NIST SP 800-53: Security and Privacy Controls for Federal Information Systems & Organizations

NIST SP 800-53 is a guide to security controls developed by the Joint Task Force Transformation Initiative Interagency Working Group, as mandated by the Federal Information Security Management Act (FISMA). This working group is an ongoing information security partnership among the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security, and U.S. federal civil agencies.

Special Publication NIST 800-53 focuses on ‘Controls’ that underpin security best practice for anyone operating federal information systems; IT systems related to national security are covered separately. These guidelines mandate periodic testing and evaluation of the security controls that federal agencies must put in place.

NIST 800-171 guidance focuses on the protection of Controlled Unclassified Information (CUI). Protecting CUI while it resides in nonfederal information systems and organizations is of utmost importance to federal agencies and can have a direct impact on the federal government’s ability to successfully carry out its designated missions and everyday operations.

NIST places a strong emphasis on ‘Software, Firmware and Information Integrity’, and ‘Configuration Management Policy and Procedures’:

  • Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications.
  • State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

The latest version of NIST 800-53, Revision 4, places greater emphasis on:

  • Insider Threats
  • Software Application & Web Application Security
  • Social Networking, Mobile Devices, and Cloud Computing
  • Advanced Persistent Threats
  • Supply Chain Security
  • Industrial/Process Control Systems
  • Privacy

NNT Change Tracker uses a continuous monitoring approach to provide real-time integrity verification, with audit-trail evidence and alerts in line with SP 800-53 controls. In addition, Configuration Management Policy and Procedure controls can be supported using Change Tracker Compliance Reports and the Planned Change operation, ensuring that only approved changes are made and that any configuration drift is highlighted, with 'Who Made the Change' and remediation instructions provided as standard.

The United States Government Configuration Baseline - USGCB and FDCC Configuration Baselines

The USGCB supersedes the original FDCC and provides recommended configuration build-standards primarily to safeguard security. The security checklists formulated are published in the National Vulnerability Database (see http://web.nvd.nist.gov/view/ncp/repository)

“The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security” (source: http://usgcb.nist.gov/)

Importantly, the USGCB is always positioned as a recommendation for security settings; each Agency is invited to implement a build standard with security settings that go beyond the USGCB. NNT Change Tracker Enterprise can directly utilize the OVAL and SCAP content from the NVD, providing an easy-to-use and highly affordable means to automatically audit devices for compliance with USGCB build standards. Reporting and monitoring templates are simple to modify where extended build-standard requirements need to be incorporated.

Better still, Change Tracker will then continuously operate the NIST 800-53 controls for ‘Software, Firmware and Information Integrity’ and ‘Configuration Management Policy and Procedures’. In addition, NNT Change Tracker is one of only a few products that have been certified by the Center for Internet Security for reliably and accurately auditing CIS Benchmark checklists.

How NNT Interacts with the NIST Compliance Standard

Access Control

Key Security Controls: AC-3 ACCESS ENFORCEMENT, AC-6 LEAST PRIVILEGE, AC-7 UNSUCCESSFUL LOGON ATTEMPTS, AC-8 SYSTEM USE NOTIFICATION, AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION, AC-11 SESSION LOCK, AC-12 SESSION TERMINATION, AC-17 REMOTE ACCESS

Security Control Highlights: AC-7 UNSUCCESSFUL LOGON ATTEMPTS, AC-12 SESSION TERMINATION

NIST 800-53 Supplemental Guidance Precis: AC-7 enforces a limit on consecutive invalid logon attempts by a user during a defined time period and automatically locks the account/node for a defined time period when the maximum number of unsuccessful attempts is exceeded. AC-12 addresses the termination of user-initiated logical sessions.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Contemporary operating system platforms provide support for detailed security policy settings covering Password and Account Lockout Policies, but these must all be set correctly and enforced. NNT is a Certified CIS Vendor and, as such, accurately delivers the industry-standard configuration hardening guidance from the CIS Benchmarks. This means you are assured of always having the latest expert configuration settings to minimize your organization's attack surface.

Awareness and Training

Key Security Controls: AT-1 SECURITY AWARENESS AND TRAINING POLICY

Security Control Highlights: AT-1 SECURITY AWARENESS AND TRAINING POLICY

NIST 800-53 Supplemental Guidance Precis: Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, and generating email advisories.

How does NNT Change Tracker Gen 7™ satisfy the requirement? See https://www.newnettechnologies.com/sans-institute-posters-summaries.html

Audit and Accountability

Key Security Controls: AU-2 AUDIT EVENTS, AU-3 CONTENT OF AUDIT RECORDS, AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING, AU-7 AUDIT REDUCTION AND REPORT GENERATION, AU-8 TIME STAMPS, AU-9 PROTECTION OF AUDIT INFORMATION

Security Control Highlights: AU-2 AUDIT EVENTS

NIST 800-53 Supplemental Guidance Precis: Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Configuration of a comprehensive audit policy is key: get it right and you will capture a forensic audit trail of user activities suitable for pre-empting an attack and for reconstructive forensic analysis post-breach. Get it wrong and you will miss crucial events and likely be swamped with spurious log data. NNT provides Configuration Remediation Kits to automatically set a NIST auditor-class audit policy on all platforms, backed with Certified CIS reports to continuously validate and enforce adherence. Note: NNT Log Tracker™ can also be employed to analyze and back up logs.

Security Assessment and Authorization

Key Security Controls: CA-2 SECURITY ASSESSMENTS, CA-7 CONTINUOUS MONITORING

Security Control Highlights: CA-2 SECURITY ASSESSMENTS, CA-7 CONTINUOUS MONITORING

NIST 800-53 Supplemental Guidance Precis: CA-2 Security assessments ensure that information security is built into organizational information systems, identify weaknesses and deficiencies early in the development process, and ensure compliance with vulnerability mitigation procedures. CA-7 The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions.

How does NNT Change Tracker Gen 7™ satisfy the requirement? The built-in NIST 800-53 report in Change Tracker™ assesses the configured state of your IT estate for compliance with the key NIST Security Controls, giving a simple percentage score with clear remediation guidance wherever non-compliance is highlighted. Thereafter Change Tracker™ provides real-time monitoring of core configuration settings covering installed software, running processes, services and startup states, registry keys, user accounts, audit and security policy, open network ports and the overall integrity of the filesystem.

Configuration Management

Key Security Controls: CM-2 BASELINE CONFIGURATION, CM-3 CONFIGURATION CHANGE CONTROL, CM-4 SECURITY IMPACT ANALYSIS, CM-6 CONFIGURATION SETTINGS, CM-7 LEAST FUNCTIONALITY, CM-11 USER-INSTALLED SOFTWARE

Security Control Highlights: CM-2 BASELINE CONFIGURATION, CM-3 CONFIGURATION CHANGE CONTROL, CM-6 CONFIGURATION SETTINGS

NIST 800-53 Supplemental Guidance Precis: Baseline configurations serve as a basis for future builds, releases, and changes to information systems. Baseline configurations include information about information system components (e.g., software packages installed; current version numbers/patch information on operating systems/applications; configuration settings/parameters). Maintaining baseline configurations requires creating new baselines as organizational information systems change over time.

How does NNT Change Tracker Gen 7™ satisfy the requirement? As well as the pre-built NIST compliance reports, any device being monitored can have its configured state captured as a dynamically generated Baseline Report, providing a point-in-time record to compare with other devices or with future points in time.

For Change Control, Change Tracker™ utilizes a unique control system known as 'Closed Loop Intelligent Change Control', literally learning which changes within your environment are normal and applying threat-based logic to the automation of change approvals.
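The baseline-and-drift logic this section describes (a CM-2 baseline snapshot, CM-3 reconciliation of what actually changed against an approved planned change, and the percentage compliance score mentioned under Security Assessment and Authorization), as an added Python example. This is not NNT's code and does not describe how Change Tracker™ is implemented: the setting names and values are constructed, the ticket identifier is a placeholder, and the hardening checks are illustrative rather than taken from any CIS or NIST benchmark.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample snapshots (setting name -> recorded value); not from a real device.
# BASELINE is the approved build state captured earlier (CM-2).
BASELINE: Dict[str, str] = {
    "account_lockout_threshold": "5",
    "account_lockout_duration_min": "15",
    "password_min_length": "14",
    "audit_logon_events": "Success,Failure",
    "service.telnet.startup": "disabled",
    "installed.openssl": "1.1.1k",
}

# CURRENT is the same device captured later: one planned upgrade, one weakened
# setting, and one package that nobody requested.
CURRENT: Dict[str, str] = {
    "account_lockout_threshold": "5",
    "account_lockout_duration_min": "15",
    "password_min_length": "8",
    "audit_logon_events": "Success,Failure",
    "service.telnet.startup": "disabled",
    "installed.openssl": "1.1.1l",
    "installed.netcat": "1.10",
}

# Planned-change record (CM-3): the exact transition an approved ticket authorised.
# The ticket id is a hypothetical placeholder.
APPROVED_CHANGES: Dict[Tuple[str, Optional[str], Optional[str]], str] = {
    ("installed.openssl", "1.1.1k", "1.1.1l"): "CHG-0001 (placeholder ticket id)",
}

# Illustrative hardening checks (not a real CIS/NIST benchmark): value -> pass/fail.
CHECKS: Dict[str, Callable[[Optional[str]], bool]] = {
    "account_lockout_threshold": lambda v: v is not None and 1 <= int(v) <= 5,
    "password_min_length": lambda v: v is not None and int(v) >= 14,
    "service.telnet.startup": lambda v: v == "disabled",
    "audit_logon_events": lambda v: v == "Success,Failure",
}


@dataclass(frozen=True)
class Drift:
    setting: str
    old: Optional[str]  # None when the setting did not exist in the baseline
    new: Optional[str]  # None when the setting has disappeared


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Drift]:
    """Return every setting whose value differs between two snapshots, sorted by name."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift.append(Drift(key, old, new))
    return drift


def reconcile(drift: List[Drift], approved) -> Tuple[List[Tuple[Drift, str]], List[Drift]]:
    """Split drift into changes matching an approved planned change and the rest.

    Only the exact (setting, old, new) transition counts as approved, so a change
    that lands on an unexpected value, or a setting touched outside any ticket,
    stays in the unapproved list for review.
    """
    matched, unapproved = [], []
    for d in drift:
        ticket = approved.get((d.setting, d.old, d.new))
        if ticket is not None:
            matched.append((d, ticket))
        else:
            unapproved.append(d)
    return matched, unapproved


def compliance_score(snapshot: Dict[str, str], checks) -> Tuple[float, List[str]]:
    """Percentage of checks the snapshot passes, plus the names of the failing ones."""
    failing = [name for name, ok in checks.items() if not ok(snapshot.get(name))]
    score = 100.0 * (len(checks) - len(failing)) / len(checks)
    return round(score, 1), failing


if __name__ == "__main__":
    drift = detect_drift(BASELINE, CURRENT)
    matched, unapproved = reconcile(drift, APPROVED_CHANGES)
    for d, ticket in matched:
        print(f"approved   {d.setting}: {d.old} -> {d.new} ({ticket})")
    for d in unapproved:
        print(f"UNAPPROVED {d.setting}: {d.old} -> {d.new}")
    score, failing = compliance_score(CURRENT, CHECKS)
    print(f"compliance {score}% (failing: {', '.join(failing) or 'none'})")
```

Run as a script, the OpenSSL upgrade is reported as approved against its ticket, while the weakened password length and the unrequested package surface as unapproved drift, and the compliance score drops from 100% to 75% because one check now fails. Matching on the full (setting, old, new) tuple rather than on the setting name alone is what stops a ticket for one change from silently covering a different change to the same setting.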

Contingency Planning

Key Security Controls: CP-1 CONTINGENCY PLANNING POLICY

Security Control Highlights: CP-1 CONTINGENCY PLANNING POLICY

NIST 800-53 Supplemental Guidance Precis: Backups, Disaster Recovery planning, resources and facilities.

Identification and Authentication

Key Security Controls: IA-1 IDENTIFICATION AND AUTHENTICATION POLICY

Security Control Highlights: IA-1 IDENTIFICATION AND AUTHENTICATION POLICY

NIST 800-53 Supplemental Guidance Precis: Identity Management and Authentication; see http://idmanagement.gov

Incident Response

Key Security Controls: IR-4 INCIDENT HANDLING

Security Control Highlights: IR-4 INCIDENT HANDLING

NIST 800-53 Supplemental Guidance Precis: The organization employs automated mechanisms to support the incident handling process. The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Change Tracker™ cuts out the 'alert fatigue' and 'change noise' associated with traditional integrity monitoring systems like Tripwire®. By leveraging NNT FAST™ (File Approved-Safe Technology) Cloud, file changes are automatically validated against an authoritative file whitelist. This radically shortens the incident response process by highlighting only genuinely suspicious activities.

In addition, because Change Tracker™ identifies Who Made the Change, investigation tasks are greatly simplified.

Maintenance

Key Security Controls: MA-2 CONTROLLED MAINTENANCE

Security Control Highlights: MA-2 CONTROLLED MAINTENANCE

NIST 800-53 Supplemental Guidance Precis: The organization: (a) employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

How does NNT Change Tracker Gen 7™ satisfy the requirement? All changes are captured and presented clearly for review and approval.

Change Tracker™ integrates with change management systems such as ServiceNow® to automate the flow of approved planned changes, reconciling what actually changed with the expected approved-change profile.

Media Protection

Key Security Controls: MP-2 MEDIA ACCESS, MP-5 MEDIA TRANSPORT

Security Control Highlights: MP-2 MEDIA ACCESS, MP-5 MEDIA TRANSPORT

NIST 800-53 Supplemental Guidance Precis: Information system media includes digital media. Restricting access to digital media includes limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used.

How does NNT Change Tracker Gen 7™ satisfy the requirement? User permissions and network segregation all rely on secure configuration settings and tightly governed change control. Change Tracker™ NIST Compliance Reports will show if user rights are incorrectly set, and any configuration 'drift' will be clearly exposed to allow review and remediation. Encryption services and settings, such as MS BitLocker, can similarly be automatically reviewed and benchmarked for security.

Physical & Environmental Protection

Key Security Controls: PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY

Security Control Highlights: PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

NIST 800-53 Supplemental Guidance Precis: The organization develops, documents, and disseminates a physical and environmental protection policy.

Planning

Key Security Controls: PL-1 SECURITY PLANNING POLICY

Security Control Highlights: PL-1 SECURITY PLANNING POLICY AND PROCEDURES

NIST 800-53 Supplemental Guidance Precis: Security plans relate security requirements to a set of security controls and control enhancements.

Personnel Security

Key Security Controls: PS-1 PERSONNEL SECURITY POLICY

Security Control Highlights: PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

NIST 800-53 Supplemental Guidance Precis: The organization develops, documents, and disseminates a personnel security policy.

Risk Assessment

Key Security Controls: RA-5 VULNERABILITY SCANNING

Security Control Highlights: RA-5 VULNERABILITY SCANNING

NIST 800-53 Supplemental Guidance Precis: Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms.

How does NNT Change Tracker Gen 7™ satisfy the requirement? NNT provides regularly updated CIS-based NIST compliance reports to identify vulnerabilities on a huge range of platforms, applications and network appliances. Open ports can be tracked using both external and internal scans, and using the Baseline Report a clear hardened-build state can be recorded for any device or device type. Change Tracker™ provides continuous configuration monitoring, and any drift from the organizational build standard will be clearly highlighted. Similarly, installed software and updates can be baselined, including the installed version.

System and Services Acquisition

Key Security Controls: SA-8 SECURITY ENGINEERING PRINCIPLES, SA-10 DEVELOPER CONFIGURATION MANAGEMENT

Security Control Highlights: SA-8 SECURITY ENGINEERING PRINCIPLES, SA-10 DEVELOPER CONFIGURATION MANAGEMENT

NIST 800-53 Supplemental Guidance Precis: Maintaining the integrity of changes to the information system, component, or service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Change Tracker™ will monitor the integrity of anything, including file attributes, hash values, and file contents (JavaScript, HTML, XML, ASPX, JSON etc.), any output of a command or script, and Oracle or SQL database schema, on any platform, including Linux, Windows, AIX, Solaris, HP-UX and ESX, and any network device such as firewalls, routers and switches.

Providing coverage for all development tools, files, hardware, software, and firmware is a standard function of Change Tracker Gen7™.

System & Comms Protection

Key Security Controls: SC-7 BOUNDARY PROTECTION, SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY, SC-10 NETWORK DISCONNECT, SC-23 SESSION AUTHENTICITY

Security Control Highlights: SC-7 BOUNDARY PROTECTION, SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

NIST 800-53 Supplemental Guidance Precis: Restricting interfaces within organizational information systems includes restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.

Cryptographic mechanisms implemented to protect information integrity include cryptographic hash functions.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Managing firewall rules and settings is an essential task in safeguarding boundary protection. Change Tracker™ will provide visibility of any changes made, with a complete step-by-step audit trail of interim changes. At each stage a full baseline of settings is also retained for review, and different devices and/or points in time can be compared to the Gold Build Standard.

For end-points, session security, authenticity and disconnect settings can be expertly assessed against industry best practice using CIS Secure Configuration Guidance, and any shortcomings will be highlighted for remediation.

System & Information Integrity

Key Security Controls: SI-3 MALICIOUS CODE PROTECTION, SI-4 INFORMATION SYSTEM MONITORING, SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Security Control Highlights: SI-3 MALICIOUS CODE PROTECTION, SI-4 INFORMATION SYSTEM MONITORING, SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

NIST 800-53 Supplemental Guidance Precis: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (including kernels and drivers), middleware, and applications. Firmware includes the BIOS. Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g. cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and applications.

How does NNT Change Tracker Gen 7™ satisfy the requirement? Change Tracker™ provides instant, real-time detection of file integrity changes, using SHA-2 or higher hash validation, for all system files and configuration settings, for all devices and platforms.

Working in conjunction with NNT FAST™ Cloud, as changes are detected, files can be assessed against a 'known good' whitelist of proven-safe files in order to reduce change noise and more clearly expose zero-day malware that would otherwise evade traditional anti-virus technology.
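The hash-based integrity check behind SI-7 and the 'known good' allowlist idea described above, as an added stand-alone Python example using only the standard library. It is not NNT's code and is not the FAST™ Cloud service: the sample files are created in a temporary directory, and the known-good set is a single constructed digest standing in for a trusted allowlist. A modification or new file is only classed as known-good when its new digest itself appears on that allowlist; every other difference, including a deletion, is left as suspect for review, since the absence of a file cannot be vouched for by any hash.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

Report = Dict[str, List[Tuple[str, str]]]


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verdict(digest: str, known_good: Set[str]) -> str:
    """A change is trusted only if the resulting content is on the allowlist."""
    return "known-good" if digest in known_good else "suspect"


def compare_baselines(before: Dict[str, str], after: Dict[str, str],
                      known_good: Set[str]) -> Report:
    """Classify every difference between two baselines as added/modified/removed,
    each tagged with a verdict so that only unexplained changes need investigation."""
    report: Report = {"added": [], "modified": [], "removed": []}
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old == new:
            continue  # unchanged: contributes no noise to the report
        if old is None:
            report["added"].append((path, verdict(new, known_good)))
        elif new is None:
            report["removed"].append((path, "suspect"))  # no digest can vouch for a deletion
        else:
            report["modified"].append((path, verdict(new, known_good)))
    return report


def demo() -> Report:
    """Constructed end-to-end scenario: baseline, make four kinds of change, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "tool").write_bytes(b"stand-in binary, version 1\n")
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "etc" / "legacy.conf").write_text("enabled=no\n")
        before = build_baseline(root)

        # Constructed allowlist: the digest of the patched binary a vendor would publish.
        patched = b"stand-in binary, version 2\n"
        known_good = {hashlib.sha256(patched).hexdigest()}

        (root / "bin" / "tool").write_bytes(patched)                   # approved update
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")     # unexplained edit
        (root / "etc" / "legacy.conf").unlink()                        # file removed
        (root / "bin" / "helper").write_bytes(b"unrecognised file\n")  # unknown new file
        after = build_baseline(root)
        return compare_baselines(before, after, known_good)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for path, status in entries:
            print(f"{kind:9s} {status:11s} {path}")
```

Of the four changes in the scenario, only the binary update matches the allowlist; the widened listen address, the deleted file and the unrecognised new file all come back as suspect, which is the reduced set an analyst would actually review.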

 

Download the PDF: NNT Change Tracker Gen 7 Solutions Mapped To NIST SP 800-53 Controls

Download NIST 800-53 Reports

 

Copyright 2017, New Net Technologies Ltd. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies Ltd.
All other product, company names and trademarks are the property of their respective owners.