Compliance Champions: How MSPs Help SMBs Comply with NIST 800-53

If your clients work with the federal government, it’s quite likely they should be compliant with the National Institute of Standards and Technology (NIST) 800-53 standards, which serve as guidelines to help organizations implement mature information security systems with the ultimate goal of protecting sensitive government information. 

But, with more than 1,000 base controls and enhancements across 20 control families, many small- and mid-sized businesses (SMBs) don’t have the knowledge or capabilities to fully understand all the requirements enough to effectively implement and manage the controls. 

As an MSP, you have a unique opportunity to manage and, in many cases, simplify this process for your existing clients and even attract new clients that need support to effectively manage a NIST 800-53 framework on their own.

First, what is NIST 800-53?

NIST introduced the 800-53 standards in 2005 following the Federal Information Security Management Act (FISMA), which mandated that federal agencies must develop and maintain minimum security standards to protect federal information and federal information systems. Essentially, it’s a risk management framework to meet FISMA requirements.  

Interestingly, on its last revision in 2020, NIST removed the term “federal” to clarify these standards could be applicable to a broader range of organizations and to encourage more framework implementation.

The 20 control families associated with the 1,000 controls are:

1.     Access Control
2.     Awareness and Training
3.     Audit and Accountability
4.     Assessment, Authorization, and Monitoring
5.     Configuration Management
6.     Contingency Planning
7.     Identification and Authentication
8.     Incident Response
9.     Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Personnel Security
15. PII Processing and Transparency
16. Risk Assessment
17. System and Services Acquisition
18. System and Communications Protection
19. System and Information Integrity
20. Supply Chain Risk Management

If you want to take a deeper dive into what NIST 800-53 is and what’s required, check out our in-depth fundamentals page here.

Helping Clients Start Their 800-53 Journey

Starting your clients on their journey towards NIST 800-53 compliance can be tricky, but the framework compliance process will help.

Several benefits come along with being compliant with a specific framework, such as the following: 

• The framework eliminates the guesswork. If your clients access federal information and federal information systems, they won’t be stuck trying to figure out the best way to meet security requirements. Instead, the framework sets the stage. Your clients can use these standards to build a cybersecurity foundation and then mature their programs over time.
• It’s a competitive advantage. Not only will your clients need compliance if they want to bid on federal contracts, but it’s also a great way to win new business over competitors (and a great way for you to attract new clients, too). Being NIST 800-53 compliant demonstrates that your clients take protecting sensitive information seriously and they’re using industry-recognized best practices to do so.
• The framework can help you identify all of your assets across your attack surface and then identify, protect, detect, respond to, and recover from cyber incidents.
• NIST 800-53 can help your clients discover security gaps or weaknesses before threat actors can take advantage of them.
• It crosswalks well with other frameworks and can help your clients if they plan to implement and manage other frameworks, such as CMMC 2.0 and NIST 800-171.

Once your clients understand why they need NIST 800-53 and what it can do for them, you’ll need to help them understand some of the core terminology and requirements. NIST has a guide that can help. FIPS 199: Standards for Security Categorization of Federal Information and Information Systems is a great resource to help your clients get a better understanding of federal information and information system categorization. Before embarking on this adventure, they should understand these areas, as well as three related core security objectives: confidentiality, integrity, and availability.

Next, encourage your clients to explore another guide, FIPS 200, to learn more about minimum security requirements. This is also a great place to give them a high-level look at those 20 control families and 1,000 controls and enhancements so they can get a better understanding of the expectations and outcomes for the journey you’re about to embark on together.

Implementation and Management

If your clients are still managing their security and compliance frameworks with spreadsheets and word processing documents, they might feel overwhelmed thinking they’re going to have to do that for NIST 800-53. 

With 1,000 controls, “ain’t nobody got time for that.”

This is a time for you to shine and impress with the simplification of Apptega as a framework implementation and management tool. This is really important with a framework of this size and scope, particularly because many organizations struggle because the controls aren’t listed in a progressive order. They don’t know where to start or where to grow.

You can draw on existing NIST guidance to help your clients with control implementation. NIST breaks that down into three approaches: common control implementation, system-specific implementation, and hybrid implementation. By choosing one of these approaches, you can work with your clients to develop short- and long-term objectives and establish a plan of focus to implement the framework most effectively. 

You can also help your clients with NIST 800-53 by offering some other best practices for implementation. One way to do that is to look at it in terms of effective risk management. Here are a few suggestions:

• Discover all of the systems, applications, and assets related to their information system.
• Review (categorize) their information systems through the lens of responsibilities, the environment, and user roles.
• Draw on FIPS 199 to determine security control requirements based on security categorization.
• Use the Apptega platform to implement, track, and manage those controls.
•  Use Apptega as a document repository to demonstrate how you’ve implemented the controls.
• Use Apptega’s real-time compliance scoring to determine if the controls function as intended.
• Draw on Apptega’s dashboard to discover security gaps that should be addressed.
• Make a plan to mature the framework (implement additional controls) for a more mature security posture.
• Continuously test and monitor those controls and make changes any time your client’s environment or operations or the NIST 800-53 requirements change.

Acing the Audit With Apptega

You can also use Apptega to help your clients demonstrate NIST 800-53 compliance. There is no NIST 800-53 specific certification process, but your clients should be aware it’s part of the FISMA Certification and Accreditation (C&A) process. There are four key steps: planning and initiation, security certification, security accreditation, and continuous monitoring.

You can use Apptega to develop, manage, and report on framework implementation and the FISMA C&A process. It may also be helpful to show your clients how they can use the platform’s dashboard to get instant compliance scoring anytime. Clients who get familiar with the platform are likely to see compliance gaps more clearly and could even identify issues before attackers take advantage of them — and before they miss a key expectation for the C&A.

With the right support from your MSP, your clients can embark on their NIST 800-53 journey with confidence knowing the process can be developed, implemented, and managed all within a single tool — and with your expertise and support.