ABSTRACT

Through the tasks associated with security control implementation, the organization incorporates the controls identified and approved as part of the security plan into the functional and technical requirements identified for the system and its overall design. In considering the implementation tasks, we need to remember that there are three major categories of security controls: managerial, technical, and operational. The NIST RMF identifies just two tasks associated with implementation: security control implementation and security control documentation. However, on reviewing Figure 5.1, you may conclude that the implementation step of the NIST RMF places a greater degree of weight on the implementation of technical and operational controls, without much consideration of the managerial controls that also require implementation in order to adequately mitigate all forms of cybersecurity risk. In this chapter, we discuss the tasks that are necessary for implementing all three control categories. We do so by first exploring the implementation of operational and technical controls from the system perspective, and then looking at the larger scope of control implementation from the management perspective.