Where should teams record the inheritance decision under NIST SP 800-53 Rev. 5?
Record the decision in the system security plan or privacy plan, and tie it to the common control provider when the control is inherited rather than implemented by the system itself.
If the control is provided by a common control provider, the inheriting system should point to the provider's assessment results instead of treating the control as a local implementation. If the system implements the control itself, document it in the system's own control set and supporting evidence.
- Document inherited controls in the system security plan or privacy plan with a reference to the common control provider.
- Treat the control as inherited only when the protection measure is supplied by another system or organizational entity and the inheriting system has verified that the inheritance actually applies to it (for example, that the provider's assessment results cover the inheriting system's use of the control).
- Treat the control as locally implemented when the system itself provides the control and must be assessed at the system level.
- Set a review trigger so the inheritance decision is revisited after changes to the source control, system boundary, supplier, or operating environment.
- Primary NIST source for the integrated security and privacy control catalog.
- Primary NIST source for control assessment objectives, methods, depth, and coverage.
- NIST RMF source for identifying common controls and documenting control inheritance across systems.