What is NIST?
The National Institute of Standards and Technology (NIST) is responsible for developing guidelines, cybersecurity standards and resources fit for the requirements of US industry, federal agencies and the general public.
However, NIST’s standards of best practice are applicable beyond the borders of the USA, and are valuable to a range of organisations around the world – whether working with US partners or otherwise.
NIST’s work encompasses both short-term, quick-to-implement practices and longer-term research projects catering for future challenges and technological developments.
What is NIST 800-53?
NIST 800-53 is a compliance framework and cybersecurity standard required for federal information systems, agencies, government contractors and departments that wish to work with the US government. Importantly, the framework also serves to ensure that third-party suppliers are taking steps to maintain security and reduce risk within their own organisations.
The framework is continuously updated and aims to define standards, controls and assessments for organisations based on risk, capabilities and cost-effectiveness.
NIST 800-53 Controls
NIST 800-53 features a list of controls created to support the development of resilient and secure federal information systems. The range of controls featured within NIST 800-53 is the set of operational, technical and management standards used by information systems to maintain privacy and security. Discover the entire range of NIST 800-53 control families here.
Controls are categorised in three broad classes:
- High impact
- Medium impact
- Low impact
These classes reflect the potential impact of each risk.
There are 20 different security control families within the framework. Each organisation using NIST 800-53 may select the controls that are most applicable to it.
For organisations with limited resources, tackling 20 different control families may seem unrealistic. However, with the Hicomply platform, it's possible to prioritise activities with greater accuracy and visibility.
How to implement NIST 800-53
The Hicomply platform makes establishing your baseline controls, creating a security plan and monitoring control performance easy. Our NIST solution helps you walk through the requirements of the standard step-by-step, so that you are prepared for an audit and can achieve NIST 800-53 certification – whether it’s necessary for your organisation or not. Use our NIST 800-53 Audit Checklist to help prepare for a compliance audit.
What are the benefits of NIST 800-53?
The NIST framework is beneficial to organisations of all shapes, sizes and sectors because it represents a comprehensive approach to establishing controls that address the majority of risk factors that modern organisations face.
The NIST 800-53 framework also encourages organisations to establish a baseline that is designed to be improved upon over time. With a clear starting point or foundation to build upon, an organisation can then use the NIST 800-53 framework to identify the specific access controls that most urgently require attention (a risk-based approach) and those that are less important or less time-sensitive.
Who must comply with NIST 800-53?
Any federal information systems, agencies, government contractors and departments that work with the US government need to be in compliance with NIST 800-53. This is to ensure that all federal institutions and the third-party organisations that they work with are secure.
What is the difference between NIST 800-53 and other frameworks?
NIST has more than 1,300 standard reference materials. However, the majority of the compliance frameworks fall under the NIST 800 series. Within the 800 series, each framework has slight variations.
For example, while NIST 800-53 concerns federal departments and their contractors that wish to work with the US government, NIST 800-171 is a set of compliance standards for non-federal departments that wish to work with the US government.
NIST frameworks also differ from industry-specific compliance standards like FISMA, HIPAA and SOX.
Additional information on the differences between NIST 800-53 and other frameworks can be found on our comparison pages:
- NIST 800-53 vs ISO 27001
- NIST 800-53 vs ISO 27002
- NIST 800-53 vs NIST CSF
- NIST 800-53 vs NIST 800-171
Achieving NIST 800-53 compliance
While there is no NIST 800-53 certification, NIST compliance is mandatory for federal agencies and their vendors. NIST outlines nine steps to achieving FISMA compliance. These are:
- Categorise data and information that needs to be protected
- Create a baseline for minimum controls needed to protect that information
- Conduct a risk assessment to refine the baseline controls
- Create a written security plan documenting those baseline controls
- Deploy security controls to information systems
- Monitor the performance of controls once implemented
- Calculate risk based on assessment of the security controls
- Authorise your information system for processing
- Monitor security controls regularly