The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce that develops and issues guidelines to help US federal institutions remain compliant with the Federal Information Security Modernization Act (2014).
NIST issued a Special Publication called NIST SP 800-53 as part of its Cybersecurity Framework. It provides recommendations for how federal information systems, and the data held on them, can be managed securely. It covers 18 risk topics in accordance with the Federal Information Processing Standard 200. It is a living document that is revised and updated from time to time according to NIST’s ongoing analysis of security risk.
Why is NIST SP 800-53 important?
To protect the confidentiality, integrity and availability of federal information systems, NIST SP 800-53 encourages organisations to map their assets by categorising them into low, medium, and high severity. It also gives each category baseline security and privacy controls as well as procedures for assessing and managing security risk. Through this unified framework, NIST SP 800-53 offers federal agencies the opportunity to strengthen their security and streamline a security risk management approach across the US government, excluding national security agencies. Organisations may ascertain their compliance with this special publication through continuous audits.
What does the NIST SP 800-53 cover?
There have been five revisions to the original SP 800-53, with the latest revision released in September 2020. It is accompanied by two companion parts: NIST SP 800-53A provides customisable procedures to help organisations conduct security assessments and assess risk, and NIST SP 800-53B provides baseline controls that all organisations must apply to address security risks.
SP 800-53 groups its controls into the following 18 “control families”, with baselines for each provided according to risk severity:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Planning
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition