NIST 800-53

NIST 800-53 is a security and privacy control framework for information systems and organizations. More formally, NIST 800-53 is known as The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, 5th revision. The NIST 800-53 framework aims to help protect organizational operations, personnel, and assets from a large and complex set of threats and risks.

The controls specified by NIST 800-53 are flexible, customizable, and implemented as part of an organization-wide process to identify, manage, and ultimately reduce risk. The controls address diverse requirements derived from a variety of sources and guidelines. In addition, the controls address security and privacy from both a functional perspective and one of assurance which helps to ensure that information technology products are trusted. Note that NIST 800-53 generally encompasses all of the requirements of ISO framework standard 27002. 

The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (DIARMF) specify and utilize the NIST 800-53 framework. Consequently, US federal government contractors must meet the NIST 800-53 requirements, and NIST 800-53 is mandatory for federal information systems and the organizations and agencies that use them. Additionally, organizations that work with the federal government must comply with NIST 800-53. The NIST 800-153 framework is also helpful for any organization to manage and develop its information security practices. These organizations can include state and local governments and private companies, from SMBs to enterprises.

In a closely related framework regulation, NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is the best guidance for government contractors to secure their systems.  For these reasons, NIST 800-53 is generally accepted as best practice in the United States for private and public entities.

Introduction, Fundamentals, and Control Specifications

NIST SP 800-53 outlines controls to support the development of secure federal information systems. These controls are the operational, technical, and management standards and guidelines used by information systems to maintain confidentiality, integrity, and availability. NIST adopts a multi-layered approach to risk management through control compliance. Much of the specifications shown below are excerpted verbatim from the NIST 800-171 specification.

Based on impact, controls are separated into three classes: low, moderate, and high. The controls are further split into 18 security control families allowing organizations to select only the controls most applicable to their requirements. 

Chapter 1 – Introduction. 

This section overviews the purpose and applicability of the NIST SP 800-53 Framework, the target audience, organizational responsibilities, and more. The NIST 800-53 publication establishes controls for systems and organizations. These controls can be implemented within any organization or system. However, as noted earlier, these controls are mandatory for federal information systems. 

NIST 800-153 is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974, OMB policies, and designated Federal Information Processing Standards. NIST 800-153 helps organizations provide a complete catalog of security and privacy controls to meet current and future protection needs to be based on changing threats, vulnerabilities, requirements, and technologies. The publication also provides a common lexicon that supports discussing security, privacy, and risk management concepts.

Chapter 2 – Fundamentals. 

This section of NIST 800-153 overviews the requirements and controls, control structure and organization, implementation approaches, security and privacy controls, trustworthiness, and assurance. The section covers the fundamental concepts presented to provide context to the overall framework. Concepts include:

• Security and privacy controls, including the relationship between requirements and controls 
• The structure of controls 
• How controls are organized in the consolidated control catalog 
• The different control implementation approaches for information systems and organizations 
• The relationship between security and privacy controls
• The importance of the concepts of trustworthiness and assurance for security and privacy controls
• The effects of the controls on achieving trustworthy, secure, and resilient systems

Chapter 3 – Detailed Control Specifications. 

The security and privacy controls provide protective measures for systems, organizations, and individuals. In addition, the controls facilitate risk management and compliance with applicable federal laws, executive orders, directives, regulations, policies, and standards. Controls included are:

Access Control. Access control policy and procedures address the controls in access management for systems and organizations. The risk management strategy is essential in establishing such policies and procedures. Policies and processes contribute to security and privacy assurance, and security and privacy programs should collaborate on developing access control policies and procedures. 

Awareness and Training. Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel has authorized access, and work environments. The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and respond to suspected incidents. In addition, the content addresses the need for operations security and the handling of personally identifiable information. Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying login screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. 

Literacy training after the initial training is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. 

Regularly updating literacy training and awareness content helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 

Audit and accountability. Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. 

Assessment, Authorization, and Monitoring. Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. 

Configuration Management. Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is essential in establishing such policies and procedures. In addition, policies and practices contribute to security and privacy assurance. 

Contingency Planning.  Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. 

Identification and Authentication.  Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. Security and privacy programs collaborate on developing identification and authentication policy and procedures. 

Incident Response. Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. 

Maintenance. Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. 

Media Protection. Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. 

Physical and Environmental Protection. Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. 

Planning. Planning policy and procedures for the controls in the PL family implemented within systems and organizations. 

Program Management. Many regulations require federal agencies to develop, implement, and oversee organization-wide information security and privacy programs. These security and privacy programs help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at personal information systems.

The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. Organizations document program management controls in the information security and privacy program plans. The organization-wide information security program and privacy plan supplement system security and privacy plans developed for organizational information systems. The system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization.

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. An information security program plan documents program management and common controls implementation details. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the plan’s intent and determine the risk to be incurred if the plan is implemented as intended. 

Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments. Program management controls may be implemented at the organization level or the mission or business process level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system.

Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization. Common controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which different security plans contain descriptions of common controls. Events that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.

Personnel Security.  Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. 

Personally Identifiable Information Processing and Transparency. Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. 

Risk Assessment. Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is essential in establishing such policies and procedures. Policies and processes contribute to security and privacy assurance. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. 

System and Services Acquisition. System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. 

System and Communications Protection. System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. 

System and Information Integrity. System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. 

Supply Chain Risk Management. Supply chain risk management policy and procedures address the controls in the SR family and supply chain-related controls in other families that are implemented within systems and organizations. 

To learn more, please reference the complete NIST 800-53 specification http://csrc.nist.gov/publications/PubsSPs.html

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.