Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)

CNSSI 1253 overview

The Committee on National Security Systems Instruction No. 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, provides all federal government departments, agencies, bureaus, and offices with a guidance for security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information. The National Institute of Standards and Technology (NIST) SP 800-59 Guideline for Identifying an Information System as a National Security System provides NSS definitions.

CNSSI 1253 builds on the National Institute of Standards and Technology (NIST) SP 800-53, which provides the control baseline for Azure Government FedRAMP High authorization. However, there are some key differences between CNSSI 1253 and NIST SP 800-53, including the approach adopted by CNSSI 1253 to define explicitly the associations of Confidentiality, Integrity, and Availability to security controls, and to refine the use of security control overlays for the national security community.

NSS are categorized using separate Low, Medium, and High categorization for each of the security objectives (Confidentiality, Integrity, and Availability). This approach results in categorizations such as “Moderate-Moderate-Low”, “Moderate-Moderate-High”, and so on. CNSSI 1253 then provides the appropriate security baselines for each of the possible system categorizations using controls from NIST SP 800-53.

Azure and CNSSI 1253

To help you with your own CNSSI 1253 High-High-High baseline requirements, Azure Government has been validated by a FedRAMP-accredited independent third-party assessment organization (3PAO). The resulting Security Assessment Plan documents the testing conducted to validate Azure Government against a selection of CNSSI 1253 security controls for systems requiring High Confidentiality, High Integrity, and High Availability.

Azure Government maintains:

  • FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) provisional authorization (PA) issued by the Defense Information Systems Agency (DISA)

Using these authorizations, the 3PAO performed an analysis of the security controls that have already been tested to determine which additional CNSSI 1253 security controls needed to be assessed to ensure compliance with the CNSSI 1253 High-High-High baseline. The 3PAO examined evidence and conducted interviews to validate the successful implementation of additional applicable security controls, and published the results of its complete testing in the CNSSI 1253 Security Assessment Report (SAR).

Applicability

  • Azure Government

Services in scope

  • Azure services in scope CNSSI 1253 reflect the Azure Government FedRAMP High P-ATO scope. For more information, see Cloud services in audit scope.

Attestation documents

For instructions on how to access attestation documents, see Audit documentation. The following attestation letter is available from the Service Trust Portal (STP) United States Government section:

  • Azure Government – Attestation of Compliance with CNSSI 1253

The attestation of compliance with CNSSI 1253 provides a 3PAO assessment of Azure Government compliance with the CNSSI 1253 High-High-High baseline.

How to implement

Frequently asked questions

To whom does CNSSI 1253 apply?
Customers with National Security Systems (NSS) must comply with CNSSI 1253 requirements and controls.

Which Azure environments have been tested against CNSSI 1253 security controls?
Azure Government has been validated for compliance with CNSSI 1253 controls.

Where can I get the Azure CNSSI 1253 attestation documents?
For links to audit documentation, see Attestation documents.

Resources