Recommended Security Controls for Federal Information Systems Annex 3: High-Impact Baseline
"Organizations are required to employ security controls to meet security requirements defined by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., Federal Information Security Management Act, OMB Circular A-130, Appendix III). The challenge for organizations is to determine the appropriate set of security controls, which if implemented and determined to be effective in their application, would most cost-effectively comply with the stated security requirements. Selecting the appropriate set of security controls to meet the specific, and sometimes unique, security requirements of an organization is an important task: a task that demonstrates the organization's commitment to security and the due diligence exercised in protecting the confidentiality, integrity, and availability of its information and information systems. The ultimate objective is to implement information systems that are dependable in the face of threats. To assist organizations in making the appropriate selection of security controls for their information systems, the concept of baseline controls is introduced. Baseline controls are the initial security controls recommended for an information system based on the system's security categorization in accordance with FIPS 199. [...] Organizations are expected to apply the tailoring guidance described in Section 3.3 of NIST Special Publication 800-53 (as amended) to the initial low-impact baseline security controls, producing a tailored baseline. The tailored security control baseline serves as the starting point for organizations in determining the appropriate safeguards and countermeasures necessary to protect their information systems."
NIST Special Publication 800-53, Revision 3 Excerpt
National Institute of Standards and Technology: http://www.nist.gov/