Control Applicability & Compliance Scoping

The guidance on this page contains two (2) topics of significant concern for Governance, Risk & Compliance (GRC) operations:

  1. Determining control applicability; and
  2. Defining the scope of cybersecurity controls (e.g., assessment boundary).

How Do You Define Control Applicability?

Control applicability needs to be addressed in a rational manner where cybersecurity and data protection controls should primariy apply to one (1) of the following five (5) functions:

  1. People - The control directly applies to humans (e.g., training, background checks, non-disclosure agreements, etc.);
  2. Processes - The control directly applies to administrative work performed (e.g., processes, procedures, administrative documentation, etc.);
  3. Technologies - The control directly applies to systems, applications and services (e.g., secure baseline configurations, patching, etc.);
  4. Data - The control directly applies to data protection (e.g., encrypting sensitive and/or regulated data, applying metatags, etc.); and
  5. Facilities - The control directly applies to infrastructure assets (e.g., physical access, HVAC systems, visitor control, etc.).

cybersecurity control applicability

People, Processes, Technologies, Data & Facilities (PPTDF)

While the importance of robust cybersecurity controls cannot be overstated, the applicability of those controls is sometimes in question. These examples help demonstrate the applicable nature of controls:

  • An employee (people) cannot have a secure baseline configuration applied;
  • An Incident Response Plan (IRP) (process) cannot sign a NDA, use MFA or be patched;
  • You cannot apply end user training to a firewall (technology);
  • Controlled Unclassified Information (CUI) (data) cannot be assigned roles and responsibilities; and
  • Your data center (facility) cannot undergo employee background screening.

The PPTDF model, encompassing People, Processes, Technology, Data and Facilities, provides a comprehensive approach to cybersecurity control applicability, as described in greater detail below:

Cybersecurity Control Applicability: People

People are often considered the weakest link in cybersecurity. Human error, negligence, or malicious intent can lead to significant vulnerabilities. To mitigate these risks, organizations implement human-specific controls such as:

  • Security Awareness Training: Educating employees about cybersecurity best practices and potential threats;
  • Access Controls: Enforcing the principle of least privilege to restrict access based on job roles; and
  • User Authentication and Authorization: Implementing strong authentication mechanisms and carefully managing user permissions.

Cybersecurity Control Applicability: Processes

Effective cybersecurity processes are essential for identifying, responding to, and mitigating threats. Common processes that exist as controls include:

  • Incident Response Plans: Establishing well-defined processes to respond promptly and effectively to security incidents;
  • Regular Audits and Assessments: Conducting periodic assessments to identify vulnerabilities and measure compliance with security policies; and
  • Change Management: Implementing controls to manage changes in technology and processes to avoid unintended security consequences.

Cybersecurity Control Applicability: Technologies

The technological aspect of cybersecurity involves deploying and configuring tools to protect against threats. Common technologies that exist as controls include:

  • Network Defenses: Filtering and monitoring network traffic to prevent unauthorized access (e.g., firewalls, Intrusion Protection Systems (IPS), Data Loss Prevention (DLP), etc.);
  • Endpoint Protection: Installing antimalware software, Endpoint Detection and Response (EDR) tools to secure individual devices, etc.; and
  • Encryption: Safeguarding data in transit and at rest through robust encryption mechanisms.

Cybersecurity Control Applicability: Data

Data is at the heart of the PPTDF model, making data protection truly the central focus of cybersecurity controls. There are many types of data that are considered sensitive/regulated that include, but are not limited to:

  • Controlled Unclassified Information (CUI);
  • Federal Contract Information (FCI);
  • Personally Identifiable Information (PII);
  • Cardholder Data (CHD);
  • Export-Controlled Data (ITAR / EAR);
  • Electronic Protected Health Information (ePHI);
  • Intellectual Property (IP);
  • Critical Infrastructure Information (CII);
  • Attorney-Client Privilege Information (ACPI); and
  • Student Educational Records (FERPA).

These data types have specific controls that are dictated by applicable laws, regulations or contractual obligations and include:

  • Data Classification: Data must be categorized to apply the appropriate security measures;
  • Limited Access: Data must be protected by limiting logical and physical access to data to individuals and systems that have a legitimate business need;
  • Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) Data: Data must be trustworthy, based on the data's currency, accuracy, integrity and/or applicability; and
  • Availability: Data must be available, which involves regularly backing up data and establishing effective data recovery mechanisms that protects the integrity and confidentiality of the data being backed up and recovered.

Cybersecurity Control Applicability: Facilities

Physical security is often overlooked but plays a crucial role in overall cybersecurity and data protection. Common physical controls include:

  • Physical Access Control (PAC): Restricting physical access to any facility where systems or data exist. PAC exists in more than datacenters and corporate offices. The concept of PAC extends to home offices and Work From Anywhere (WFA) workers who still have an obligation to apply physical security protections to their systems and data;
  • Surveillance Systems: Monitoring and recording activities within facilities to detect and deter unauthorized access; and
  • Environmental Controls: Maintaining optimal conditions for hardware to prevent damage or disruptions.

The PPTDF model shows that a multi-faceted approach to control applicability is indispensable, where it can create a resilient defense against a myriad of physical and cyber threats. A proactive stance in implementing and refining these controls will be crucial in securing the ever-expanding digital frontier.

How Do You Scope An Assesment Boundary For Cybersecurity Controls?

The Unified Scoping Guide (USG) is a free resource that is intended to help organizations define the scope of the sensitive data where it is stored, transmitted and/or processed. This guide will refer to both sensitive and regulated data as “sensitive data” to simplify the concept this document is focused on. This model categorizes system components according to several factors:

  • Whether sensitive data is being stored, processed or transmitted;
  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and
  • The connectivity between the system and the sensitive data environment.

Unified Scoping Guide (USG)

This is an evolution of the CUI Scoping Guide that ComplianceForge previously published. This new version is updated to reflect the DoD's CMMC 2.0 Level 2 Scoping Guidance that includes Controlled Unclassified Information (CUIscoping considerations, but expands on the model to address a broader category of sensitive and regulated data. This document can be used to help companies define what is in scope to comply with NIST SP 800-171 and appropriately prepare for a CMMC assessment, since a significant step towards becoming NIST SP 800-171 compliant and being able to pass a CMMC assessment is understanding the scope of the CUI environment.

The USG is intended to help organizations define the scope of the sensitive data where it is stored, transmitted and/or processed. This guide refers to both sensitive and regulated data as “sensitive data” to simplify the concept this document is focused on.

Unified Scoping Guide (USG) Zone-Based Approach To Implementing Data-Centric Security

When viewing scoping, there are nine (9) zones for sensitive data compliance purpose.

Unified Scoping Guide (USG) - sensitive and regulated data CUI scoping guide

  1. Sensitive Data Assets: The first zone contains systems, services and applications that directly store, transmit and/or process sensitive data.
  2. Segmenting: The second zone contains “segmenting systems” that provide access (e.g., firewall, hypervisors, etc.).
  3. Security Tools: The third zone contains “security tools” that directly impact the integrity of category 1 and 2 assets (e.g., Active Directory, centralized antimalware, vulnerability scanners, IPS/IDS, etc.).
  4. Connected. The fourth zone contains connected systems. These are systems, embedded technologies, applications or services that have some direct or indirect connection into the sensitive data environment. Systems, embedded technologies, applications and services that may impact the security of (for example, name resolution or web redirection servers) the sensitive data environment are always in scope. Essentially, it something can impact the security of sensitive data, it is in scope.
  5. Out-of-Scope. The fifth zone contains out-of-scope systems that are completely isolated from the sensitive data systems.
  6. Enterprise-Wide. The sixth zone addresses the organization’s overall corporate security program (cyber and physical).
  7. External Service Provider. The seventh zone addresses supply-chain security with the “flow down” of contractual requirements to External Service Providers (ESPs) that can directly or indirectly influence the sensitive data environment. ESPs are third-party organizations that provide services to the organizations.
  8. Subcontractors. The eighth zone addresses subcontractors, which are third-party organizations that are party to the actual execution of the contract where the subcontractor may create, access, receive, store and/or transmit regulated data (sensitive data).
  9. Cloud Service Provider. The nineth zone addresses CSPs, which are a specialized form of ESP. An ESP is a CSP when it offers “cloud computing services” that enable ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction