Enhancing cybersecurity risk management with NIST 800-53
The NIST 800-53 standard offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems. NIST SP 800-53 Revision 5 is a cybersecurity risk management tool for CIOs and CISOs. This framework provides a benchmark for cyber risk quantification, so security leaders can assess risks, measure outcomes, and communicate with C-level executives about where budgeting should be set for cybersecurity.
With this guide, learn how to navigate the evolving landscape of cybersecurity risk management and apply NIST 800-53 compliance practices to your organization.
What is NIST 800-53?
NIST 800-53 is a security compliance standard created by the U.S. Department of Commerce and the National Institute of Standards and Technology (NIST) in response to cybersecurity threats from national adversaries.
It was first instituted in 2005 and has gone through several revisions over the last decade and a half. In 2019 the 5th revision was published. As digital technology has become more integrated with our infrastructure and work environments, the standard has evolved to cover privacy as well as security controls and to promote integration with cybersecurity and risk management initiatives.
It is closely tied to the Federal Information Processing Standards (FIPS): FIPS requires that organizations implement a minimum baseline of security controls as defined in NIST 800-53. Additionally, NIST aids organizations in complying with the Federal Information Security Modernization Act (FISMA), which includes privacy and security guidelines as part of administering federal programs.
The standard is mandatory for information systems associated with the federal government; for private organizations, adopting NIST 800-53 is voluntary. In that sense, it is not a set of rules, controls, or tools imposed from outside. Rather, it offers processes that help organizations measure the maturity of their current cybersecurity and risk management systems and take steps to strengthen them.
What is the goal of NIST 800-53?
It is a framework of guidelines and standards that helps companies better manage and reduce cybersecurity risks. Once adopted, NIST 800-53 provides a framework of privacy and security controls for protecting against a variety of threats, from natural disasters to hostile attacks.
Who must comply?
NIST 800-53 is mandatory for all organizations associated with federal information systems. However, its guidelines are voluntary for any organization (state, local, tribal governments; private companies, including SMBs and enterprises) operating an information system with sensitive or regulated data.
What are the benefits?
The most prominent benefit of NIST 800-53 is more secure information systems. Organizations that adopt the standard are much better equipped to select the appropriate basic security controls, policies, and procedures to protect information security and privacy.
The standards laid out in NIST 800-53 are easy to understand and apply. It is meant to be customized; organizations can prioritize the activities that will help them improve their security systems. Additionally, as a technology-agnostic framework, it encourages organizations to use systems that will help them comply with other regulations and programs like HIPAA, DFARS, PCI DSS, and GDPR.
It is risk-based — it helps organizations determine which assets are most at risk and take steps to protect them first. It allows the cybersecurity leadership team to:
- Gain a better understanding of current security risks
- Prioritize the activities that are the most critical
- Identify mitigation strategies
- Evaluate potential tools and processes
- Measure the ROI of cybersecurity investments
Finally, NIST 800-53 helps cybersecurity leaders with cyber risk quantification, measuring the risk to a business or organization. With a benchmark for potential threats and pitfalls, the CIO and CISO can communicate effectively with all stakeholders, including IT, business, and executive teams.
Security Controls
NIST 800-53 has a broad catalog of security and privacy controls and guidance for selecting them. Every organization has unique compliance requirements and can choose controls based on the protection requirements of its content types. This starts with a careful risk assessment and an analysis of the impact an incident would have on each type of data and information system. FIPS 199 defines three impact levels:
- Low — Loss would have a limited adverse impact.
- Moderate — Loss would have a serious adverse impact.
- High — Loss would have a catastrophic impact.
Security Control Families
NIST 800-53 controls are allocated into the following 20 families:
| ID | Family Name | Examples of Controls |
| --- | --- | --- |
| AC | Access Control | Account management and monitoring; least privilege; separation of duties |
| AT | Awareness and Training | User training on security threats; technical training for privileged users |
| AU | Audit and Accountability | Content of audit records; analysis and reporting; record retention |
| CA | Assessment, Authorization, and Monitoring | Connections to public networks and external systems; penetration testing |
| CM | Configuration Management | Authorized software policies; configuration change control |
| CP | Contingency Planning | Alternate processing and storage sites; business continuity strategies; testing |
| IA | Identification and Authentication | Authentication policies for users, devices, and services; credential management |
| IP | Individual Participation | Consent and privacy authorization |
| IR | Incident Response | Incident response training, monitoring, and reporting |
| MA | Maintenance | System, personnel, and tool maintenance |
| MP | Media Protection | Access, storage, transport, sanitization, and use of media |
| PA | Privacy Authorization | Collection, use, and sharing of personally identifiable information (PII) |
| PE | Physical and Environmental Protection | Physical access; emergency power; fire protection; temperature control |
| PL | Planning | Social media and networking restrictions; defense-in-depth security architecture |
| PM | Program Management | Risk management strategy; insider threat program; enterprise architecture |
| PS | Personnel Security | Personnel screening, termination, and transfer; external personnel; sanctions |
| RA | Risk Assessment | Risk assessment; vulnerability scanning; privacy impact assessment |
| SA | System and Services Acquisition | System development lifecycle; acquisition process; supply chain risk management |
| SC | System and Communications Protection | Application partitioning; boundary protection; cryptographic key management |
| SI | System and Information Integrity | Flaw remediation; system monitoring and alerting |
How to achieve NIST 800-53 compliance
Achieving NIST 800-53 compliance begins with an audit of existing information and security systems. The following best practices aid in selecting and implementing the appropriate measures for NIST 800-53 compliance.
- Identify your sensitive data. Find out what kind of data the organization deals with; where it is stored; and how it is received, maintained, and transferred. Sensitive data is not always centrally located – it can be in multiple systems and applications.
- Classify sensitive data. What is the value and sensitivity of the data? Assign each information type an impact value (low, moderate, or high) for each security objective (confidentiality, integrity, and availability), and categorize it at the highest impact level. Consider FIPS 199 for relevant security categories and impact levels that relate to your organizational goals, mission, and business success. Automate discovery and classification to streamline the process and ensure consistent, reliable results.
- Evaluate your current level of cybersecurity with a risk assessment. A risk assessment involves identifying risks, assessing the likelihood of their occurrence and impact, taking steps to mitigate the most critical risks, and then assessing the effectiveness of those steps.
- Document a plan to improve your policies and procedures. What controls fulfill the specific business needs? The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. Record the plan and rationale for each policy and procedure.
- Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
- Make compliance an ongoing process. Once the system is in compliance with NIST 800-53, it is a matter of maintenance and consistent improvement based on system audits, changes to security standards, or a security incident.
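The FIPS 199 impact levels introduced in the Security Controls section and the classification step above (assign a low/moderate/high impact to each information type for confidentiality, integrity, and availability, then categorize at the highest level) amount to a small, mechanical calculation that is easy to get wrong when done by hand across a large data inventory. The script below is an added example, not tooling from NIST or from this article's author: it encodes that calculation and reports the per-objective category of each information type, the system-wide category (each objective takes its highest impact across all types), and the overall impact level that drives baseline selection. The information type names and impact values are constructed sample data, and the function names are the example's own.

```python
"""FIPS 199 security categorization with the high-water-mark rule.

Added example (not NIST's own tooling, not code from the article). The
inventory at the bottom is constructed sample data; real inventories come
from the data discovery and classification step described in the text.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Ordinal ranking of the FIPS 199 impact levels (higher number = worse outcome).
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
# The three security objectives each information type is rated against.
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of data the organization handles, with an impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validate(level: str) -> str:
    """Normalize an impact level and reject anything outside FIPS 199's three values."""
    level = level.strip().lower()
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level: {level!r} (expected low/moderate/high)")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the most severe impact level among those given."""
    validated = [_validate(level) for level in levels]
    if not validated:
        raise ValueError("no impact levels supplied")
    return max(validated, key=IMPACT_RANK.__getitem__)


def security_category(info_type: InformationType) -> dict[str, str]:
    """FIPS 199 security category of a single information type: impact per objective."""
    return {obj: _validate(getattr(info_type, obj)) for obj in OBJECTIVES}


def system_security_category(info_types: Iterable[InformationType]) -> dict[str, str]:
    """Category of a system holding several information types.

    For each objective, the system inherits the highest impact any of its
    information types carries for that objective.
    """
    types = list(info_types)
    return {obj: high_water_mark(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def baseline_for(info_types: Iterable[InformationType]) -> str:
    """Overall system impact level: the high water mark across the three objectives.

    This single level (low, moderate, or high) is what selects the matching
    NIST 800-53 control baseline.
    """
    return high_water_mark(system_security_category(info_types).values())


def format_sc(sc: dict[str, str]) -> str:
    """Render a category in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {sc[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}"


# Constructed sample inventory (hypothetical data, for illustration only).
SAMPLE_INVENTORY = [
    InformationType("customer PII", "moderate", "moderate", "low"),
    InformationType("public website content", "low", "moderate", "moderate"),
    InformationType("payroll records", "moderate", "high", "low"),
]

if __name__ == "__main__":
    for t in SAMPLE_INVENTORY:
        print(f"{t.name:<24} {format_sc(security_category(t))}")
    print(f"{'system':<24} {format_sc(system_security_category(SAMPLE_INVENTORY))}")
    print(f"{'baseline':<24} {baseline_for(SAMPLE_INVENTORY)}")
```

Note how a single "high" integrity rating on payroll records pulls the whole system to the high baseline even though every other rating is moderate or low; this is the practical consequence of the high-water-mark rule, and it is the usual argument for isolating such data in its own system so the rest of the estate can be categorized, and controlled, at a lower level.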
See how rapid change is affecting cybersecurity.
Recent media coverage is full of reports of ever-more-sophisticated cyberattacks. RedMonocle has produced an industry intelligence report detailing CISOs' strategies for responding across five critical areas. Download this free resource today.