Baseline Tailor


A better way to build on the NIST framework

Joshua Lubell, a computer scientist at the National Institute of Standards and Technology, was getting tired of toggling back and forth between the agency’s Cybersecurity Framework and Special Publication 800-53 as he worked on the Cybersecurity for Smart Manufacturing Systems project. To make the technical documents easier to apply, he created Baseline Tailor, an application that lets users reference the framework to determine the desired security posture and then tailor a subset of the SP 800-53 security controls to achieve it.

2017 Dig IT Awards cybersecurity finalists

APE: Novel Intrusion Prevention for Android
Department of Homeland Security

Baseline Tailor
National Institute of Standards and Technology, Department of Commerce

Continuous Diagnostics and Mitigation Program

Derived PIV Credentials for Mobile Devices
Federal Emergency Management Agency, DHS

Security Accreditation in the C2S Isolated Cloud Region
Intelligence Community


“The Cybersecurity Framework has this top-down organization where there are these five principal cybersecurity activities and then outcomes based on those activities and then sub-outcomes based on those outcomes,” Lubell said. “And then at the bottom of the hierarchy are these pointers to other sources of guidance, one of which is the 800-53 security control catalog.”

He added that “what we needed to do was relate that top-down hierarchy with the more bottom-up organization of 800-53, which has this comprehensive catalog of security controls. There are hundreds of them, and each control can be tailored according to a methodology that’s spelled out in 800-53.”

Baseline Tailor users start by clicking on the Cyber Framework tab in the graphical user interface and choosing a function and its subcategories. That process reveals the related SP 800-53 security controls. To tailor them, users click the needle and thread icon, which brings up the Security Control Editor tab. From there, users can set the baseline impact of the control at low, moderate or high.

“Then it builds this XML representation for you, and then you can take that XML representation and use it elsewhere,” Lubell said.

Other agencies are taking note. NASA is using the tool for its Space Apps Challenge, and more are likely to follow suit now that President Donald Trump’s cybersecurity executive order mandates that federal civilian agencies use the framework in conjunction with SP 800-53.

“I would expect that at least some people are going to want to use Baseline Tailor to do this,” Lubell said.

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.
