
Volume 1 Automation Support for Security Control Assessments
Volume 2 Hardware Asset Management (HWAM)
Volume 3 Software Asset Management (SWAM)
Volume 4 Configuration Settings Management
Volume 5 Vulnerability Management
Volume 6 Boundary Management (Physical, Filters, and Other Boundaries)
Volume 7 Trust Management
Volume 8 Security-Related Behavior Management
Volume 9 Credentials and Authentication Management
Volume 10 Privilege and Account Management
Volume 11 Event (Incident and Contingency) Preparation Management
Volume 12 Anomalous Event Detection Management
Volume 13 Anomalous Event Response and Recovery Management

Tuesday, February 2, 2016

SP 800-53A Revision 4 controls, objectives, CNSS 1253 Excel Spreadsheet

Here's a cleaned-up and combined Excel spreadsheet version of Special Publication 800-53A r4 containing controls, assessment objectives, and CNSS 1253 parameter values.

File: Controls_800_53r4_ver02e.xlsx

There are 3 spreadsheet tabs. The 1st one is organized by control enhancements, and the 2nd one is organized by controls. As a bonus, there is a simple search sheet in there. You can delete the table contents, paste in any other table contents, and it will still work; simply change the search terms to search your own spreadsheet.

The XML download at NVD comes in 2 parts, one labeled controls and the other objectives; the spreadsheet available under downloads contains the information from both.

The original document can of course be found here:

PCI DSSv3.1 Controls, Guidance, Testing Procedures – Excel Spreadsheet

Go to the documents tab and you can download the spreadsheet containing the PCI DSS version 3.1 control requirements, guidance, and testing procedures.

Includes Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers and the new PCI DSS v3.1 Designated Entities Supplemental Validation.

File: Controls_PCIv3_1.xlsx


There are now 3 different tabs. The 1st tab is organized by the requirements as you see them inside the Data Security Standard. The 2nd tab is organized by testing procedures. The 3rd tab can be used for searching: sort any of the columns largest to smallest to see which controls have the highest hit rate, then reorganize by primary key (PK). Enjoy! :-)
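The two spreadsheet tricks described in these posts, combining a "controls" part and an "objectives" part into one table keyed by control number, and a search sheet that scores each row by term hits, sorts largest to smallest and can be reorganized by primary key, are shown below as an added Python example. It is not code from the original posts or from NIST; the element names and sample records are constructed for illustration and do not follow the actual NVD XML schema.

```python
"""Combine a 'controls' part and an 'objectives' part into one table keyed by
control number, then search it with per-row hit counts.
Added example: element names and records are constructed, not the NVD schema."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of the "controls" part: one element per control.
CONTROLS_XML = """<controls>
  <control>
    <number>AC-2</number>
    <title>Account Management</title>
    <statement>The organization manages information system accounts, including identifying account types and reviewing accounts.</statement>
  </control>
  <control>
    <number>AU-2</number>
    <title>Audit Events</title>
    <statement>The organization determines that the information system is capable of auditing selected events.</statement>
  </control>
  <control>
    <number>IA-5</number>
    <title>Authenticator Management</title>
    <statement>The organization manages information system authenticators, including password complexity and change requirements.</statement>
  </control>
</controls>"""

# Constructed sample of the "objectives" part: several objectives per control.
OBJECTIVES_XML = """<objectives>
  <objective control="AC-2">
    <id>AC-2.1</id>
    <text>Determine if the organization identifies and selects account types.</text>
  </objective>
  <objective control="AC-2">
    <id>AC-2.2</id>
    <text>Determine if the organization reviews accounts for compliance with account management requirements.</text>
  </objective>
  <objective control="AU-2">
    <id>AU-2.1</id>
    <text>Determine if the organization defines the auditable events.</text>
  </objective>
  <objective control="IA-5">
    <id>IA-5.1</id>
    <text>Determine if the organization manages authenticators and password lifetime.</text>
  </objective>
</objectives>"""


def combine(controls_xml, objectives_xml):
    """Merge the two parts into rows keyed by control number (the primary key).
    Each row keeps the control text plus a list of (objective id, objective text)."""
    objectives = defaultdict(list)
    for obj in ET.fromstring(objectives_xml).iter("objective"):
        objectives[obj.get("control")].append((obj.findtext("id"), obj.findtext("text")))
    rows = []
    for ctl in ET.fromstring(controls_xml).iter("control"):
        number = ctl.findtext("number")
        rows.append({
            "pk": number,
            "title": ctl.findtext("title"),
            "statement": ctl.findtext("statement"),
            "objectives": objectives.get(number, []),   # controls with no objectives get an empty list
        })
    return rows


def search(rows, terms):
    """Count case-insensitive hits of every term across a row's title, statement and
    objective text; return (pk, hits) sorted largest to smallest, ties broken by pk."""
    scored = []
    for row in rows:
        haystack = " ".join([row["title"], row["statement"]]
                            + [text for _, text in row["objectives"]]).lower()
        hits = sum(haystack.count(term.lower()) for term in terms)
        scored.append((row["pk"], hits))
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def by_primary_key(scored):
    """Reorganize a scored result back into primary-key order."""
    return sorted(scored, key=lambda s: s[0])


if __name__ == "__main__":
    table = combine(CONTROLS_XML, OBJECTIVES_XML)
    for pk, hits in search(table, ["account", "password"]):
        print(f"{pk}: {hits} hits")
```

The search is a plain substring count, so "account" also matches "accounts", which is the behaviour a quick spreadsheet search gives; swap in a tokenized comparison if whole-word matching is wanted.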