What is NIST?
The National Institute of Standards and Technology (NIST) is responsible for developing guidelines, cybersecurity standards and resources fit for the requirements of US industry, federal agencies and the general public.
However, NIST’s standards of best practice are applicable beyond the borders of the USA, and are valuable to a range of organisations around the world – whether working with US partners or otherwise.
NIST’s work encompasses both short-term, quick-to-implement practices and longer-term research projects catering for future challenges and technological developments.
What is NIST 800-53?
NIST 800-53 is a compliance framework and cybersecurity standard required for federal information systems, agencies, government contractors and departments that wish to work with the US government. Importantly, the framework also serves to ensure that third-party suppliers are taking steps to maintain security and reduce risk within their own organisations.
The framework is continuously updated and aims to define standards, controls and assessments for organisations based on risk, capabilities and cost-effectiveness.
NIST 800-53 features a list of controls created to support the development of resilient and secure federal information systems. The controls featured within NIST 800-53 are the operational, technical and management standards that information systems use to maintain privacy and security.
Controls are categorised in three broad classes:
- High impact
- Medium impact
- Low impact
These classes reflect the potential impact on the organisation should a given risk materialise.
There are 20 different security control families within the framework. Each organisation using NIST 800-53 may select the controls that are most applicable to it.
NIST 800-53 Controls
AC – Access Control
25 controls covering activities such as policies and procedures, account management, separation of duties and the principle of least privilege.
AT – Awareness and Training
6 controls covering awareness and security training across all employees, as well as more technical training for privileged users.
AU – Audit and Accountability
16 controls addressing the auditing and retention of records, as well as associated analysis, review and reporting.
CA – Assessment, Authorisation and Monitoring
9 controls relating to penetration testing, monitoring of network connections and monitoring of external systems.
CM – Configuration Management
14 controls covering configuration change control, data action mapping and software usage policies.
CP – Contingency Planning
13 controls relating to the creation, testing and implementation of business continuity strategies, as well as alternative solutions for data processing and storage.
IA – Identification and Authentication
12 controls addressing the management of credentials, implementation of authentication policies and creation of systems for users, devices and services.
IR – Incident Response
10 controls for establishing incident response education and training, as well as associated monitoring systems and reporting processes.
MA – Maintenance
7 controls relating to the ongoing maintenance of systems, personnel and tools.
MP – Media Protection
8 controls on securing and protecting the access, use, storage and transportation of media.
PE – Physical and Environmental Protection
23 controls relating to protection against physical risk and damage, including access to emergency power and securing physical access in an incident.
PL – Planning
11 controls for putting strategies in place to maintain a comprehensive security architecture, including impact assessments, activity planning and rules of behaviour.
PM – Programme Management
32 controls dedicated to defining strategies for risk management and insider threats, as well as scaling the security architecture.
PS – Personnel Security
9 controls for addressing requirements for screening personnel (both internal and external), transferring personnel and terminating personnel, as well as position risk designation.
PT – Personally Identifiable Information Processing and Transparency
8 controls addressing the creation of privacy notices, achieving consent and processing personally identifiable information.
RA – Risk Assessment
10 controls relating to vulnerability scanning, risk assessments and ongoing privacy impact assessments.
SA – System and Services Acquisition
23 controls for the acquisition process, allocation of resources and system development lifecycle, among others.
SC – System and Communications Protection
51 controls addressing activities such as application partitioning, securing passwords and cryptographic key management.
SI – System and Information Integrity
23 controls relating to the implementation of system monitoring, alerting systems, spam protection and flaw remediation processes.
SR – Supply Chain Risk Management
12 controls covering supplier assessments and reviews, risk management plans, notification agreements and the inspection of systems or components.
For organisations with limited resources, tackling 20 different control families may seem unrealistic. However, with the Hicomply platform, it's possible to prioritise activities with greater accuracy and visibility.
How can Hicomply help you achieve NIST 800-53 compliance?
The Hicomply platform makes establishing your baseline controls, creating a security plan and monitoring control performance easy. Our NIST solution helps you walk through the requirements of the standard step-by-step, so that you are prepared for an audit – whether it’s necessary for your organisation or not.
What are the benefits of NIST 800-53?
The NIST framework is beneficial to organisations of all shapes, sizes and sectors because it represents a comprehensive approach to establishing controls that address the majority of risk factors that modern organisations face.
The framework also encourages organisations to establish a baseline that is designed to be improved upon over time. With a clear starting point or foundation to build upon, an organisation can then use the framework to identify the specific controls that most urgently require attention (a risk-based approach) and those that are less important or less time-sensitive.
Achieving NIST 800-53 compliance
NIST outlines nine steps to achieving FISMA compliance. These are:
- Categorise data and information that needs to be protected
- Create a baseline for minimum controls needed to protect that information
- Conduct a risk assessment to refine the baseline controls
- Create a written security plan documenting those baseline controls
- Deploy security controls to information systems
- Monitor the performance of controls once implemented
- Calculate risk based on assessment of the security controls
- Authorise your information system for processing
- Monitor security controls regularly