Using The NIST Special Publications: 800-53

What is NIST Special Publication 800-53?

The NIST SP 800-53A revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, provides new assessment methods and procedures for online privacy and security. These procedures can be adjusted to fit individual needs. The revision 5 publication provides new assessment procedures for privacy and supply chain risk management. 

What is NIST SP 800-53 for and who does it apply to?

Following the security compliance standards provided in NIST SP 800-53 is required for all federal information systems except a federal agency that deals with national security risk (which will have its own security requirements for its system). 

There is no rule on who cannot apply these privacy control standards, so any organization or company looking to up their cybersecurity risk control is welcome to review the document and apply the security risk compliance standards to their system.

What is the purpose of NIST 800 documents?

The NIST 800 documents are a series of documents the NIST published regarding cybersecurity and the protection and privacy of computer systems. The NIST 800 documents include several guidelines, recommendations, assessments, technical specifications, and reports on cybersecurity privacy controls and methods. 

The NIST SP 800 documents were originally published specifically to protect United States Government's federal information systems. But, the publications are open to the public, and any organization is welcome to apply them to their own systems for better security control.

Most of the NIST SP 800 documents are related to cybersecurity risk management. These NIST risk management documents are informative and helpful for any CISO (Chief Information Security Officer) to apply to their systems. 

What is the difference between NIST 800-37 and NIST 800-53?

Several NIST 800 documents address risk management, but one of the most important is NIST 800-37. NIST SP 800-37 addresses how organizations can apply risk management framework (RMF) to their information systems. NIST SP 800-53 outlines other security controls for federal information systems. The two documents are meant to work together to provide the best security compliance guidelines for information systems.

What do I need to know about NIST RMF?

The Risk Management Framework (RMF) outlined in NIST special publication 800-37 is a set of cybersecurity risk management guidelines to implement in information systems to protect them. These RMF processes provide better privacy, security, and supply chain risk management. The RMF is a flexible setup and can be applied to any system.

The RMF has seven basic steps:

• Prepare your organization for security risk management. 

• Categorize information in the system through impact analysis.

• Select which guidelines you will implement from NIST SP 800-53 (based on your risk assessment).

• Implement controls.

• Assess controls are in place and operating correctly.

• Authorize the operation of the system.

• Continuous monitoring of the system and its security controls to ensure security requirements are met.

As you can see from these seven steps, NIST 800-37 and NIST 800-53 work closely together, and the risk management framework given in NIST 800-37 is meant to draw from the controls outlined in NIST 800-53.

What are NIST 800-53 standards?

The NIST SP 800-53 outlines several standards and procedures federal agencies must apply to their information systems to ensure the best cybersecurity and privacy.

One of the most important standards is the NIST cybersecurity framework (CSF), which outlines the NIST cybersecurity network. The NIST CSF has five main parts:

Identify

To build an accurate risk management system, you must identify and organize your assets and their respective risks compared to how essential they are to your organization. You can then begin building a supply chain risk management strategy.

Protect

Now you focus on protecting your identified assets from any potential cybersecurity threat. This proactive defense strategy will decrease cyber attacks on your data and minimize damage from attacks that do make it through. 

Detect

To protect your cyber assets, you must constantly monitor your system and your defense strategies to detect threats immediately to shorten response time, which will minimize the loss or damage of data.

Respond

Once you have detected a cyber threat, you must have a response strategy to refer to. A good incident response plan can shut down attacks quickly and save more data from the threat.

Recover 

Once the initial threat has been dealt with, you can focus on recovering data that can be saved and updating incident response plans and detection strategies for the future.

The NIST CSF focuses mainly on preparation and constant focus and monitoring of your systems to act quickly in the event of a cyber attack and minimize the potential damage to data from those attacks. 

NIST Compliance Requirements

Compliance with NIST 800-53 standards will ensure that your systems are running smoothly and are easy to assess for issues. Government risk and compliance are key to a system working as it should. 

Of course, only federal agencies and contractors are required to keep their information systems NIST compliant, but any organization will benefit from making their NIST compliant. 

NIST SP 800-53 lays out each minimum control it requires of federal systems and expects all federal agencies to have their systems updated within the year of the most recent update.

NIST 800-53 control families

Control families are collections of control systems that are all related and can be grouped under one topic. The NIST has laid out 20 control families:

Access Control (AC)

Awareness and Training (AT)

Audit and Accountability (AU)

Assessment, Authorization, and Monitoring (CA)

Configuration Management (CM)

Contingency Planning (CP)

Identification and Authentication (IA)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Physical and Environmental Protection (PE)

Planning (PL)

Program Management (PM)

Personnel Security (PS)

Personally Identifiable Information Processing and Transparency (PT)

Risk Assessment (RA)

System and Services Acquisition (SA)

System and Communications Protection (SC)

System and Information Integrity (SI)

Supply Chain Risk Management (SR)

How can RiskRecon by Mastercard help you become NIST compliant?

Identify

RiskRecon provides visualization into your cyber environment. We view your

environment as would any hacker: looking for vulnerabilities that may exist

across the ecosystem.

Protect

With anomalous or improper cyber hygiene information detected, Riskrecon provides remedial actions that can be taken to deter cyber-attacks. These notifications and steps are aligned with and predicated on your cyber

policies.

Detect

RiskRecon provides an accurate, prioritized view of high-value assets that require remediation. Thus, creating efficiencies within the operating environment and reducing time spent on less critical issues or false positives.

Respond

When a vendor’s posture exceeds policies set by your organization, a notification is sent with recommended actions. Further, you can set a review schedule to track the progress the vendor has or has not made in addressing the issue.

Recover

With the recommended steps taken, RiskRecon can continuously monitor your environment to assess whether the ecosystem of vendors and suppliers are compliant with the standards you set, benchmark how well they are doing against their competitors, and check their own compliance against other governmental standards such as NIST, CMMC, and others.

To see the full NIST compliance power of RiskRecon, sign up for our 30-day trial.