Can NIST prioritize its recommended security controls to establish which controls agencies should deploy first?
Prioritizing security controls in the baselines recommended by NIST would place emphasis on selected security controls at the expense of other, equally important controls. In addition, publicly prioritizing baseline security requirements and controls would give threat agents and adversaries important information, which would damage federal agencies by giving visibility into their protection strategies. The approach recommended by NIST, centered around the Risk Management Framework, provides federal agencies with a disciplined, structured, and flexible process to select appropriate security controls for their information systems, a methodology to determine the effectiveness of those controls, and visibility into the residual risks to the organization's operations and assets, individuals, other organizations (partnering with the organization), and the Nation. The deployment of security controls uses a defense-in-depth approach which combines management, operational,