The Ultimate Guide to
NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems
What is NIST SP 800-53?
Developed by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is a collection of specific safeguarding measures that can be used to protect an organization’s operations and data and the privacy of individuals. In fact, NIST SP 800-53 is considered the gold standard for information security and is cross-referenced by many other industry-accepted security standards.
Any organization, regardless of its size, sector, or technology environment, can use NIST SP 800-53 security and privacy controls to maintain the security of its information systems and mitigate privacy risks. The controls can be customized and implemented as part of a firm-wide process to manage risks such as hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
Can NIST SP 800-53 improve my security system?
Yes. Although NIST SP 800-53 was originally designed for use by U.S. federal government agencies, it can help organizations in all industries improve the security of their information systems. NIST SP 800-53 contains a set of security and privacy safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud systems, mobile systems, industrial control systems, and Internet of Things (IoT) devices.
The consolidated control catalog addresses security and privacy from a functionality perspective and an assurance perspective. Addressing functionality and assurance helps an organization gain confidence that its information technology products and the systems that rely on those products are sufficiently trustworthy.
In many cases, implementing NIST SP 800-53 Rev 5 will help organizations ensure NIST 800-53 compliance with other regulations that deal with cyber risk and information security, such as HIPAA, FISMA, or SOX, because many other frameworks use NIST as the reference framework.
NIST SP 800-53 control families
According to NIST SP 800-53 Rev. 5, controls can be viewed as “descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements.”
NIST SP 800-53 Rev. 5 lists 20 families of controls that provide operational, technical, and managerial safeguards to ensure the privacy, integrity, and security of information systems.
Each family holds controls that are related to the specific topic of the family. Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, and automated mechanisms that are implemented by systems. Below is a table that lists the security and privacy control families and their associated family identifiers.
Families of controls contain base controls and control enhancements, which are directly related to their base controls. Control enhancements either add functionality or specificity to a base control or increase the strength of a base control. Control enhancements should be used in systems and environments of operation that require greater protection than the protection provided by the base control.
SP 800-53 Rev. 5 security and privacy controls follow a standardized structure: a base control section, a discussion section, a related controls section, a control enhancements section, and a references section. Figure 1 illustrates the structure of a typical control.
Many organizations have chosen to use NIST SP 800-53 controls as the baseline for their security and privacy controls because the controls in the catalog, with a few exceptions, are policy-, technology-, and sector-neutral; they focus on the fundamental measures necessary to protect information and the privacy of individuals across the information lifecycle.
However, It is up to each organization to analyze each security and privacy control for its applicability to their specific technologies, environments of operation, mission, and business functions and tailor the controls that have variable parameters. To access the entire SP 800-53 controls catalog, you can visit the NIST SP 800-53 rev. 5 publication or sign up for Hyperproof.
To help organizations figure out which specific controls from the SP 800-53 Rev. 5 catalog they should implement to suit their unique situation, NIST has published a companion publication, titled SP 800-53B.
5 control families to pay attention to
Since SP 800-53 Rev. 5 has 20 control families, it’s important that you prioritize your efforts based on the areas that will have the highest impact. In today’s environment, where many people are now working from home, potentially using unauthorized networks and applications and their personal devices, you’ll need to pay particular attention to five control families to ensure adequate protection of your systems: Access Control, Configuration Management, Control Assessments, Monitoring/Logging, and Training.
1. Access control family
This control family addresses who or what can view or use resources in a computing environment.
2. Awareness and training family
Organizations should provide foundational and advanced levels of awareness training to system users, including measures to test users’ knowledge level.
3. Audit and accountability family
To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time.
4. Control assessment (authorization and monitoring) family
Policies and procedures help provide security and privacy assurance.
5. Configuration management family
Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture.
Those control families cover the basics and will give you a minimal level of protection. From there, you can work on the other areas.
What are control baselines in NIST SP 800-53B?
NIST SP 800-53B, Control Baselines for Information Systems and Organizations, provides security and privacy control baselines for the Federal Government and private sector organizations. SP 800-53B is a companion publication to SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.
SP 800-53B includes three security control baselines (one for each system impact level: low-impact, moderate-impact, and high-impact), as well as a privacy control baseline that is applied to systems irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing PII based on privacy program responsibilities under OMB Circular A-130.
Baselines are there to help organizations select a set of controls for their systems that is commensurate with their security and privacy risk. According to NIST guidance, the security baseline selected for systems should be “commensurate with the potential adverse impact on an organization’s operations, organizational assets, individuals, and other organizations if there is a loss of confidentiality, availability or integrity.” Here’s what the three levels mean:
- A low-impact system is defined as a system in which all three of the security objectives are low;
- A moderate-impact system is a system in which at least one of the security objectives is moderate and no security objective is high;
- A high-impact system is a system in which at least one security objective is high.
Once an organization has selected an appropriate security baseline, they would tailor the controls to align them more closely with the specific security and privacy requirements identified by the organization. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individual’s privacy interests, laws, executives, orders, policies, regulations, or industry best practices.
Here are some ways in which controls can be tailored:
- Identify and designate common controls
- Apply scoping considerations
- Selecting compensating controls
- Assign values to organization-defined control parameters via explicit assignment and selection operations
- Supplement baselines with additional controls and control enhancements
What’s the difference between NIST CSF and NIST 800-53?
NIST Cybersecurity Framework (CSF) is a subset of NIST SP 800-53 Rev 5. Given that NIST CSF is more limited in scope, starting with NIST CSF may be a reasonable choice for smaller companies that need a set of “best practices” to align to.
Exploring the structure of the NIST CSF framework core
At the core of the NIST Cybersecurity Framework (CSF) lies the Framework Core, a set of guidelines that outlines five critical cybersecurity functions necessary for a robust security program. These functions offer a high-level categorization of cybersecurity outcomes and are supported by more detailed levels of guidance: categories, subcategories, and informative references.
Here’s a breakdown of the Framework Core’s elements:
- Functions: The primary functions serve as the foundational pillars for cybersecurity activities. These include Identify, Protect, Detect, Respond, and Recover.
- Categories: For more detailed organization, each primary function is broken down into categories. These are specific outcomes like “Asset Management,” “Access Control,” and “Incident Detection.”
- Subcategories: To drill down further, categories are divided into subcategories, describing precise security outcomes such as “Maintenance of an inventory of information systems” or “Protections against unauthorized access to data.”
- Informative References: These references provide concrete examples of how to achieve the desired outcomes described in the subcategories. They often refer to sections of established standards and guidelines, including but not limited to COBIT, ISO/IEC standards, CIS Controls, and other NIST publications.
The accompanying visual, which can be found in Appendix A of the CSF, depicts the interplay between the functions, categories, subcategories, and informative references concerning the “Respond” function.
This appendix acts as a comprehensive checklist, allowing cybersecurity teams to verify their program against the Framework Core’s functions, ensuring that necessary categories and subcategories are in place and align with the associated informative references’ guidance.
Does NIST SP 800-53 overlap with other security frameworks?
Nearly all other frameworks and certification programs use NIST SP 800-53 or ISO 27001 as a baseline reference. In fact, NIST SP 800-53 has broad overlap with most security and privacy frameworks. For instance, the security controls from NIST SP 800-53 Rev.5 map to the ISO 27001:2013, a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks.
However, similar topics may be addressed in two security control sets that may be of different context, perspective, or scope. Each organization still needs to assess whether a control taken from NIST SP 800-53 would fully satisfy requirements of ISO 27001 without modification.
What are the best practices for NIST SP 800-53 compliance?
To work your way towards full compliance, you’ll need to understand and work through some key steps:
Start by locating and securing all your sensitive data and then classifying it based on your business policy. You want to conclude this phase of discovery with knowledge of your sensitive data, the vulnerabilities within your system, and potential threats in your environment.
Here you want to establish an understanding of who can access what data. The critical action step is identifying all user, group, folder, and file permissions within your system.
Managing access starts with creating rules to govern who can access what information. These rules must be well known and strictly enforced. Action steps for improved access control involve inactivating stale user accounts, proactively managing user and group memberships, and working from a “least privilege” model, which involves giving users the least amount of access they need to do their job.
Start by keeping records of how users access systems and data files. Use these records to create a baseline of regular activity to help identify anomalies such as weird access locations, rapid access upgrades, and sudden mass movements of data. Be sure to install a set of controls designed to monitor and detect insider threats, malware, and misconfigurations. Any vulnerabilities, anomalies, or attempted breaches should be discovered and remediated quickly.
It’s important to educate your employees on what they need to do (and what to avoid) to keep networks and company data secure. Management should provide employees with tactical knowledge on how to deal with the cyber threats organizations are most likely to face, such as email scams, malware, insecure passwords, unsafe internet browsing habits, removable media, etc.
NIST SP 800-53 recommends organizations deploy security assessment tools to gauge their real-time security posture. These software tools, created by security experts, measure the effectiveness of all organizational security measures and suggest system improvements based on empirical evidence.
But once your team has installed the appropriate controls and implemented NIST SP 800-53 security and privacy controls, you’ll need to make sure that your controls are implemented correctly and produce the desired outcome for meeting your organization’s security requirements.
NIST Special Publication 800-53A establishes standard assessment procedures to assess security controls’ effectiveness in information systems, specifically those controls listed in NIST SP 800-53. These recommended assessment procedures provide a starting point for developing more specific procedures and can be supplemented by your organization if it’s deemed necessary according to your risk assessment. Keep in mind that your organization may create additional assessment procedures for those security controls not contained in NIST Special Publication 800-53.
NIST 800-53 : Frequently Asked Questions
Hyperproof for NIST SP 800-53 compliance
Organizations can reap significant benefits when they align their security and compliance programs with a recognized framework like NIST SP 800-53, but the comprehensive nature of the guidelines poses adoption challenges.
Hyperproof’s compliance operations software makes it much easier for organizations to adopt NIST SP 800-53 as their cybersecurity framework, along with other industry-leading cybersecurity frameworks. Sign up for a personalized demo to see how we can help you utilize NIST SP 800-53 controls to create an effective and efficiently-managed security program:
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST SP 800-53 ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.