Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
CNSSI 1253 overview
The Committee on National Security Systems Instruction No. 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, provides all federal government departments, agencies, bureaus, and offices with a guidance for security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information. The National Institute of Standards and Technology (NIST) SP 800-59 Guideline for Identifying an Information System as a National Security System provides NSS definitions.
The CNSSI 1253 builds on the National Institute of Standards and Technology (NIST) SP 800-53, which provides the control baseline for Azure Government FedRAMP High authorization. However, there are some key differences between the CNSSI 1253 and NIST SP 800-53, including the approach adopted by the CNSSI 1253 to define explicitly the associations of Confidentiality, Integrity, and Availability to security controls, and to refine the use of security control overlays for the national security community.
NSS are categorized using separate Low, Medium, and High categorization for each of the security objectives (Confidentiality, Integrity, and Availability). This approach results in categorizations such as “Moderate-Moderate-Low”, “Moderate-Moderate-High”, and so on. CNSSI 1253 then provides the appropriate security baselines for each of the possible system categorizations using controls from NIST SP 800-53.
Azure and CNSSI 1253
To help you with your own CNSSI 1253 High-High-High baseline requirements, Azure Government has been validated by a FedRAMP-accredited independent third-party assessment organization (3PAO). The resulting Security Assessment Plan documents the testing conducted to validate Azure Government against a selection of CNSSI 1253 security controls for systems requiring High Confidentiality, High Integrity, and High Availability.
Azure Government maintains:
- FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) provisional authorization (PA) issued by the Defense Information Systems Agency (DISA)
Using these authorizations, the 3PAO performed an analysis of the security controls that have already been tested to determine which additional CNSSI 1253 security controls needed to be assessed to ensure compliance with the CNSSI 1253 High-High-High baseline. The 3PAO examined evidence and conducted interviews to validate the successful implementation of additional applicable security controls, and published the results of its complete testing in the CNSSI 1253 Security Assessment Report (SAR).
- Azure Government
Services in scope
- Azure services in scope for CNSSI 1253 reflect Azure Government FedRAMP High scope.
For instructions on how to access attestation documents using the Azure or Azure Government portal, see Audit documentation. The following document is available from the Azure Government portal:
- Azure Government – Attestation of Compliance with CNSSI 1253
The attestation of compliance with CNSSI 1253, which provides a 3PAO assessment of Azure Government compliance with the CNSSI 1253 High-High-High baseline.
How to implement
- Azure Government documentation provides tutorials and how-to guides to help you deploy and manage services using Azure Government.
Frequently asked questions
To whom does CNSSI 1253 apply? Customers with National Security Systems (NSS) must comply with CNSSI 1253 requirements and controls.
Which Azure environments have been tested against CNSSI 1253 security controls? Azure Government has been validated for compliance with CNSSI 1253 controls.
Where can I get the Azure CNSSI 1253 attestation documents? For links to audit documentation, see Attestation documents. You must have an existing Azure Government subscription or free Azure Government trial account to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- What is Azure Government?
- Explore Azure Government
- Microsoft for defense and intelligence
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System