Q&A from FLANK: What is NIST 800-53?
What is NIST 800-53?
A: Simply stated, NIST SP 800-53 is a publication of the National Institute of Standards and Technology (NIST) that catalogs the security and privacy controls that federal organizations and information systems are expected to implement. It applies to all United States federal information systems other than those designated as national security systems, which are governed separately.
The most current version of NIST SP 800-53 is Revision 5, titled “Security and Privacy Controls for Information Systems and Organizations,” finalized by NIST in September 2020 after circulating in draft form since 2017 (Revision 4, from 2013, remains the version many existing authorizations were originally assessed against). Revision 5 dropped the word “Federal” from the title to reflect that the catalog is written for any organization, and it has become one of the most widely used control catalogs in North America and internationally, well beyond the federal agencies it was originally written for.
Many of today’s federal regulatory compliance requirements, DFARS, FISMA, and FedRAMP among them, have adopted core elements of NIST SP 800-53 into their reporting mandates. Since its first publication in 2005, through the current release, NIST 800-53 has consistently required federal agencies, and the contractors that serve them, to implement comprehensive, well-documented, and formalized information security policies, procedures, and processes that protect the confidentiality, integrity, and availability of information and of the systems, organizations, and individuals that depend on it.
When is NIST SP 800-53 Compliance Coming?
Adoption of 800-53 is spreading rapidly. The control families in NIST SP 800-53 collect the core security and privacy practices that federal agencies and their contractors are already expected to follow for information security.
With growing cybersecurity threats creating immense challenges for federal agencies in terms of the confidentiality, integrity, and availability (CIA) of their information, implementing the 800-53 control families has become critical. These requirements are also being pushed down aggressively to contractors providing essential services to federal agencies.
What Does NIST 800-53 Compliance Require?
In practice, NIST 800-53 compliance comes down to two requirements:
1. Documentation
2. Security Tools
How to Stay NIST 800-53 Compliant With Documentation
Spend some time digging into the NIST SP 800-53 publication and you’ll quickly realize the importance of documentation, specifically information security policies and procedures. Each of the 800-53 controls represents a security practice that organizations must not only carry out but also document, which means authoring InfoSec documents is critical. Take the following two (2) control families within 800-53 into consideration:
- Access Control (AC)
- Configuration Management (CM)
It’s simply impossible to fully comply with these control families without comprehensive security policies and procedures in place covering roles, responsibilities, tools used, the various processes, and more. In fact, the first control in every 800-53 family (AC-1, CM-1, and so on) is “Policy and Procedures,” which explicitly requires a documented, approved, and periodically reviewed policy and supporting procedures for that family, so an assessor will ask for the documents before looking at anything technical.
It’s also why FLANK has worked long and hard on developing a wide range of federal compliance policy templates and toolkits for three (3) critical federal compliance mandates (DFARS, FISMA, and FedRAMP) that all rely heavily on the 800-53 framework.
Saving hundreds of hours and thousands of dollars on essential 800-53 policies and procedures is now easier than ever, thanks to FLANK. Visit flank.org to learn more today.
How to Stay NIST 800-53 Compliant with Security Tools
Many of the controls in NIST SP 800-53 will ultimately require organizations to acquire various security tools and solutions. Make no mistake, this can be a heavy investment in terms of time and money. You’ll need to implement security tools and solutions such as:
- File Integrity Monitoring (FIM), supporting SI-7 (Software, Firmware, and Information Integrity)
- Intrusion Detection Systems (IDS), supporting SI-4 (System Monitoring)
- Multi-Factor Authentication (MFA, often called 2FA), required by IA-2 and its enhancements
- Vulnerability scanning, required by RA-5 (Vulnerability Monitoring and Scanning), and more
Acquiring such solutions is just the first step; implementation, maintenance, and continuous monitoring are also necessary, and the assessor will expect evidence (scan reports, alert logs, review records) that each tool is actually operating, not just installed.
What Is the Relationship Between NIST 800-53 and DFARS, FISMA, and FedRAMP?
NIST 800-53 plays a vital role in many of today’s federal regulatory compliance frameworks, especially the reporting requirements of the following three:
- DFARS
- FISMA
- FedRAMP
Let’s take a closer look at each of these to better understand its relationship with 800-53.
How Are DFARS And NIST SP 800-53 Related?
More commonly known as DFARS 800-171 compliance, DFARS clause 252.204-7012 requires federal contractors providing essential services to the Department of Defense (DoD) to implement NIST SP 800-171 on any system that handles covered defense information. The initial deadline was December 31, 2017, so if you missed it, you are already in a non-compliant status and it’s time to get compliant.
As for the NIST SP 800-171 publication itself, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (Revision 1, December 2016), DoD contractors are required to implement its prescribed security requirement “families” for compliance. Most of the individual requirements within the 800-171 families map directly back to 800-53 controls (the requirements were derived from the 800-53 moderate baseline, tailored to remove controls that apply only to federal systems or are not directly related to protecting CUI), further highlighting the significance of 800-53 itself. In fact, you’ll often find practitioners who consider 800-171 a “light” version of 800-53.
DFARS NIST 800-171 compliance nonetheless requires certain documentation to be in place, including a wide range of documented security policies and procedures along with a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for any requirements not yet met. To help save DoD contractors dozens of hours and thousands of dollars on documentation creation, FLANK offers a DFARS NIST 800-171 Compliance All-in-One Toolkit available for instant download at flank.org.
NIST SP 800-171 itself includes a mapping table (Appendix D) between its requirements and the corresponding NIST 800-53 controls, effectively allowing contractors who have already complied with 800-53 to save time when complying with 800-171. It’s fair to assume (and we have seen this) that a large number of DoD contractors are being asked to become both 800-171 and 800-53 compliant. If that’s the case for your organization, start with 800-53 and then map to 800-171. The reverse order does not work as well, because 800-171 covers only a tailored subset of 800-53, so meeting 800-171 alone does not give you 800-53 coverage; starting from 800-53 will save you an immense amount of time and money.
How Are FISMA And NIST SP 800-53 Related?
The Federal Information Security Management Act (FISMA) of 2002, since updated and enhanced as the Federal Information Security Modernization Act (FISMA) of 2014, relies heavily on 800-53 as the basis for FISMA compliance and for what was once called certification and accreditation and is now called assessment and authorization under the Risk Management Framework (NIST SP 800-37). While other “Special Publication” 800-series documents can, and do, play a role in FISMA compliance (together with FIPS 199 for categorizing systems and FIPS 200 for minimum security requirements), 800-53 stands alone as the core control catalog that must be implemented.
And much like DFARS NIST 800-171, compliance with FISMA also requires a wide range of information security policies, procedures, and processes to be in place. Remember that NIST SP 800-53 has a lengthy list of security controls at the LOW, MODERATE, and HIGH baselines (selected according to the system’s FIPS 199 impact level; since Revision 5 the baselines are published separately in NIST SP 800-53B), many of them quite technical in nature. The solution? FLANK offers industry-leading security policy templates and toolkits for helping comply with NIST SP 800-53, and ultimately, FISMA.
How Are FedRAMP And NIST SP 800-53 Related?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Because NIST SP 800-53 is already the control catalog used throughout most, if not all, federal agencies, FedRAMP has adopted it as the primary framework for assessing cloud service providers’ controls.
With the industry-leading security and privacy controls prescribed within NIST SP 800-53, it’s the go-to document for FedRAMP compliance, and for obvious reasons: the FedRAMP Low, Moderate, and High baselines are the corresponding 800-53 baselines with FedRAMP-specific parameter values and additional controls layered on top. Want to become FedRAMP authorized? Then you need a solid understanding of NIST SP 800-53 and its required controls.
Now, there are additional NIST SP documents that come into play for FedRAMP compliance, such as those relating to cloud computing (SP 800-145), risk assessment (SP 800-30), and the Risk Management Framework (SP 800-37). Even so, the control families in NIST SP 800-53 still form the very fabric of FedRAMP compliance. What is NIST 800-53? Hopefully, FLANK has answered that question for you.