NIST 800-53 Assessment

WHAT IS IT?

NIST 800-53 (also known as NIST Special Publication 800-53), is a publication that recommends security controls for federal information systems and organizations. It documents security controls for all federal information systems, except those designed for national security. More specifically, it pertains to the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The security controls consist of 18 families, which include access control, configuration management, incident response, and system and information integrity.

The NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.

NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls which can be used along with the risk management framework outlined in 800-37.

The controls are broken into 3 classes based on impact – low, moderate, and high – and split into 18 different families. The NIST SP 800-53 security control families are:

Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security

Physical and Environmental Protection
Planning
Program Management
Risk Assessment
Security Assessment and Authorization
System and Communications Protection
System and Information Integrity
System and Services Acquisition

NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines outline a number of key considerations like operational and functional needs as well as the most common types of threats facing information systems. A tailoring process is outlined too to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.

BENEFITS OF NIST 800-53

Compliance with NIST SP 800-53 and other NIST guidelines brings with it a number of benefits. NIST 800-53 compliance is a major component of FISMA compliance. It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. It is important to note, however, that simply following the guidelines laid down by NIST should not be the extent of an organization’s security program. While NIST SP 800-53 compliance is a great starting place, the NIST guidelines themselves recommend that you should assess all your data and rank which is most sensitive in order to further develop your security program.