NIST 800-53
NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. NIST SP 800-53 is a set of standards and guidelines that help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).
Another part of NIST’s remit is to develop Federal Information Processing Standards (FIPS) alongside FISMA. To help federal agencies meet these standards, the NIST publishes guidance documents under its Special Publications (SP) 800 series. The 800 series reports on the Information Technology Laboratory’s (ITL) research and guidelines. NIST SP 800-53 deals with the security controls or safeguards for federal information systems and organizations.
THE PURPOSE OF NIST SP 800-53
The SP 800-53 guidelines were created to heighten the security of the information systems used within the federal government. The guidelines themselves apply to any component of an information system that stores, processes, or transmits federal information. The most recent update to the guidelines was Revision 4 in April 2013 by the Joint Task Force Transformation Initiative Interagency Working Group, part of an ongoing information security partnership among the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security, and U.S. federal civil agencies.
The guidelines are revised in accordance with the evolving nature of information security and cover areas like mobile and cloud computing, insider threats, application security, and supply chain security.
NIST SP 800-53 EXPLAINED
NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards that information systems use to maintain the integrity, confidentiality, and security of federal information systems.
NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to give federal agencies and contractors guidance on implementing risk management programs. SP 800-53 focuses on the controls that can be used together with the risk management framework outlined in SP 800-37.
The controls are broken into 3 classes based on impact (low, moderate, and high) and split into 18 different families. The NIST SP 800-53 security control families are:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Planning
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition
NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines reflect a number of key considerations, such as operational and functional needs and the most common types of threats facing information systems. A tailoring process is also outlined to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.
CS360 can help organizations understand NIST compliance, educate them about the steps they need to take to become NIST compliant, and provide a mechanism to measure and assess an organization's security processes.