Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)

CNSSI 1253 overview

The Committee on National Security Systems Instruction No. 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, provides all federal government departments, agencies, bureaus, and offices with guidance for the security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information. NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, provides NSS definitions.

CNSSI 1253 builds on NIST SP 800-53, which provides the control baseline for the Azure Government FedRAMP High authorization. There are, however, some key differences between CNSSI 1253 and NIST SP 800-53: CNSSI 1253 explicitly defines the associations of Confidentiality, Integrity, and Availability to security controls, and it refines the use of security control overlays for the national security community.

NSS are categorized using separate Low, Medium, and High categorization for each of the security objectives (Confidentiality, Integrity, and Availability), resulting in categorizations such as “Moderate-Moderate-Low”, “Moderate-Moderate-High”, etc. CNSSI 1253 then provides the appropriate security baselines for each of the possible system categorizations using controls from NIST SP 800-53.

Azure and CNSSI 1253

To assist customers who require support for the CNSSI 1253 High-High-High baseline, Azure Government has been validated by a FedRAMP-accredited independent third-party assessment organization (3PAO). The resulting Security Assessment Plan documents the testing conducted to validate Azure Government against a selection of CNSSI 1253 security controls for systems requiring High Confidentiality, High Integrity, and High Availability.

Azure Government maintains a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the Joint Authorization Board (JAB), and a Department of Defense Provisional Authorization (PA) at Impact Level 5 of the Cloud Computing Security Requirements Guide (SRG). Using these authorizations, the 3PAO performed an analysis on the security controls that have already been tested to determine which additional CNSSI 1253 security controls needed to be assessed to ensure compliance with the CNSSI 1253 High-High-High baseline. The 3PAO examined evidence and conducted interviews to validate the successful implementation of additional applicable security controls, and published the results of its complete testing in the CNSSI 1253 Security Assessment Report (SAR).

Applicability

  • Azure Government

Services in scope

  • Azure services in scope for CNSSI 1253 reflect Azure Government FedRAMP High scope.

Attestation documents

You can access audit reports and certificates in the Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using the following direct link (login required):

The following documents are available:

  • Azure Government - Attestation of Compliance with CNSSI 1253

You must have an existing Azure Government subscription or free Azure Government trial account to download the attestation of compliance with CNSSI 1253, which provides a 3PAO assessment of Azure Government compliance with the CNSSI 1253 High-High-High baseline.

Frequently asked questions

To whom does CNSSI 1253 apply?
Customers with National Security Systems (NSS) must comply with CNSSI 1253 requirements and controls.

Which Azure environments have been tested against CNSSI 1253 security controls?
Azure Government has been validated for compliance with CNSSI 1253 controls.

Where can I get the Azure CNSSI 1253 attestation documents?
For links to audit documentation, see Attestation documents. You must have an existing Azure Government subscription or free Azure Government trial account to log in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Resources