CTO, Federal Services –
Ensuring the security of information systems is a complex but necessary task that virtually every modern organization must undertake to some degree or another. One effective method of tackling information system security is to use the Risk Management Framework (RMF) developed by the National Institute of Standard and Technology (NIST). Though this framework will help an organization walk through the critical steps in the process of establishing controls to mitigate information system risks, it does not directly instruct on what controls should be used to mitigate these risks. This is where NIST’s Special Publication 800-53 (also referred to as NIST 800-53) comes in. NIST 800-53 is a catalog published by NIST that provides security and privacy controls to mitigate risks to information systems. In this article we’ll describe why NIST 800-53 is important, explore the control systems outlined in NIST 800-53, and illustrate how federal agencies can leverage this catalog to protect their information systems.
What is NIST 800-53?
NIST 800-53 is a catalog of security and privacy controls with the purpose of protecting information systems. This catalog is published by NIST and all U.S federal information systems (aside from those related to national security) are required to be compliant with NIST standards and guidelines. NIST 800-53 works with the NIST RMF (NIST SP 800-37 rev 2) to support the steps in the process pertaining to the selection of initial baseline security controls, tailoring baseline security controls to specific risks, and supplementing security controls based on risk assessments.
Who is NIST 800-53 Mandatory for?
In accordance with the provisions of the Federal Information Security Modernization Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, all U.S. federal information systems must be compliant with NIST security standards and guidelines (including NIST 800-53). The only exception to this is information systems that have been designated as national security systems (NSS), which are governed by Committee on National Security Systems (CNSS) Instruction No. 1253. CNSS 1253 is a companion document to NIST SP 800-53. Therefore, NIST 800-53 is mandatory for federal information systems and NSS. NIST 800-171 mandates the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations. NIST 800-171 security requirements are derived primarily from the security controls in NIST 800-53. The NIST 800-53 Rev 5 regulations included the removal of the term “federal”, as an indication that these regulations may be utilized by non-federal organizations. The clear direction forward will be that NIST 800-53 will be mandatory for any organization or system that processes, stores, and/or transmits CUI or provides protection for such components.
4 Reasons Why NIST 800-53 Matters
Aside from mandatory compliance for federal organizations, there are a number of additional benefits to complying with NIST 800-53 that make it an attractive standard for information system security. In light of these benefits, even non-federal organizations may consider voluntarily complying with NIST 800-53 to secure their organization’s information systems. Below are 4 of the main benefits to any organization when utilizing NIST 800-53 in securing their information systems:
1. Increase Information System Security
Increasing the security of information systems and organizations is the most obvious benefit of utilizing NIST 800-53. This increase in security will protect organizations operations and assets, individuals, other organizations, and the Nation from diverse set of security threats and risks. A key step in the NIST RMF is the “Select” step, which selects controls to mitigate risks that were identified and categorized in previous steps. Leveraging the NIST 800-53 catalog in this step will not only provide robust baseline controls but the ability to supplement and tailor those controls to meet specific organizational needs. The controls outlined in the catalog are proven through practice, and proper implementation will undoubtedly improve the security of an organization’s information systems.
2. Save Time and Resources
Mitigating risks to information systems is not a trivial task. Designing, implementing, and monitoring the RMF process requires dedicated resources both for initial setup and ongoing maintenance and support. There may be a variety of methods available to mitigate a given risk, which can make selecting effective and efficient controls a significant challenge. By consulting the NIST 800-53 catalog, an organization can utilize predefined profiles, reciprocity from similar systems/assets and advise from
3. Work towards FISMA Compliance
Beyond the primary benefit of securing information systems and organizations, a well-implemented RMF process can also increase customer confidence in working with an organization. Additionally, as FISMA compliance is a U.S. federal requirement, it follows that federal organizations, as well as non-federal organizations that wish to do business with federal agencies, must also be compliant with all relevant FISMA requirements IAW NIST 800-171. One of the requirements for FISMA compliance is that security controls must be implemented in accordance with NIST 800-53. Therefore, by following NIST 800-53 for securing information systems, an organization is proactively working towards FISMA and NIST 800-171 compliance.
4. Trustworthy and Updated Source
The tools and processes used in modern information systems are quickly changing as technology advances. This rapid change also includes changing risks to information systems. Keeping up with the latest risks and associated control strategies is a challenging task. By utilizing NIST 800-53, an organization can leverage well-thought-out controls from a trustworthy source. Additionally, the NIST 800-53 catalog and profiles are regularly updated and is currently on its 5th revision. These updates ensure the controls an organization implements are well suited to tackle current risks.
NIST 800-53 Security Controls and Control Families
NIST 800-53 organizes the security and privacy controls outlined in the catalog into groups by relation to specific topics or the type of control strategy. There are a total of 20 groups or “families” in the current catalog version (Rev. 5). This is an increase of 3 groups (PM, PT, & SR) from 17 groups in Rev.4. The new control families are highlighted below in bold. These families include base controls along with potential enhancements to these base controls. Table 1 shows the family ID, family name, and a few examples of the controls found within each family. Note that the examples shown in the table are just a few of the controls found within the families, as the catalog contains over 1100 controls (including baseline and enhancement controls).
|AC||Access Control||Policy and Procedures, Account Management, Access Enforcement|
|AT||Awareness and Training||Literacy Training and Awareness, Role-base Training|
|AU||Audit and Accountability||Event Logging, Audit Record Review, Analysis, and Reporting|
|CA||Assessment, Authorization, and Monitoring||Control Assessments, Information Exchange, Continuous Monitoring|
|CM||Configuration Management||Baseline Configuration, Configuration Change Control|
|CP||Contingency Planning||Contingency Training, Alternate Storage Site, System Recovery and Reconstitution|
|IA||Identification and Authentication||Identifier Management, Cryptographic Module Authentication|
|IR||Incident Response||Incident Response Training, Incident Handling, Incident Response Assistance|
|MA||Maintenance||Controlled Maintenance, Maintenance Tools, Timely Maintenance|
|MP||Media Protection||Media Access, Media Storage, Media Downgrading|
|PE||Physical and Environmental Protection||Physical Access Control, Access Control for Transmission, Monitoring Physical Access|
|PL||Planning||System Security and Privacy Plans, Rules of Behavior, Concept of Operations|
|PM||Program Management||Plan of Action and Milestones Process, System Inventory, Measures of Performance|
|PS||Personnel Security||Position Risk Designation, Personnel Screening, Personnel Transfer|
|PT||PII Processing and Transparency||Personally Identifiable Information Processing Purposes, Consent|
|RA||Risk Assessment||Security Categorization, Risk Assessment, Vulnerability Monitoring and Scanning|
|SA||System and Services Acquisition||Allocation of Resources, Acquisition Process, System Documentation|
|SC||System and Communications Protection||Separation of System and User Functionality, Security Function Isolation, Boundary Protection|
|SI||System and Information Integrity||Flaw Remediation, Malicious Code Protection, System Monitoring|
|SR||Supply Chain Risk Management||Supply Chain Controls and Processes, Provenance, Notification Agreements|
Make Smarter Cybersecurity Decisions with IPKeys Technologies
IPKeys Technologies can improve your cybersecurity programs with our innovative products and services, all designed to help you defeat modern cybersecurity threats. Our core competencies are developed under DoD-specific NIST Cybersecurity Risk Management Framework guidance.
ICyber-Lab-as-a-Service (CLaaS) is our unified, AI-fueled RMF automation analytics and reporting platform that will help you make better cybersecurity decisions while staying NIST compliant.