Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)

CNSSI 1253 overview

The Committee on National Security Systems Instruction No. 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, provides all federal government departments, agencies, bureaus, and offices with guidance for the security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information. The National Institute of Standards and Technology (NIST) SP 800-59, Guideline for Identifying an Information System as a National Security System, provides NSS definitions.

CNSSI 1253 builds on NIST SP 800-53, which provides the control baseline for Azure Government FedRAMP High authorization. However, there are some key differences between CNSSI 1253 and NIST SP 800-53: CNSSI 1253 explicitly defines the associations of Confidentiality, Integrity, and Availability to security controls, and it refines the use of security control overlays for the national security community.

NSS are categorized using separate Low, Medium, and High categorization for each of the security objectives (Confidentiality, Integrity, and Availability). This approach results in categorizations such as “Moderate-Moderate-Low”, “Moderate-Moderate-High”, and so on. CNSSI 1253 then provides the appropriate security baselines for each of the possible system categorizations using controls from NIST SP 800-53.

Azure and CNSSI 1253

To help you with your own CNSSI 1253 High-High-High baseline requirements, Azure Government has been validated by a FedRAMP-accredited independent third-party assessment organization (3PAO). The resulting Security Assessment Plan documents the testing conducted to validate Azure Government against a selection of CNSSI 1253 security controls for systems requiring High Confidentiality, High Integrity, and High Availability.

Azure Government maintains:

  • FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) provisional authorization (PA) issued by the Defense Information Systems Agency (DISA)

Using these authorizations, the 3PAO performed an analysis of the security controls that have already been tested to determine which additional CNSSI 1253 security controls needed to be assessed to ensure compliance with the CNSSI 1253 High-High-High baseline. The 3PAO examined evidence and conducted interviews to validate the successful implementation of additional applicable security controls, and published the results of its complete testing in the CNSSI 1253 Security Assessment Report (SAR).

Applicability

  • Azure Government

Services in scope

  • Azure services in scope for CNSSI 1253 reflect Azure Government FedRAMP High scope.

Attestation documents

You can access audit reports and certificates in the Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports or using the following direct link (sign in required):

The following documents are available:

  • Azure Government – Attestation of Compliance with CNSSI 1253

You must have an existing Azure Government subscription or free Azure Government trial account to download the attestation of compliance with CNSSI 1253, which provides a 3PAO assessment of Azure Government compliance with the CNSSI 1253 High-High-High baseline.

Frequently asked questions

To whom does CNSSI 1253 apply?
Customers with National Security Systems (NSS) must comply with CNSSI 1253 requirements and controls.

Which Azure environments have been tested against CNSSI 1253 security controls?
Azure Government has been validated for compliance with CNSSI 1253 controls.

Where can I get the Azure CNSSI 1253 attestation documents?
For links to audit documentation, see Attestation documents. You must have an existing Azure Government subscription or free Azure Government trial account to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
