What is NIST SP 800-53?

Data Security Knowledge Base

Definition and Tips for NIST SP 800-53 Compliance

NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).

Another part of NIST’s remit is to develop Federal Information Processing Standards (FIPS) alongside FISMA. To help federal agencies meet these standards, the NIST publishes guidance documents under its Special Publications (SP) 800 series. The 800 series reports on the Information Technology Laboratory’s (ITL) research and guidelines. NIST SP 800-53 deals with the security controls or safeguards for federal information systems and organizations.

The Purpose of NIST SP 800-53

The SP 800-53 guidelines were created to heighten the security of the information systems used within the federal government. The guidelines themselves apply to any component of an information system that stores, processes, or transmits federal information. The most recent update to the guidelines was Revision 4 in April 2013 by the Joint Task Force Transformation Initiative Interagency Working Group, part of an ongoing information security partnership among the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security, and U.S. federal civil agencies.

The guidelines are revised in accordance with the evolving nature of information security and cover areas like mobile and cloud computing, insider threats, application security, and supply chain security.

NIST SP 800-53 Explained

The NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.

NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls which can be used along with the risk management framework outlined in 800-37.

The controls are grouped by impact into three baselines – low, moderate, and high – and organized into 18 families. The NIST SP 800-53 security control families are:

Access Control

Audit and Accountability

Awareness and Training

Configuration Management

Contingency Planning

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical and Environmental Protection

Planning

Program Management

Risk Assessment

Security Assessment and Authorization

System and Communications Protection

System and Information Integrity

System and Services Acquisition

NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines reflect a number of key considerations, such as operational and functional needs and the most common types of threats facing information systems. A tailoring process is also outlined to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.
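The baseline-and-tailoring idea above is easiest to see in code. The following is an added example, not code from this knowledge base or from NIST: it holds a small constructed subset of the control catalog (the control identifiers and names are real SP 800-53 identifiers, but the baseline membership shown here is illustrative and must be confirmed against the publication's own baseline tables before use), selects the baseline for a chosen impact level, checks the property that each baseline contains the one below it, and applies tailoring decisions that are rejected unless they carry a written justification, so the resulting tailoring record stays defensible to an assessor.

```python
from dataclasses import dataclass

IMPACT_LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class Control:
    ident: str            # control identifier, e.g. "AC-2"
    family: str           # family code, e.g. "AC" for Access Control
    name: str
    baselines: frozenset  # impact levels whose baseline includes this control


# Constructed subset of the catalog for illustration only; baseline
# membership here is NOT authoritative (check the publication's tables).
CATALOG = (
    Control("AC-2", "AC", "Account Management", frozenset(IMPACT_LEVELS)),
    Control("AC-6", "AC", "Least Privilege", frozenset({"moderate", "high"})),
    Control("AC-17", "AC", "Remote Access", frozenset(IMPACT_LEVELS)),
    Control("AU-2", "AU", "Audit Events", frozenset(IMPACT_LEVELS)),
    Control("AU-10", "AU", "Non-repudiation", frozenset({"high"})),
    Control("CP-7", "CP", "Alternate Processing Site", frozenset({"moderate", "high"})),
    Control("IA-2", "IA", "Identification and Authentication (Organizational Users)",
            frozenset(IMPACT_LEVELS)),
    Control("IR-4", "IR", "Incident Handling", frozenset(IMPACT_LEVELS)),
    Control("SC-7", "SC", "Boundary Protection", frozenset(IMPACT_LEVELS)),
)


def select_baseline(catalog, impact):
    """Return the controls in the baseline for the given impact level."""
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return [c for c in catalog if impact in c.baselines]


def baselines_are_nested(catalog):
    """True if low <= moderate <= high, i.e. each baseline builds on the one below."""
    low, moderate, high = (
        {c.ident for c in select_baseline(catalog, level)} for level in IMPACT_LEVELS
    )
    return low <= moderate <= high


def _control_sort_key(control):
    # Sort "AC-2" before "AC-17" by family, then numeric control number.
    return control.family, int(control.ident.split("-")[1])


def tailor(catalog, impact, scoped_out=None, compensating=None):
    """Apply tailoring decisions to the baseline for an impact level.

    scoped_out and compensating map a control identifier to a written
    justification. A decision without a justification, a scoping decision for
    a control that is not in the baseline, or a compensating control that is
    unknown or already in the baseline is rejected.
    Returns (tailored control list, tailoring record).
    """
    scoped_out = dict(scoped_out or {})
    compensating = dict(compensating or {})
    by_ident = {c.ident: c for c in catalog}
    baseline = {c.ident: c for c in select_baseline(catalog, impact)}

    for ident, why in {**scoped_out, **compensating}.items():
        if not why or not why.strip():
            raise ValueError(f"{ident}: tailoring decision needs a justification")
    for ident in scoped_out:
        if ident not in baseline:
            raise ValueError(f"{ident}: not in the {impact} baseline, nothing to scope out")
    for ident in compensating:
        if ident not in by_ident:
            raise ValueError(f"{ident}: not in the catalog")
        if ident in baseline:
            raise ValueError(f"{ident}: already in the {impact} baseline")

    selected = {i: c for i, c in baseline.items() if i not in scoped_out}
    selected.update({i: by_ident[i] for i in compensating})
    record = {"impact": impact, "scoped_out": scoped_out, "compensating": compensating}
    return sorted(selected.values(), key=_control_sort_key), record


def by_family(controls):
    """Group control identifiers by family code, for reporting."""
    groups = {}
    for c in controls:
        groups.setdefault(c.family, []).append(c.ident)
    return groups


if __name__ == "__main__":
    # Constructed scenario: a moderate-impact system with no remote access path.
    controls, record = tailor(
        CATALOG, "moderate",
        scoped_out={"AC-17": "No remote access capability exists on this system."},
    )
    print("nested baselines:", baselines_are_nested(CATALOG))
    print("tailored controls by family:", by_family(controls))
    print("tailoring record:", record)
```

The point of the validation in tailor() is that scoping a control out is itself a risk decision: the justification is what an assessor will ask for, so the code refuses to produce a tailored set without it.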

The Benefits of NIST SP 800-53

Compliance with NIST SP 800-53 and other NIST guidelines brings with it a number of benefits. NIST 800-53 compliance is a major component of FISMA compliance. It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. It is important to note, however, that simply following the guidelines laid down by NIST should not be the extent of an organization’s security program. While NIST SP 800-53 compliance is a great starting place, the NIST guidelines themselves recommend that you assess all your data and rank it by sensitivity in order to further develop your security program.

NIST SP 800-53 Compliance Best Practices

Analyze:

The first step in NIST compliance is understanding. You need to understand the threats facing your data and information systems as well as where they are currently at risk. Using solutions that can automate the monitoring of NIST 800 series compliance is a good place to start. The leading solutions in this space analyze and protect regulated data such as PII, PHI, and PCI.