U.S. Department of Health and Human Services
A system’s set of baseline security controls (low, moderate, or high), required by NIST SP 800-53 Revision 3: Recommended Security Controls for Federal Information Systems, corresponds to the system’s security category, which is determined using FIPS 199: Standards for Security Categorization of Federal Information and Information Systems.
The minimal set of security controls may be augmented or refined, as necessary, throughout the EPLC. All planned and implemented security controls are documented within the SSP.
Furthermore, after assessing risk to the system, additional controls may be necessary to lower the risk to the system to an acceptable level. A Risk Assessment profiles a system’s security risk and provides the rationale for any supplemental controls necessary.
Development Phase Security
Security Control Selection & Refinement