What is NIST SP 800-53?
NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).
Another part of NIST’s remit is to develop Federal Information Processing Standards (FIPS) alongside FISMA. To help federal agencies meet these standards, NIST publishes guidance documents under its Special Publications (SP) 800 series. The 800 series reports on the Information Technology Laboratory’s (ITL) research and guidelines. NIST SP 800-53 deals with the security controls or safeguards for federal information systems and organizations.
The Purpose of NIST SP 800-53
The SP 800-53 guidelines were created to heighten the security of the information systems used within the federal government. The guidelines themselves apply to any component of an information system that stores, processes, or transmits federal information. The most recent update to the guidelines was Revision 4 in April 2013 by the Joint Task Force Transformation Initiative Interagency Working Group, part of an ongoing information security partnership among the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security, and U.S. federal civil agencies.
The guidelines are revised in accordance with the evolving nature of information security and cover areas like mobile and cloud computing, insider threats, application security, and supply chain security.
NIST SP 800-53 Explained
NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.
NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls which can be used along with the risk management framework outlined in 800-37.
The controls are broken into 3 classes based on impact – low, moderate, and high – and split into 18 different families. The NIST SP 800-53 security control families are:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Planning
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition
NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines outline a number of key considerations, like operational and functional needs, as well as the most common types of threats facing information systems. A tailoring process is also outlined to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.
The Benefits of NIST SP 800-53
Compliance with NIST SP 800-53 and other NIST guidelines brings with it a number of benefits. NIST 800-53 compliance is a major component of FISMA compliance. It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. It is important to note, however, that simply following the guidelines laid down by NIST should not be the extent of an organization’s security program. While NIST SP 800-53 compliance is a great starting place, the NIST guidelines themselves recommend that you should assess all your data and rank which is most sensitive in order to further develop your security program.
NIST SP 800-53 Compliance Best Practices
- Analyze: The first step in NIST compliance is understanding. You need to understand the threats facing your data and information systems as well as where they are currently at risk. Using solutions that can automate the monitoring of NIST 800 series compliance is a good place to start. The leading solutions in this space analyze and protect regulated data such as PII, PHI, and PCI.
- Educate: You should educate your employees about the steps they need to take to become NIST compliant. In particular, there are a number of management controls laid out in NIST 800-53 that your management team should be aware of. Similarly, your operations leadership should be made aware of the operational controls listed. Elsewhere, there are software solutions that can help you to train your employees in real time on the latest security requirements and best practices. These prompts can keep users on their toes and eliminate those careless actions that threaten organizational security.
- Assess: Lots of companies talk about how seriously they take data and information security, but, if you have no way to measure your security policies and processes, how can you improve on them? You should deploy tools that provide a mechanism to measure and assess your security processes. Then, you will be able to continuously iterate and improve your security standards against the continuously evolving threats out there.