Control Correlation Identifiers (CCIs) are standard identifiers and descriptions for actionable statements within an information assurance (IA) control or best practice, used as bridges between high level policy expressions and technical implementations found in audit files. They allow organizations to quickly locate any failed audit check configurations requiring remediation.
What is a CCI?
One of the more recent advancements in information security is the creation of CCIs (Control Control Indicators). A CCI provides an identifier and description for individual statements comprising controls or best practices that make up a control or best practice, thus simplifying compliance reporting processes. These identifiers act as intermediaries between statements made in policy documents and security settings that need to be assessed to assess compliance with those policies. CCIs may be used to represent multiple audit checks that identify whether security-relevant information in an information system can be accessed outside secure operating system states, as well as represent one configuration check within an OS. By using CCIs for compliance assessment results when comparing multiple technologies, compliance assessment results become much simpler to collate.
CCI Nomenclature
The CCI is a technical indicator similar to other momentum indicators that helps traders detect price reversals and extremes quickly and reliably, acting in concert with other elements in conducting technical assessments. Aside from CCI itself, trending indicators and price charts play an integral role.
CCIs are unbounded oscillators, meaning their levels do not occupy a defined range, making interpretation subjective and distinguishing when securities have been overbought or oversold can be challenging without additional price analysis tools.
When the CCI moves above +100, this could indicate the start of a new uptrend and may signal it is time for investors to purchase shares. Conversely, when it dips below -100 it could indicate that a downtrend has begun and thus selling would be appropriate.
CCI measures the ratio between positive prices and negative ones by dividing current positive price by previous negative price; typically, as more time passes between calculations of CCI values above and below zero increases accordingly.
Like its technical indicator counterparts such as stochastic oscillator, CCI does not bind itself to any specific level. Therefore it can give different buy and sell signals than others and traders use it to identify overbought or oversold conditions when combined with price analysis tools or momentum indicators like Bollinger Bands.
As part of DISA’s successful CCI initiative, references are now included in multiple Security Technical Implementation Guides (STIGs). This helps streamline risk-based configuration management processes.
In the past, many STIGS included references to CCI lists but these weren’t always linked directly to technical controls. CCI lists provide a standard identifier and description for every actionable statement within a security control or best practice; their existence acts as an intermediary between high-level policy expressions and technical implementations; helping ensure that any one control was implemented as planned while adhering to security policies.
CCI Controls
Defense Information Systems Agency (DISA) organizations must have all their systems securely configured. To assist this effort, our plugin for NIST 800-53 Version 4 contains indicators showing failed audit checks with CCI cross-references that help DISA users ensure compliance. See this example as proof!
This indicator displays the number of hosts with noncompliant configuration for the selected plugin.
CCI Enhancements
The Control Configuration Inventory List provides a standard identifier and description for “singular, actionable statements that compose a security control or best practice.” It serves as an intermediary between high level policies documents and individual configuration settings that need to be evaluated to assess compliance with compliance guidelines.
CCI can be an invaluable asset to those managing information systems that must pass audits and satisfy requirements set forth by Risk Management Framework (RMF). DISA Security Technical Implementation Guides have already started including references to CCI for audit checks they identify, automating some of the work involved with assessing compliance with RMF.
CCIs use parentheses when they refer to controls; when used without parentheses they’re called controls. Controls typically utilize periods or dots (e.g. AC-2(1).1). Furthermore, when it comes time to assess an individual system for compliance evaluation all its controls and CCIs must comply. Otherwise this could prove confusing; an assessment will only consider it compliant if all its CCIs and controls do comply.