Ohio University
Scripps College of Communications
J. Warren McClure School of Emerging Communication Technologies
Name: Salt:
Scenario:
NIST Document Map

  • NIST 800-30: Risk Assessment
  • NIST 800-171: CUI (Contractors)
  • NIST 800-66: PHI (Healthcare)
  • NIST 800-82: OT / ICS
  • FIPS 199: Federal Categorization
  • NIST 800-53B: Control Baselines
  • NIST 800-53: Catalog of Controls
  • NIST 800-53A: Control Assessments

NIST Baseline Navigator

In this exercise you will take on the role of a newly assigned Information Systems Security Officer (ISSO) at a fictional organization. You will guide the organization through the key steps of the NIST compliance process.

The exercise has four stages:

  • Stage 1 — Know Your Environment: Read your organization's briefing and identify the key facts that drive compliance decisions.
  • Stage 2 — Select Your Baseline: Choose the NIST document that applies to your organization.
  • Stage 3 — Baseline Lookup: Given six controls from NIST 800-53, consult your baseline document and determine which are part of the baseline.
  • Stage 4 — Demonstrate Your Controls: Explain how you would show that selected controls are working.

To begin: enter your name and salt above, select a scenario, then click Begin.
Your instructor will tell you which scenario to use. If no scenario is assigned, select one yourself.

Organization Briefing

Stage 1 — Extract Key Facts

Read the briefing above and answer the following questions. Select one answer per question, then click Submit.

Stage 2 — Select Your Baseline Document

Stage 2.5 — FIPS 199 System Categorization

Federal agencies must categorize their systems using FIPS 199 before selecting a control baseline. Assign an impact level (Low, Moderate, or High) for each security objective, then click Submit.

Stage 3 — Baseline Lookup

Stage 4 — Demonstrate Your Controls

For each control below, select how you would demonstrate that it is working. Choose the best answer, then click Submit.

Scenario Complete — Summary Report