NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53 or NIST 800-53), establishes an information security standard for the federal government.
Specifically, NIST 800-53 establishes security controls and privacy controls for federal information systems and organizations excluding those involved with national security.
The goal of NIST SP 800-53 is to protect operations, assets, individuals, organizations and the United States from a diverse set of cyber threats such as hostile attacks, human error and natural disasters.
The controls are written to be flexible and customizable to aid organizations in implementation.
Why is NIST SP 800-53 important?
NIST SP 500-53 is important because it provides a unified framework for information security. This means the United States Government has a common ad effective risk management framework (excluding agencies that deal with national security).
What is the purpose of NIST SP 800-53?
NIST SP 800-53 was created to provide guidelines that improve the security posture of information systems used within the federal government.
It does this by providing a catalog of controls that support the development of secure and resilient information systems. These controls are operational, technical and management safeguards that when used maintain the confidentiality, integrity and availability (CIA triad) of information systems.
The guidelines apply to any component of an information systems that stores, processes or transmits federal information.
The NIST 800 series provides a multi-tiered approach to risk management through control compliance. NIST SP 800-37 was developed to provide guidance on implementing risk management programs and is designed to work alongside NIST SP 800-53.
What are the benefits of NIST SP 800-53?
It also helps improve the security rating of your organization by providing a secure foundation for information systems.
Additionally, complying with NIST SP 800-53 and other best standards can help organizations improve their compliance with other data protection laws and regulations such as the SHIELD Act, LGPD, GDPR, CCPA, GLBA, PIPEDA, HIPAA, PCI DSS and 23 NYCRR 500.
That said, NIST SP 800-53 should not be the extent of your organization's security program.
What are the three classes of information systems in NIST SP 800-53?
NIST SP 800-53 applies the categorization method from the Federal Information Processing Standard (FIPS), breaking information systems into three classes:
NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process under these classes. This can help with prioritization and has similar motivations to CIS Controls.
What are the NIST SP 800-53 controls?
The security controls described in NIST SP 800-53 are organized into 18 families. Each family contains security controls related to the general security topic of the family. Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals or automated mechanisms implemented by information systems or devices.
The 18 security control families are:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessments and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- Systems and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Program Management (PM)
How does NIST SP 800-53 relate to FISMA?
The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framewrok to protect government information, operations and assets against natural and manmade threats including cyber attacks.
FISMA requires each federal government agencies, state agencies with federal programs and private-sector firms that support, sell to or receive services from the government to develop, document and implement risk-based information security controls based on the controls outlined in NIST SP 800-53.
Once organizations are able to demonstrate an effective information security program with established security and privacy controls they are awarded an Authority to Operate (ATO).
The ATO must be reassessed on an annual basis.
How does NIST SP 800-53 relate to FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is designed to enable easier contracting for federal agencies with cloud service providers.
Like FISMA, FedRAMP's controls are based off NIST 800-53.
The process of FedRAMP certification requires a third-party assessment organization (3PAO) to assess security controls of the cloud service provider.
This is done through a Security Assessment Plan (SAP), performing initial and periodic assessments of security controls and producing a Security Assessment Report (SAR).
These assets are then submitted to the Joint Authorization Board or an agency to review.
If authorized, cloud service providers are awarded an Authority to Operate (ATO) and are placed on the FedRAMP marketplace for other agencies to find services that meet their needs and security requirements.
The ATO is reviewed on an annual basis by the 3PAO or more frequently if there is any deviation requests or significant changes.
Who publishes NIST SP 800-53?
NIST SP 800-53 is published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the Department of Commerce.
NIST was set up to encourage and assist in innovation and science through the promotion and maintenance of a set of industry standards, such as the NIST Cybersecurity Framework.
NIST SP 800-53 is one of those standards and guidelines designed to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). NIST's other remit to develop Federal Information Processing Standards (FIPS).
When was NIST SP 800-53 last updated?
The most recent update was Revision 4 in April 2013 by the Joint Task Force Transformation Initiative Interagency Working Group, part of an ongoing information security partnership among the Department of Defense, the Intelligence Community, the Committee on National Security Systems, Homeland Security and federal civil agencies.
The guidelines were revised to keep up with changes in areas like mobile, cloud computing, insider threats, application security and vendor risk management.
What are the changes in NIST SP 800-53 Revision 5?
NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, had its final draft released in December 2018 with the final publication date set for March 2019.
You will notice Revision 5 has removed the word "federal" from the title to indicate the guidelines could be applied to any organization.
NIST believes this change will make the document more accessible to non-federal and private organizations, encouraging them to use the standards and guidelines.
The other large change that comes with Revision 5 is a much larger focus on privacy than its predecessors. Revision 4 aimed to bring privacy to the forefront of system design and implementation, however the privacy controls were segregated from the security controls.
Revision 5 has integrated privacy controls into the security controls catalog to create a unified set of controls for systems and organizations. This is likely driven by the increasing popularity of extraterritorial data protection laws like GDPR, PIPEDA, the SHIELD Act, LGPD and CCPA.
Other major changes include:
- Making security and privacy controls outcome-based by changing the structure of the controls
- Separation of the control selection process from the actual controls, allowing controls to be used by different groups such as systems engineers, software developers, enterprise architects and business owners
- Elimination of the term information system, replacing it with the term system so controls can be applied to any type of systems including general-purpose systems, cyber-physical systems, industrial/process control systems and IoT devices
- Promotion of integration with different risk management methodologies and cybersecurity approaches including the NIST Cybersecurity Framework
- Clarification between the relationship between security and privacy to improve the selection of controls needed to address the full scope of security and privacy risks
- Incorporation of new, state of the art controls based on threat intelligence and empirical data, including controls to strengthen cybersecurity, privacy governance and accountability
As of September 2019, Revision 5 is delayed due to a potential disagreement among the Office of Information and Regulatory Affairs (OIRA) and other U.S. agencies.
How UpGuard can help you continuously assess your security controls
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches and assess their security controls.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.