Art Clomera,
Vice President, Operations
Ensuring the security of information systems is a complex but necessary task that virtually every modern organization must undertake to some degree. One effective method of tackling information system security is to use the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST). Though this framework walks an organization through the critical steps of establishing controls to mitigate information system risks, it does not directly prescribe which controls should be used to mitigate those risks. This is where NIST’s Special Publication 800-53 (also referred to as NIST 800-53) comes in. NIST 800-53 is a catalog published by NIST that provides security and privacy controls to mitigate risks to information systems. In this article we’ll describe why NIST 800-53 is important, explore the control families outlined in NIST 800-53, and illustrate how federal agencies can leverage this catalog to protect their information systems.
What is NIST 800-53?
NIST 800-53 is a catalog of security and privacy controls whose purpose is to protect information systems. This catalog is published by NIST, and all U.S. federal information systems (aside from those related to national security) are required to comply with NIST standards and guidelines. NIST 800-53 works with the NIST RMF (NIST SP 800-37 Rev. 2) to support the steps in the process pertaining to the selection of initial baseline security controls, the tailoring of baseline security controls to specific risks, and the supplementing of security controls based on NIST risk assessments.
Who is NIST 800-53 Mandatory for?
In accordance with the provisions of the Federal Information Security Modernization Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, all U.S. federal information systems must comply with NIST security standards and guidelines (including NIST 800-53). The only exception is information systems that have been designated as national security systems (NSS), which are governed by Committee on National Security Systems (CNSS) Instruction No. 1253. CNSS 1253 is a companion document to NIST SP 800-53. Therefore, NIST 800-53 is mandatory for federal information systems and NSS. NIST 800-171 mandates the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations. NIST 800-171 security requirements are derived primarily from the security controls in NIST 800-53. NIST 800-53 Rev. 5 removed the term “federal” from the controls, as an indication that they may be utilized by non-federal organizations. The clear direction forward is that NIST 800-53 will be mandatory for any organization or system that processes, stores, and/or transmits CUI or provides protection for such components.
4 Reasons Why NIST 800-53 Matters
Aside from mandatory compliance for federal organizations, there are a number of additional benefits to complying with NIST 800-53 that make it an attractive standard for information system security. In light of these benefits, even non-federal organizations may consider voluntarily complying with NIST 800-53 to secure their information systems. Below are 4 of the main benefits to any organization that utilizes NIST 800-53 in securing its information systems:
1. Increase Information System Security
Increasing the security of information systems and organizations is the most obvious benefit of utilizing NIST 800-53. This increase in security protects organizations’ operations and assets, individuals, other organizations, and the Nation from a diverse set of security threats and risks. A key step in the NIST RMF is the “Select” step, which selects controls to mitigate risks that were identified and categorized in previous steps. Leveraging the NIST 800-53 catalog in this step provides not only robust baseline controls but also the ability to supplement and tailor those controls to meet specific organizational needs. The controls outlined in the catalog are proven through practice, and proper implementation will undoubtedly improve the security of an organization’s information systems.
2. Save Time and Resources
Mitigating risks to information systems is not a trivial task. Designing, implementing, and monitoring the RMF process requires dedicated resources both for initial setup and for ongoing maintenance and support. There may be a variety of methods available to mitigate a given risk, which can make selecting effective and efficient controls a significant challenge. By consulting the NIST 800-53 catalog, an organization can utilize predefined profiles, reciprocity from similar systems and assets, and advice from authorizing officials (AOs) when tailoring the controls to the organization’s risk tolerance. This ultimately saves time not only in the control selection process but also by reducing the potential re-work required during the assessment and continuous monitoring phases.
3. Work towards FISMA Compliance
Beyond the primary benefit of securing information systems and organizations, a well-implemented RMF process can also increase customer confidence in working with an organization. Additionally, as FISMA compliance is a U.S. federal requirement, it follows that federal organizations, as well as non-federal organizations that wish to do business with federal agencies, must also comply with all relevant FISMA requirements in accordance with NIST 800-171. One of the requirements for FISMA compliance is that security controls must be implemented in accordance with NIST 800-53. Therefore, by following NIST 800-53 to secure its information systems, an organization is proactively working towards FISMA and NIST 800-171 compliance.
4. Trustworthy and Updated Source
The tools and processes used in modern information systems change quickly as technology advances, and the risks to information systems change with them. Keeping up with the latest risks and associated control strategies is a challenging task. By utilizing NIST 800-53, an organization can leverage well-thought-out controls from a trustworthy source. Additionally, the NIST 800-53 catalog and profiles are regularly updated; the catalog is currently on its 5th revision. These updates ensure the controls an organization implements are well suited to tackle current risks.
NIST 800-53 Security Controls and Control Families
NIST 800-53 organizes the security and privacy controls in the catalog into groups by topic or type of control strategy. There are a total of 20 groups, or “families”, in the current catalog version (Rev. 5). This is an increase of 3 families (PM, PT, and SR) from the 17 families in Rev. 4. The new control families are highlighted below in bold. Each family includes base controls along with potential enhancements to those base controls. Table 1 shows the family ID, family name, and a few examples of the controls found within each family. Note that the examples shown in the table are just a few of the controls found within the families, as the catalog contains over 1100 controls (including base controls and control enhancements).
| ID | Family Name | Examples |
|---|---|---|
| AC | Access Control | Policy and Procedures, Account Management, Access Enforcement |
| AT | Awareness and Training | Literacy Training and Awareness, Role-based Training |
| AU | Audit and Accountability | Event Logging, Audit Record Review, Analysis, and Reporting |
| CA | Assessment, Authorization, and Monitoring | Control Assessments, Information Exchange, Continuous Monitoring |
| CM | Configuration Management | Baseline Configuration, Configuration Change Control |
| CP | Contingency Planning | Contingency Training, Alternate Storage Site, System Recovery and Reconstitution |
| IA | Identification and Authentication | Identifier Management, Cryptographic Module Authentication |
| IR | Incident Response | Incident Response Training, Incident Handling, Incident Response Assistance |
| MA | Maintenance | Controlled Maintenance, Maintenance Tools, Timely Maintenance |
| MP | Media Protection | Media Access, Media Storage, Media Downgrading |
| PE | Physical and Environmental Protection | Physical Access Control, Access Control for Transmission, Monitoring Physical Access |
| PL | Planning | System Security and Privacy Plans, Rules of Behavior, Concept of Operations |
| **PM** | **Program Management** | Plan of Action and Milestones Process, System Inventory, Measures of Performance |
| PS | Personnel Security | Position Risk Designation, Personnel Screening, Personnel Transfer |
| **PT** | **PII Processing and Transparency** | Personally Identifiable Information Processing Purposes, Consent |
| RA | Risk Assessment | Security Categorization, Risk Assessment, Vulnerability Monitoring and Scanning |
| SA | System and Services Acquisition | Allocation of Resources, Acquisition Process, System Documentation |
| SC | System and Communications Protection | Separation of System and User Functionality, Security Function Isolation, Boundary Protection |
| SI | System and Information Integrity | Flaw Remediation, Malicious Code Protection, System Monitoring |
| **SR** | **Supply Chain Risk Management** | Supply Chain Controls and Processes, Provenance, Notification Agreements |
Make Smarter Cybersecurity Decisions with IPKeys Technologies
IPKeys Technologies can improve your cybersecurity programs with our innovative products and services, all designed to help you defeat modern cybersecurity threats. Our core competencies are developed under DoD-specific NIST Cybersecurity Risk Management Framework guidance. Cyber-Lab-as-a-Service (CLaaS) is our unified, AI-fueled RMF automation analytics and reporting platform that will help you make better cybersecurity decisions while staying NIST compliant.