How to Use NIST 800-53 (Fifth Revision) to Reduce Cybersecurity Risks
The National Institute of Standards and Technology (NIST) created NIST 800-53 standards as guidance for agencies as they implement and mature information security systems that protect sensitive government information. These standards facilitate federal agencies’ requirements as outlined in the Federal Information Security Management Act (FISMA). NIST SP 800-53 outlines security controls agencies can adopt as part of their cybersecurity management best practices.
In this NIST 800-53 knowledgebase, we take a look at the history of the framework, examine what’s changed in the fifth revision of NIST SP 800-53, explore the guiding principles behind FISMA, overview who should be compliant with the framework, and share ideas about how you can crosswalk NIST 800-53 to other cybersecurity frameworks your organization uses to protect and secure your attack surface and sensitive data.
NIST 800-53 is a set of controls and standards agencies can use to build secure information security systems.
A cybersecurity framework management platform can help you build your NIST 800-53 framework and ensure compliance.
Agencies are expected to meet NIST 800-53 compliance standards as part of FISMA and building secure information security systems.
The purpose of NIST 800-53 is to provide standards that help federal agencies meet FISMA requirements for information security.
In addition to meeting government requirements for agencies, there are a number of benefits of adopting NIST 800-53 controls.
There are more than 1,000 NIST 800-53 controls divided among 20 control families for policy, supervision, processes, and more.
NIST 800-53 controls are not listed in order of importance or criticality. Instead, you can apply a NIST-recommended approach for control implementation.
There are three classification levels for NIST SP 800-53 controls: low-impact baseline, moderate-impact baseline, and high-impact baseline.
Complying with security frameworks can be challenging, but these best practices can facilitate a successful implementation.
While you may know you need to be NIST 800-53 compliant, what about others? Learn more in on-demand webinars.
Have questions about NIST 800-53? Do you need help understanding the role of NIST 800-53 with FISMA? Check out this FAQ for answers.
Searching for tools, guidance, and assistance with NIST 800-53 compliance? You can find them in the NIST 800-53 Marketplace.
Apptega is the only solution you need to simplify management of all of your NIST 800-53 controls to ensure compliance.
NIST SP 800-53 is a set of standards that guide agencies in implementing and maturing their information security systems to protect sensitive government information. The National Institute of Standards and Technology (NIST) guides these standards, which span 20 control families and more than 1,000 base controls and control enhancements.
NIST first published these standards in 2005 to support compliance with the Federal Information Security Management Act (FISMA) of 2004, which requires agencies to develop and maintain minimum standards to protect federal information and federal information systems. The NIST 800-53 controls make up a cybersecurity risk management framework that can meet the FISMA requirements.
All federal agencies must be NIST 800-53 compliant and they had one year after publication to do so. Since then, there have been updates to the standards. The most current version is the fifth revision. Interestingly, this revision includes the removal of the word “federal” to clarify these standards are not just for federal agencies, but may be applicable to other organizations and to encourage more widespread use of this framework. NIST released the final version in September 2020.
NIST SP 800-53 Revision 5 consists of 20 control families, an increase from 18 in the previous version, and more than 1,000 related controls. Here are some of the key changes in this fifth revision:
Need help getting started on your NIST 800-53 compliance journey or are you ready to mature your existing cybersecurity practices and want to add some of the framework controls to your program? Apptega can help you tackle all of your ongoing cybersecurity needs, including the selection, implementation, and scaling of a variety of risk management and cybersecurity frameworks. Take your compliance practices to the next level with Apptega today.
Choosing, implementing, and maturing a cybersecurity and risk management framework is challenging, but your journey to compliance doesn’t have to be as difficult or time-consuming as you might think. In this NIST 800-53 compliance guide, you can learn more about the history and background of the framework, why compliance is important, and how adopting a risk management framework is an important part of your overall cybersecurity posture.
By applying NIST 800-53 controls, you can address your risk management processes through a three-tiered approach—one that begins at the organizational level, then addresses your business process level and then helps you address risks at the information security level.
Use this compliance guide to help you better understand NIST 800-53 controls and control families and baseline allocations regarding system impacts. You can also learn more about how to prepare for a NIST assessment and how using a cybersecurity framework management solution can help you ensure compliance while giving you comprehensive insights into all of your controls, tasks, responsibilities, and more.
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."
"I see products in the market that promise '30-day audits', but in reality that's not feasible or very sustainable. Great security and compliance is not a one-time event to check a box. Apptega is a long-term platform and partner that supports my entire business and our strategic goals."
All federal agencies must be compliant with NIST 800-53 to protect federal information and federal information systems. The standards were first published in 2005, and all federal agencies were required to be compliant within one year. While this is a requirement for federal agencies, the NIST 800-53 risk management framework can also be used by other organizations of all sizes and across diverse industries. The framework is closely related to NIST 800-171, which is required for organizations that work with the federal government and access controlled unclassified information (CUI).
Unlike federal agencies, which must adhere to all of the standards, non-federal organizations may find it beneficial to adopt some (or all) of the controls in NIST 800-53 and then identify areas where additional controls can be added over time to mature their risk management practices. Recently, NIST updated NIST 800-53 to remove the reference to “federal” in regard to applicable agencies and organizations.
As a result of FISMA, NIST developed Federal Information Processing Standards (FIPS), which are requirements for all federal agencies. The purpose of NIST 800-53 is to establish controls to safeguard systems and protect the integrity, availability, and confidentiality of information while managing information security risks. While the controls were originally designed for federal agencies, they’re applicable to any organization that processes, stores, or transmits sensitive data.
By creating these standards, NIST hopes to streamline best practices and improve information security systems and processes used within the federal government and its related agencies.
Agencies can begin their NIST 800-53 compliance journey by first reviewing FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 is a tool agencies can use to better understand federal information and information system categorization so they can determine security objectives should threat actors compromise their information systems.
FIPS 199 outlines three core security objectives:
1. Confidentiality
2. Integrity
3. Availability
From FIPS 199, agencies can use FIPS 200 to determine minimum security requirements for their information and information systems. FIPS 200 outlines 17 areas of minimum security requirements that federal agencies must adhere to:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation, and Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity
There are many benefits to becoming NIST 800-53 compliant and adopting a risk management framework. Again, it’s worth pointing out that while the framework was created to guide federal agencies, these standards can benefit a range of organizations across most industries. If your organization processes, transmits, or stores sensitive or protected data, then you may find it beneficial to adopt these NIST controls.
Here are some of the benefits of NIST 800-53 compliance:
Managing your NIST 800-53 compliance journey has never been easier, thanks to the automation, support, templates, task packs, and more in Apptega’s cybersecurity management platform.
There are more than 1,000 base controls and control enhancements for NIST 800-53 that are dispersed across 20 control families. Each control grouping represents controls specific to each family topic.
The control families have both base controls and control enhancements directly related to the family. The purpose of a control enhancement is either to strengthen a base control or to add functionality to it.
Why would your organization need or want to adopt control enhancements? Well, that depends on the complexity of your environment and maturity of your information security system. Based on your risk assessment, you may find that your information security practices would be stronger if they were supported by the control enhancements, in addition to the base controls.
Earlier, we shared the 17 minimum security standards outlined in FIPS 200. NIST 800-53 control families align with those minimum requirements and also include additional recommendations for supply chain risk management, program management, and personally identifiable information (PII) processing and transparency.
In the NIST publication and others, you’ll often find the controls listed in alphabetical order with related controls numbered in ascending order. It’s important to note here that although commonly listed this way, it doesn’t mean you should start with the first control family and first base control and then work forward in a progression or specific order. Instead, your organization should evaluate which controls are most applicable for your specific needs, goals, and critical systems and data. Remember, federal agencies must meet all controls, regardless of family or positioning.
Here is a quick look at the 20 control families:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Assessment, Authorization, and Monitoring
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Personnel Security
15. PII Processing and Transparency
16. Risk Assessment
17. System and Services Acquisition
18. System and Communications Protection
19. System and Information Integrity
20. Supply Chain Risk Management
NIST 800-53 controls are not listed in a progressive order, which can make it challenging for some organizations to create an implementation plan. And if you’re a federal agency, you can’t cherry-pick which controls you want to adopt: NIST 800-53 compliance means you’ll need to implement them all. With more than 1,000 controls, where do you begin?
NIST offers guidance on three approaches for control implementation. Each implementation approach defines the scope and applicability of each control, the control’s shared nature and inheritability, as well as outlining who is responsible for each control’s development, implementation, assessment, and authorization.
Each of the three approaches provides organizations with objectives and focus so you can understand which controls you should select and implement in the most effective manner so you can ensure you’re meeting security and privacy requirements. Consider aligning your implementation approach with your system development lifecycle.
1. Common control implementation
2. System-specific implementation
3. Hybrid implementation
In addition to the control family groupings and implementation approaches, all of the NIST 800-53 controls are differentiated by a classification, which is associated with potential impact level. These classifications align with FIPS 199 security objectives discussed earlier: confidentiality, integrity, and availability.
Here’s a quick look at each level and what it means:
Low-impact baseline: The potential impacts related to all three of the security objectives (confidentiality, integrity, and availability) are low. The potential impact is considered to be low if the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on operations, assets, or individuals.
Moderate-impact baseline: The potential impact related to at least one of the three security objectives (confidentiality, integrity, and availability) is moderate, and none of the potential impacts is greater than moderate. The potential impact is considered to be moderate if the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on operations, assets, or individuals.
High-impact baseline: The potential impact related to at least one of the security objectives (confidentiality, integrity, and availability) is high. The potential impact is considered to be high if the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic effect on operations, assets, or individuals.
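The baseline rule above is mechanical enough to automate. The following is an added example (not code from the page, NIST, or Apptega) that parses FIPS 199-style categorization expressions, applies the "high water mark" across the information types a system handles (the aggregation rule FIPS 199 itself prescribes, which goes slightly beyond the per-objective rule stated above), and selects the matching SP 800-53 baseline. The system and information-type names and their impact values are constructed sample data.

```python
"""FIPS 199 categorization to NIST SP 800-53 baseline selection (added example)."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Impact levels ordered from least to most severe; index is used for comparison.
LEVELS = ("LOW", "MODERATE", "HIGH")

@dataclass(frozen=True)
class Categorization:
    confidentiality: str
    integrity: str
    availability: str

    def overall(self) -> str:
        """Overall impact is the highest level among the three objectives."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.index)

# Matches one "(objective, LEVEL)" pair inside a FIPS 199 SC expression.
_SC_RE = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(LOW|MODERATE|HIGH)\s*\)",
    re.IGNORECASE)

def parse_sc(expr: str) -> Categorization:
    """Parse an expression such as
    'SC payroll = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}'.
    All three objectives must be present; a partial categorization is rejected."""
    found = {obj.lower(): lvl.upper() for obj, lvl in _SC_RE.findall(expr)}
    missing = {"confidentiality", "integrity", "availability"} - found.keys()
    if missing:
        raise ValueError(f"categorization is missing objective(s): {sorted(missing)}")
    return Categorization(found["confidentiality"], found["integrity"],
                          found["availability"])

def aggregate(info_types: list[Categorization]) -> Categorization:
    """High water mark per objective across every information type on the system."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return Categorization(
        max((c.confidentiality for c in info_types), key=LEVELS.index),
        max((c.integrity for c in info_types), key=LEVELS.index),
        max((c.availability for c in info_types), key=LEVELS.index),
    )

def baseline(system: Categorization) -> str:
    """Map the system's overall impact level to the SP 800-53 baseline name."""
    names = {"LOW": "low-impact baseline",
             "MODERATE": "moderate-impact baseline",
             "HIGH": "high-impact baseline"}
    return names[system.overall()]

def categorize_system(expressions: list[str]) -> tuple[Categorization, str]:
    """Parse each information type, aggregate, and pick the baseline."""
    system = aggregate([parse_sc(e) for e in expressions])
    return system, baseline(system)

# Constructed sample: two information types on one hypothetical HR system.
SAMPLE = [
    "SC personnel_records = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}",
    "SC payroll_processing = {(confidentiality, LOW), (integrity, MODERATE), (availability, MODERATE)}",
]

if __name__ == "__main__":
    sc, bl = categorize_system(SAMPLE)
    print(f"system categorization: {sc}")
    print(f"overall impact: {sc.overall()} -> {bl}")
```

Note that a single HIGH on any one objective is enough to pull the whole system into the high-impact baseline, which is why per-information-type values should be reviewed before they are aggregated.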
NIST 800-53 controls define best practices for implementing and maturing your information security systems to ensure availability and security of sensitive data, but there are some other recommendations you can also implement to protect and secure your information security systems.
One way to do this is by taking a structured approach to risk management. It looks like this:
1. Categorize your information system based on responsibilities, the environment, and roles
2. Determine which security controls you need based on your security categorization from FIPS 199
3. Implement the security controls
4. Document how your security controls are implemented throughout your systems
5. Assess if the controls are functioning properly
6. Identify gaps or areas of weakness
7. Monitor your controls as your environment changes and evolves
8. Test your controls often for effectiveness and make adjustments as needed
Here are a few other ideas to consider and questions to ask:
Unlike some other cybersecurity frameworks, you don’t have to complete a formal certification process to be NIST 800-53 compliant; however, compliance with this framework is part of the FISMA Certification and Accreditation (C&A) process. Also, it’s important to remember that if you’re a federal agency, you’re expected to be able to prove you’re NIST 800-53 compliant and that the controls you’ve adopted based on the framework's standards function as intended.
As with most compliance metrics, documentation is key, especially for a compliance assessment. Whether you’re subject to a formal assessment or are ready to conduct an internal audit to review framework effectiveness, here are a few steps you can take for success.
Need help reviewing your NIST 800-53 controls?
While there isn’t a specific certification, becoming NIST 800-53 compliant is a component of FISMA certification.
As part of the Federal Information Security Management Act of 2002, all federal agencies must develop, implement, and document a risk management and cybersecurity program that protects federal information and federal information security systems. NIST’s Special Publication 800 series provides agencies with guidelines to meet FISMA requirements. Additionally, if you are a state agency that manages federal programs (for example, unemployment insurance), or if you’re a contractor or subcontractor that wants to do business with a federal agency, you should be FISMA compliant.
The first step in becoming FISMA compliant is to select, implement, and test security controls outlined in the NIST SP 800 series, as well as FIPS 199 and FIPS 200. You’ll also need to complete risk assessments, categorize your risks, complete an inventory of all of your information systems, how you use them and where they are located, and develop a System Security Plan (SSP).
Once you’ve successfully implemented these steps, you’ll need to conduct an annual security review that demonstrates your information security systems are FISMA compliant.
There is also an official FISMA Certification and Accreditation (C&A) process. Based on guidance from the FISMA Center and outlined in NIST SP 800-37, the C&A process has four phases:
1. Initiation: This phase includes preparation, notification and resource identification, and system security plan analysis with updates and acceptance.
2. Security Certification: This phase includes security control assessments and security certification documentation to demonstrate your controls are implemented correctly, functioning as intended, and producing the expected outcome. You’ll also need to address deficiencies and correct issues in this phase.
3. Security Accreditation: This phase is where the authorizing official makes a security accreditation decision, which, if successful, will include approval to operate (Authority to Operate) the information system (or with specific terms and conditions). If not successful, there will be a denial of operation.
4. Continuous Monitoring: This phase includes ongoing configuration management and control, continuous security monitoring, and status reports and documentation for ongoing oversight and should be completed throughout the information system’s lifecycle.
If you successfully complete the C&A and are granted an Authority to Operate, it is valid for three years, at which time you must undergo steps for renewal.
To learn more about the FISMA C&A process, visit https://www.fismacenter.com/SP800-37-final.pdf.
There’s never been a more simplified way to manage your NIST 800-53 compliance journey—and crosswalk it with other controls and frameworks your organization uses today. With Apptega’s Intelligent Framework Mapping Tool, Harmony, you can map your frameworks with unlimited combinations.
Here are some other key Harmony features:
NIST 800-53 standards are applicable to all federal agencies and, indirectly through NIST 800-171, to contractors and other organizations that do business with the federal government and process, store, or transmit sensitive data. These standards help agencies design, implement, and mature their information security systems. This blog explores how the NIST risk management framework and NIST cybersecurity framework build stronger information security programs and the role NIST 800-53 plays in information security.
If you’re a federal agency, you’ll need to be compliant with NIST 800-53 standards, but is this the only framework you need? Depending on the size, complexity, and compliance requirements of your organization, you may benefit from adopting other cybersecurity frameworks as well. So which is best for your organization? Do you need ISO? PCI DSS? CMMC? Something else? This blog explores some common frameworks and what they do, to help you better understand frameworks that can benefit you today and support scalability for tomorrow.
There are more than 20 major cybersecurity frameworks on the market today. You may already be using one because of your industry compliance standards. But are there others that can help you? Are you already successfully using controls for one framework that apply to another? Not sure which to choose or how to begin? In this webinar, you can explore:
• Common cybersecurity frameworks
• How organizations use these frameworks
• Where there are commonalities between frameworks
• What differentiates each framework from others
• How to manage the frameworks you implement
Whether you’re doing an internal audit or are subject to a formal review, preparing for—and passing—an audit is often time-consuming, document-laden, and stressful. But it doesn’t have to be. In this webinar, hear from a panel of experts who have successfully tackled and passed a variety of audit types across a spectrum of industries. Watch now to learn:
• Best practices for audit preparation
• Tips from industry pros
• Common failures in the audit process
• How to mitigate risk for audit success
• How to gather what you need to support auditor requests
The NIST 800-53 Marketplace in CyberXchange is mapped to all the controls defined in the NIST 800-53 framework. For each gap or compliance issue, you can find solutions that are mapped to your specific needs. The best part? No more guesswork. The research is already done for you. Join thousands of CISOs, CIOs and other cyber professionals in finding perfect-fit solutions.
The most current version of NIST 800-53 is Revision 5, which NIST released on Sept. 23, 2020. This version reflects an increase in control families, from 18 to 20, and even more controls, which now exceed 1,000. NIST adapted this version to be more in line with today’s threat landscape and added new components, including state-of-the-practice controls and integrated supply chain risk management. To see the most recent version, visit https://csrc.nist.gov/News/2020/sp-800-53-revision-5-published.
No. NIST 800-53 and NIST 800-171 are not the same, but they do serve similar, closely related purposes. Both are sets of standards and controls to protect sensitive information. NIST 800-53 is guidance for federal agencies, which are required to be compliant. NIST 800-171 standards are applicable to non-federal organizations that work with federal agencies and process, transmit, or store controlled unclassified information (CUI). NIST 800-171 compliance, as well as compliance with the new Cybersecurity Maturity Model Certification (CMMC), is required for all RFPs and RFIs.
NIST 800-53 compliance resources are in the NIST 800-53 Marketplace in CyberXchange. In the marketplace, you can quickly access products and services to help you with NIST 800-53 compliance, including access to consultants with expertise in your specific compliance areas.
Improve your NIST 800-53 compliance journey with Apptega by streamlining and automating tasks, getting insight into all of your controls, and simplifying crosswalking of multiple cybersecurity frameworks.
With Apptega, you can develop, manage, and report on your NIST 800-53 framework from a single, easy-to-understand dashboard. It gives you insight into where you have gaps and weaknesses, so you know what to fix before an assessment and can stay ahead of attackers looking to exploit your vulnerabilities and put your sensitive data at risk.
Apptega supports all of the 20 control families in NIST 800-53. It can help you meet all of your FISMA requirements and help you mature your information security program to keep sensitive data safe.
Here are some of the key features of Apptega: