MITRE DEFEND mapping to NIST 800-53 rev 5

[mlysaght2017]

@jared-lambert @eddie-knight @robmoffat - another mitre-nist mapping:

https://d3fend.mitre.org/mappings/nist/5/

[iMichaela]

It is important to use this mapping with care. The mapping of a control enhancement like AC-02(1) without the basic control AC-02 makes no sense in the context of a system since AC-02(1) cannot be implemented without implementing first AC-02. A very large number of 800-53 controls listed in this mapping are enhancements.

All latest 800-53 rev 5.1.1 controls can be found here, presented in a human-friendly format

So to implement AC-02(1) that reads:
~ ~ ~
AC-02(01): AUTOMATED SYSTEM ACCOUNT MANAGEMENT

SP 800-53 Control Enhancement
SP 800-53A Assessment Procedure
Both

Control Statement
Support the management of system accounts using [Assignment: organization-defined automated mechanisms]

Discussion:
Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.
~ ~ ~

you will need first AC-02: ACCOUNT MANAGEMENT

~ ~ ~

Control Statement
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time period] when accounts are no longer required;
2. [Assignment: organization-defined time period] when users are terminated or transferred; and
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
~ ~ ~

[netfl0]

We struggled mapping to the broader category as you suggest because D3FEND operates at an engineering level.

The control statement and its "sub-bullets", a.- .l, intermix processes, technical controls, and good ideas. It is difficult to specify which system components some of these things apply to, at an engineering level. Thus, some of these things are difficult to 'action' and understand implementation "sufficiency".

We're happy to discuss and collaborate on this further!

[iMichaela]

In my humble opinion and per my past experience, this kind of mapping can only be done at the implementation layer (per CSP technology/implementation). And Peter and I discussed it in the past outside of this effort. Fancy meeting you her, Peter :)

[damienjburks]

@mlysaght2017 - are we okay to close this out?