
NIST 800-53: A Guide to Compliance

The NIST 800-53 standard offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems. NIST SP 800-53 Revision 5 is one of many compliance documents you need to familiarize yourself with if you are working with information technology.

This post breaks it down for you into digestible pieces that emphasize the standard’s practical meaning and application.

What is NIST 800-53?

NIST 800-53 is a security compliance standard published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, in response to the rapidly developing technological capabilities of national adversaries. It compiles controls recommended by NIST's Information Technology Laboratory (ITL).

NIST 800-53 is mandatory for all U.S. federal information systems except those related to national security, and is technology-neutral. However, its guidelines can be adopted by any organization operating an information system with sensitive or regulated data. It provides a catalog of privacy and security controls for protecting against a variety of threats, from natural disasters to hostile attacks.

The standard has evolved to integrate privacy and security controls and to promote integration with other cybersecurity and risk management approaches. In particular, it fits into the scope of the Federal Information Processing Standards (FIPS); FIPS requires that organizations implement a minimum baseline of security controls as defined in NIST 800-53. The NIST standard also helps organizations comply with the Federal Information Security Modernization Act (FISMA), which details security and privacy guidelines as part of administering federal programs.

As information infrastructure continues to expand and integrate, the need to build privacy and security into every application grows too, regardless of whether it is a federal or private system. With the comprehensive set of controls and guidelines in NIST 800-53, private organizations do not need to re-invent the wheel to maintain cybersecurity.

What is the goal of NIST 800-53?

The goal of the security and privacy standard is threefold:

  • To provide a comprehensive and flexible catalog of controls for current and future protection based on changing technology and threats
  • To develop a foundation for assessing techniques and processes for determining control effectiveness
  • To improve communication across organizations via a common lexicon for discussion of risk management concepts

The controls established by NIST Special Publication (SP) 800-53 are designed to improve risk management for any organization or system that processes, stores or transmits information.

Who must comply with NIST 800-53?

The standard is mandatory for federal information systems, organizations and agencies. Any organization that works with the federal government is also required to comply with NIST 800-53 to maintain the relationship.

However, the standard provides a solid framework for any organization to develop, maintain and improve their information security practices, including state, local and tribal governments and private companies, from SMBs to enterprises.

What are the benefits of NIST 800-53?

The most significant benefit of the standard is more secure information systems. Private organizations voluntarily comply with NIST 800-53 because its 18 control families help them meet the challenge of selecting the appropriate basic security controls, policies and procedures to protect information security and privacy.

In addition, it encourages you to analyze each security and privacy control you select to ensure its applicability to your infrastructure and environment. This customization process helps ensure not just security and compliance, but business success. It promotes consistent, cost-effective application of controls across your information technology infrastructure.

Finally, following NIST 800-53 guidelines helps you build a solid foundation for compliance with other regulations and programs like HIPAA, DFARS, PCI DSS and GDPR.

What data does NIST SP 800-53 protect?

While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores and transmits. For example, one classification might be “protected”; this data could include customer names, birth dates and Social Security numbers.

NIST 800-53 Security Controls

NIST 800-53 offers a catalog of security and privacy controls and guidance for selecting them. Each organization should choose controls based on the protection requirements of the information types it handles. This requires a careful risk assessment and an analysis of the impact an incident would have on each kind of data and information system. FIPS 199 defines three impact levels:

  • Low — Loss would have limited adverse impact.
  • Moderate — Loss would have a serious adverse impact.
  • High — Loss would have a catastrophic impact.

Security and Control Families

NIST 800-53 controls are allocated into the following 20 families:

| ID | Family Name | Examples of Controls |
|----|-------------|----------------------|
| AC | Access Control | Account management and monitoring; least privilege; separation of duties |
| AT | Awareness and Training | User training on security threats; technical training for privileged users |
| AU | Audit and Accountability | Content of audit records; analysis and reporting; record retention |
| CA | Assessment, Authorization, and Monitoring | Connections to public networks and external systems; penetration testing |
| CM | Configuration Management | Authorized software policies; configuration change control |
| CP | Contingency Planning | Alternate processing and storage sites; business continuity strategies; testing |
| IA | Identification and Authentication | Authentication policies for users, devices and services; credential management |
| IP | Individual Participation | Consent and privacy authorization |
| IR | Incident Response | Incident response training, monitoring and reporting |
| MA | Maintenance | System, personnel and tool maintenance |
| MP | Media Protection | Access, storage, transport, sanitization, and use of media |
| PA | Privacy Authorization | Collection, use and sharing of personally identifiable information (PII) |
| PE | Physical and Environmental Protection | Physical access; emergency power; fire protection; temperature control |
| PL | Planning | Social media and networking restrictions; defense-in-depth security architecture |
| PM | Program Management | Risk management strategy; insider threat program; enterprise architecture |
| PS | Personnel Security | Personnel screening, termination and transfer; external personnel; sanctions |
| RA | Risk Assessment | Risk assessment; vulnerability scanning; privacy impact assessment |
| SA | System and Services Acquisition | System development lifecycle; acquisition process; supply chain risk management |
| SC | System and Communications Protection | Application partitioning; boundary protection; cryptographic key management |
| SI | System and Information Integrity | Flaw remediation; system monitoring and alerting |

Tips for NIST 800-53 Compliance

The following best practices will help you select and implement appropriate security and privacy controls for NIST SP 800-53 compliance.

  • Identify your sensitive data. Find out what kind of data your organization deals with, where it is stored, and how it is received, maintained and transmitted. Sensitive data can be spread across multiple systems and applications; it is not necessarily only where you think it is.
  • Classify sensitive data. Categorize and label your data according to its value and sensitivity. Assign each information type an impact value (low, moderate or high) for each security objective (confidentiality, integrity and availability), and categorize it at the highest of the three values, the so-called high water mark. Consult FIPS 199 for appropriate security categories and impact levels that relate to your organizational goals, mission and business success. Automate discovery and classification to streamline the process and ensure consistent, reliable results.
  • Evaluate your current level of cybersecurity with a risk assessment. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
  • Document a plan to improve your policies and procedures. Select controls based on your specific business needs. The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. Document your plan and the rationale for each choice of control and policy.
  • Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
  • Make compliance an ongoing process. Once you have brought your system into compliance with NIST 800-53, maintain and improve your compliance with regular system audits, especially after a security incident.

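The classification step above is mechanical enough to automate. The following is an added example, not code from the original post or from Netwrix: it applies the FIPS 199 categorization rule to a constructed set of information types (the type names and impact values are made up for illustration). Each information type carries one impact value per security objective; the system that hosts them takes, for each objective, the highest value found among its information types, and the overall level is the highest of those three. That overall level is the one you carry into baseline selection. The example also handles two edge cases from FIPS 199: the "not applicable" value is allowed only for the confidentiality of already-public information, and a system as a whole is never rated below low.

```python
"""FIPS 199 security categorization for the "Classify sensitive data" step.

Constructed example: the information types and impact values below are
invented for illustration and are not from the original post.
"""
from typing import Dict, Mapping

# Impact levels in rank order. "NA" (not applicable) is permitted by FIPS 199
# only for the confidentiality objective, and only for public information.
IMPACT_RANK = {"NA": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate(info_type: str, impacts: Mapping[str, str]) -> None:
    """Reject malformed entries instead of silently under-categorizing."""
    for obj in OBJECTIVES:
        level = impacts.get(obj)
        if level not in IMPACT_RANK:
            raise ValueError(
                f"{info_type}: {obj} impact {level!r} must be one of {list(IMPACT_RANK)}")
        if level == "NA" and obj != "confidentiality":
            raise ValueError(f"{info_type}: NA is only valid for confidentiality")


def system_category(catalog: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Per-objective impact for a system: the high water mark across all the
    information types the system processes, stores or transmits."""
    if not catalog:
        raise ValueError("a system must handle at least one information type")
    result: Dict[str, str] = {}
    for obj in OBJECTIVES:
        best = "NA"
        for info_type, impacts in catalog.items():
            validate(info_type, impacts)
            if IMPACT_RANK[impacts[obj]] > IMPACT_RANK[best]:
                best = impacts[obj]
        # FIPS 199 does not allow NA for a system: if every information type is
        # public, the system's confidentiality impact is still categorized as low.
        result[obj] = "low" if best == "NA" else best
    return result


def overall_impact(category: Mapping[str, str]) -> str:
    """Overall system impact level (low, moderate or high): the highest of the
    three objective values. This is the level used to pick a control baseline."""
    return max(category.values(), key=lambda lvl: IMPACT_RANK[lvl])


def fips199_expression(category: Mapping[str, str]) -> str:
    """Render the category in the SC = {(objective, IMPACT), ...} notation."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed information types for a hypothetical HR system.
SAMPLE_CATALOG = {
    "public_press_releases": {"confidentiality": "NA", "integrity": "low", "availability": "low"},
    "customer_pii": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payroll_records": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    cat = system_category(SAMPLE_CATALOG)
    print(fips199_expression(cat))
    print("overall impact level:", overall_impact(cat))
```

Running the block prints the system category in FIPS 199 notation and the overall level, which for the constructed catalog is driven entirely by the payroll records' high integrity requirement; that is the point of the high water mark rule, since a single high-impact information type raises the whole system's categorization.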
Conclusion

All federal agencies and organizations must comply with NIST 800-53, and if you deal with them, you will need to be in compliance as well. Compliance is not a requirement for organizations that do not do business with the federal government, but meeting the standard will help you establish a strong foundation for compliance with a broad range of other regulations, such as HIPAA and GDPR, so you won’t need to re-invent the wheel each time.

FAQ

  1. What is the NIST 800 series?

The NIST 800 series is a set of documents that describe United States federal government policies, procedures and guidelines for information system security.

  2. What is NIST 800-53?

NIST 800-53 is a regulatory standard that defines the security controls for all U.S. federal information systems except those related to national security. It is the catalog from which the minimum baseline of security controls required by the Federal Information Processing Standards (FIPS) is drawn.

  3. What is the purpose of NIST 800-53?

NIST 800-53 helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA). It offers an extensive catalog of controls to strengthen security and privacy.

  4. How many controls are outlined in NIST 800-53?

NIST 800-53 has 20 families of controls comprising over 1,000 separate controls. Each family is related to a specific topic, such as access control.

  5. What is the current version of NIST 800-53?

NIST 800-53 Revision 5 was published in September 2020.

  6. Who must comply with NIST 800-53?

NIST 800-53 is mandatory only for federal information systems across all agencies and organizations. However, the guidelines are very useful for state, local and tribal governments and private companies as well.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.