ISC2 Governance, Risk and Compliance (CGRC) Practice Question

A municipal water utility is selecting NIST SP 800-53 moderate-impact controls for a new SCADA system but realizes extra safety and availability requirements apply to industrial control environments. Per NIST, how should the team address these needs without altering the system's impact level?

Replace the moderate baseline entirely with the high-impact baseline but note that the impact level remains moderate.
Apply the industrial control system overlay to the moderate baseline and document the tailoring in the SSP.
Re-categorize the system as high-impact so the high baseline automatically covers any additional needs.
Keep the moderate baseline unchanged and record the unique ICS risks as accepted in the risk register.

Report Issue

Answer Description

NIST defines an overlay as a set of security-control specifications that tailors a baseline to unique technology, environmental, or mission needs-including industrial control systems-by adding, refining, or removing controls. Applying the ICS overlay (documented in NIST's industrial control system overlay publications) augments the moderate baseline with safety and operational-technology protections while leaving the original impact categorization intact. Re-categorizing to high impact or swapping in the high baseline would change the impact level or introduce unnecessary controls, and simply accepting the risks would ignore NIST's requirement to tailor baselines to address known gaps.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.