
Microsoft, Amazon, Walmart, and Boeing, to name just a few, use NIST 800-53, one of the most widely referenced and adopted cyber security control frameworks.
This standard is worth familiarizing yourself with if your job involves information security, especially for a large organization that handles sensitive information. But what is NIST 800-53?
This framework is much more detailed than some security frameworks you may have encountered (e.g., ISO/IEC 27001): it catalogs the control types you should consider implementing.
In short, there’s a lot of information to absorb. But fear not: this guide will examine who it’s for, what it consists of, and how to achieve compliance.
Read on for the full lowdown to learn more.
What is NIST 800-53?
Here’s a rundown of why NIST 800-53 exists and what it aims to achieve.
Definition
National Institute of Standards and Technology (NIST) 800-53 is a security compliance framework created by the US government.
The standard is designed to provide organizations with a comprehensive framework of controls to manage risks linked to their information systems, improve their security posture, and ensure their information’s confidentiality, integrity, and availability.
History
NIST 800-53 resulted from the Federal Information Security Management Act (FISMA), which the US Congress passed in 2002.
After the government recognized the increasing sophistication and frequency of cyberattacks and security breaches, this legislation was designed to usher in much more robust measures to protect sensitive government data.
Before FISMA, different branches of government were largely left to their own devices in managing information security. The act established a consistent framework, ensuring all federal agencies followed common measures and best practices.
As part of this, the National Institute of Standards and Technology (NIST) was tasked with creating a set of security controls and guidelines to help agencies comply with FISMA requirements.
NIST 800-53 was the result and has become a catalog of security and privacy controls federal agencies must implement to protect their information systems.
The first version of NIST 800-53 was released in 2005. Since then, several revised versions have been released to keep pace with new threats and best practices. The most recent version (fifth revision) was released in 2020.
Applicability Beyond Federal Agencies
You may ask, “I don’t work for a federal agency. I don’t even work in the US. So what’s NIST 800-53 got to do with me?”
The standard provides comprehensive controls covering various areas, from granular technical measures to management best practices. This wide scope means that NIST 800-53’s influence has extended far beyond its original parameters.
Organizations serious about infosec best practices will often implement NIST 800-53 recommendations—in part or full—even if they’re not legally required.
What Is NIST 800-53 Rev. 5?
NIST 800-53 Rev. 5 is the standard’s most recent version, released in 2020. Changes of note compared to the previous version were as follows:
Title
The fifth version’s title is Security and Privacy Controls for Information Systems and Organizations. For the first time, there’s no mention of “Federal” in this title, a clear recognition that the guidance is relevant to all organizations—not just US government branches.
New Control Families
NIST 800-53 details over 1,000 information security controls organized into thematically linked “families.” Version 5 added two new families: “Personally Identifiable Information Processing and Transparency” and “Supply Chain Risk Management.” There are now 20 control families in total (see below).
New Controls
NIST is always keen to ensure that the standard keeps up with new and emerging threats. As such, Version 5 contains new controls—and updates to existing ones—in areas such as IoT, mobile device security, and cloud computing.
Greater Emphasis on Privacy
Previously, privacy controls were set out in a separate appendix to the standard. In Rev. 5, privacy controls are integrated directly into the main control catalog. The objective is to encourage a comprehensive approach to managing security and privacy risks.
Separation Between the Control Selection Process and the Controls
Rev. 5 no longer includes detailed guidance on selecting controls within the standard itself. This reflects the wide applicability of NIST 800-53, effectively recognizing that different organizations may wish to use their own processes for selecting controls, consistent with their business needs.
Why Is NIST 800-53 Valuable?
Certain organizations—mostly US-based—must comply with NIST 800-53. Alongside this, there are many other companies and organizations across the globe that choose to follow it. Read on to understand why.
Who Must Comply with NIST 800-53?
All US federal institutions must ensure their information systems comply with NIST 800-53.
Private contractors working with federal agencies that handle, process, store, or transmit federal information must also comply with the standard. This includes the following:
- Providers of IT services to federal agencies, including managed service providers and cloud service providers
- Defense contractors
- Healthcare providers, especially those involved with federal healthcare programs
- Financial services contractors
- Critical infrastructure providers
- Research institutions and educational establishments, especially those receiving federal funding or engaged in state-supported research
Voluntary Compliance: Benefits of Implementing NIST 800-53
Boosting your information security posture
One of the main reasons for following a standardized framework regarding information security is to ensure that nothing is missed. With more than a thousand controls, NIST 800-53 is thorough. Follow the standard, and you’ll be on the right track to closing security gaps and strengthening your posture.
Keeping up with best practice
One of the most useful aspects of NIST 800-53 is that it isn’t cast in stone. The standard is updated every few years to reflect new threats, technologies, and defensive techniques. Providing that you regularly review your security measures in light of new versions of the standard, you should be able to stay aligned with best practices.
Bidding for government contracts
What does the future have in store for your organization? Could it involve providing services to various arms of the US government? Becoming NIST 800-53 compliant could open the door to lucrative federal contracts that would otherwise be out of reach.
Creating a competitive edge
It isn’t just the US government that takes NIST 800-53 seriously; maybe your organization is one of several bidders for a contract with a major corporation. There’s no strict mandate to be NIST compliant. However, the corporation will look for indicators that bidders take information security seriously. The fact that you adhere to NIST 800-53 is a major plus point in your favor.
NIST 800-53 Controls and Key Components
Here’s a closer look at the controls covered in the standard and how they’re grouped and applied.
NIST 800-53 Control Families
NIST 800-53 controls are organized into the following control families (20 in total):
Abbr. | Family name | Example controls |
---|---|---|
AC | Access Control | Access policies, automated inactivity logouts, access enforcement controls |
AT | Awareness and Training | Security literacy training, role-specific training, practical exercises |
AU | Audit and Accountability | Event logging, real-time alerting, audit record retention |
CA | Assessment, Authorization, and Monitoring | Independent assessments, plan of action and milestones, continuous monitoring |
CM | Configuration Management | Development and test environments for baseline configuration, configuration change control, access restrictions for reconfigurations |
CP | Contingency Planning | Contingency training, simulated events, alternative storage and processing sites |
IA | Identification and Authentication | Multi-factor authentication, device identification, identify user status |
IR | Incident Response | Automated response and incident handling processes, incident monitoring, incident reporting |
MA | Maintenance | Restricted maintenance tool use, security clearance for maintenance personnel |
MP | Media Protection | Controls to review, approve, track, document, and verify media materials |
PE | Physical and Environmental Protection | Physical access controls, intrusion alarms, visitor access records |
PL | Planning | System security and privacy plans, security and privacy architecture |
PM | Program Management | System inventory, critical infrastructure plan, risk management strategy |
PS | Personnel Security | Position risk designation, personnel screening, access agreements |
PT | PII Processing and Transparency | Authority to process PII, consent, and privacy notices |
RA | Risk Assessment | Security categorization, vulnerability monitoring and scanning |
SA | System and Services Acquisition | System development lifecycle management, system, component, and service configuration checks before acquisition |
SC | System and Communications Protection | Separation of system and user functionality, denial-of-service protection, boundary protection |
SI | System and Information Integrity | Flaw remediation, malicious code protection, system monitoring |
SR | Supply Chain Risk Management | Supply chain risk management plan, provenance controls (e.g., identity, track and trace, supply chain integrity), notification agreements |
Baselines and the Selection of Controls
How do you select appropriate controls under NIST 800-53? The starting point is the baseline, a set of minimum security controls recommended for information systems, depending on their characteristics.
Here’s how it works.
Step 1: Establish the appropriate baseline
Systems are categorized based on the potential impact of a security breach on the organization’s operations, assets, and the individuals affected by a breach. This categorization considers the three information security principles: confidentiality, integrity, and availability.
There are three baseline levels. You can select the most appropriate one, depending on the impact levels:
- Low impact baseline: A breach of the system in question may reduce your organization’s performance effectiveness, but it should still be able to perform its primary functions. Damage to organizational assets, financial losses, and harm to individuals will likely be minor.
- Moderate impact baseline: A breach will likely cause significant degradation in organizational mission capability, damage to organizational assets, financial losses, and harm to individuals.
- High impact baseline: A breach would likely render the organization incapable of performing its primary functions. Other likely impacts may include major damage to organizational assets, financial loss, and severe harm to individuals.
Step 2: Identify the appropriate baseline controls
A companion publication, NIST Special Publication (SP) 800-53B Control Baselines for Information Systems and Organizations, enables you to identify the security and privacy controls required for the appropriate baseline.
You can review each “control family” and select the appropriate controls depending on the relevant baseline. As an example, here’s the baseline information from NIST SP 800-53 for the control family, CA – Assessment, Authorization, and Monitoring:

The privacy control baseline will apply if a system breach will impact personal information. This means the following baseline controls will apply:
- CA-1 Policy and Procedures
- CA-2 Control Assessments
- CA-5 Plan of Action and Milestones
- CA-6 Authorization
- CA-7 Continuous Monitoring
- CA-7(4) Risk Monitoring
If you have identified a low-impact baseline for the information system in question, all of the controls relevant to the privacy control baseline will apply, in addition to the following controls:
- CA-3 Information Exchange
- CA-9 Internal System Connections
If you have identified a moderate impact baseline for the system, all of the controls detailed above will apply, in addition to the following:
- CA-7(1) Continuous Monitoring – Independent Assessment
If you have identified a high-impact baseline, all of the controls detailed above will apply, in addition to the following:
- CA-3(6) Transfer Authorizations
- CA-8 Penetration Testing
- CA-8(1) Independent Penetration Testing Agent or Team
Step 3: Tailor your baseline
Remember that your baseline is just a starting point. After identifying the most appropriate controls using the methodology above, you can tailor or supplement them to reflect your specific needs and environment.
To illustrate this, we’ll use the example of the Assessment, Authorization, and Monitoring family again.
Let’s say you’ve applied a high-impact baseline. Your initial scoping has highlighted that Penetration Testing (CA-8) will be an appropriate control. However, an evaluation of recent routine penetration testing activities suggests they fail to identify vulnerabilities.
An additional control, e.g., CA-8(2) Red Team Exercises, may be appropriate.
Step 4: Continuous Monitoring
After implementation, you should monitor and review the effectiveness of the controls you’ve selected. You should make adjustments as necessary to respond to changing threats and organizational needs.
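As an added illustration (not code from the article or from NIST), the following Python script applies Steps 1 to 3 to the CA family using the control lists above: the high-water-mark rule in Step 1 is FIPS 199's, and the names `Impact`, `baseline_controls` and `tailor` are chosen here for the example.

```python
# Added example (not from the article or from NIST): resolves which CA-family
# controls a system's baseline pulls in, using the cumulative rule described in
# Steps 1-3, then records a tailoring decision. Control membership is copied
# from the article's CA walkthrough; the high-water-mark rule is FIPS 199's.
from enum import IntEnum

class Impact(IntEnum):
    NONE = 0      # no security baseline assigned (e.g. PII-only scoping)
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Privacy control baseline for CA, applied whenever PII is at stake.
PRIVACY_BASELINE = {"CA-1", "CA-2", "CA-5", "CA-6", "CA-7", "CA-7(4)"}

# Controls each security baseline adds on top of everything below it.
ADDED_AT = {
    Impact.LOW: {"CA-3", "CA-9"},
    Impact.MODERATE: {"CA-7(1)"},
    Impact.HIGH: {"CA-3(6)", "CA-8", "CA-8(1)"},
}

def security_category(confidentiality, integrity, availability):
    """Step 1: the system's overall impact level is the highest of its three
    CIA impact levels (FIPS 199 high-water mark)."""
    return Impact(max(confidentiality, integrity, availability))

def baseline_controls(level, handles_pii):
    """Step 2: baselines are cumulative. Any security baseline (low or above)
    already includes the privacy-baseline controls; a system that only
    processes PII and has no security baseline gets the privacy set alone."""
    selected = set(PRIVACY_BASELINE) if (handles_pii or level >= Impact.LOW) else set()
    for tier, controls in ADDED_AT.items():
        if level >= tier:
            selected |= controls
    return selected

def tailor(selected, add=(), remove=(), rationale=""):
    """Step 3: supplement or scope out controls, keeping the rationale so the
    decision can be evidenced later (see Record Keeping)."""
    return {"controls": (selected | set(add)) - set(remove),
            "added": set(add), "removed": set(remove), "rationale": rationale}

# Usage: the article's high-impact scenario, where routine pentests missed issues.
level = security_category(Impact.LOW, Impact.HIGH, Impact.MODERATE)   # Impact.HIGH
plan = tailor(baseline_controls(level, handles_pii=True), add=["CA-8(2)"],
              rationale="Routine penetration tests failed to find vulnerabilities")
```

The `rationale` field is what an assessor will ask for when you deviate from the baseline, so keep it alongside the control list rather than in a separate note.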
NIST 800-53 Checklist and Controls
To help you document your compliance efforts and ensure nothing is missed, visit the NIST website and export the complete controls list.
Who Uses NIST 800-53?
Here are some sectors, and some information security and cyber security roles, where a working knowledge of the NIST 800-53 standard is especially relevant and valuable.
Sectors where NIST 800-53 is commonly applied
- Public Administration
- Healthcare
- Financial
- Defense
- Education and Research
- IT Services
- Critical Infrastructure
- Cloud Storage
- Software Development
Job roles where knowledge of NIST 800-53 is especially useful
- Chief Information Security Officer (CISO)
- Compliance Officer
- Data Protection Officer
- Information Security Analyst
- Cyber Security Analyst
- Security Architect
- System Administrator
- Penetration Tester
How to Implement NIST 800-53?
Here are our tips for conducting your NIST 800-53 compliance exercise and staying compliant.
Record Keeping
No formal certification process is required for an organization to become NIST 800-53-compliant.
However, if, for example, you’re bidding for a contract with a federal agency or corporation that stipulates NIST 800-53 compliance as a requirement, that organization will expect you to provide proof of compliance.
Ensure your gap analysis (see below) and all other implementation elements are recorded and transparent.
Gap Analysis
Gather detailed information about security controls, policies, and practices. Compare your current state against the requirements referenced in NIST 800-53. Identify those gaps where current practices and measures do not meet the required standards.
Prioritization
Assess the risks associated with each gap, considering the potential severity of any impact and the likelihood of exploitation. Prioritize these gaps based on severity.
Remediation Plan
Create a plan to address the identified gaps. This should include specific actions, timelines, required resources, and responsible parties.
Monitoring and Review
Monitor the progress of remediation efforts and adjust the plan to address any new issues. Post-implementation, periodically review your security posture and conduct a follow-up gap analysis to maintain continuous improvement.
Conclusion
NIST 800-53 is one of the most respected standards out there.
As such, even if your organization is not subject to NIST compliance mandates, it’s certainly worth considering adopting the NIST 800-53 framework to enhance security, standardize your practices, and boost your reputation in the eyes of potential customers.
Are you ready to confidently decide about information security framework selection and program implementation? Advanced accreditations in information security governance can be extremely valuable in boosting your knowledge and career prospects in this area.
Join the StationX Accelerator program for over 1,000 courses and labs, practice tests, a custom certification roadmap, mastermind groups, and everything you need to excel in a cyber security career.

