NIST SP800

Using the NIST SP800-53rev4 uploaded with the assignment document, perform the tasks
below.
Problem statement:
A software development company is in a secret joint venture with a gaming company to produce
a next generation social media environment. The sharing of the iterative design, specifications,
and implementation is done using a cloud managed by a third-party provider.
Your tasks (which you may want to do in tandem rather than in order):
1. Review the concepts related to determining a security capability in Section 2.6 of the NIST
SP800-53rev4, paying particular attention to the insert on page 21 of the document
(which is page 43 of the PDF).
a. (40 points) Determining Security Capabilities: Identify 4 distinct security
capabilities needed for the venture described in the problem statement above and
give each security capability a specific name.
b. (48 points) Justifications: Referring back to the problem statement, for each
security capability briefly describe (using 2-4 well-crafted sentences for each
security capability) why it is a security capability that is needed and associate it
with the title you gave it in part 1a. You may have to add assumptions to the
problem statement from your perspective as the security expert. Those
assumptions should be part of your justification statements.
2. Examine the Family names in Section 2.2 of the NIST SP800-53rev4, and peruse some of
the controls per family in Appendix F of the NIST SP800-53rev4.
a. (50 points) Selection of Security Controls: Choose 4 security controls that must
span at least 3 families that are needed for the security capabilities identified in 1a
and 1b above. You cannot choose the 1st control, such as AC-1 or AU-1, of any
family. Use the identifier and the security control statement (you may cut and
paste this) for each security control and match it to one of your 4 security capabilities.
Each security capability in part 1 must have a security control matched to it.
b. (12 points) Tailoring: If there are italics representing choices within the security
control statement, you must resolve those by filling them in to tailor the control to
your security capability. Maintain the italics for the tailoring of the security
control within the same part of the statement, so it is clear that you did the
tailoring.
c. (50 points) Justifications: For each match, provide a brief justification (using 2-4
well-crafted sentences for each match justification) of the reasons for the control
selection and any tailoring performed. You may have to add assumptions to the
problem statement from your perspective as the security expert. Those
assumptions should be part of your justification statement.
