What is NIST 800-53 Rev 5 Update? NIST 800-53 Rev 5 framework & Control Families Summary Description


NIST is the abbreviation of the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce whose job is to improve measurements and standards.

What is the NIST Cyber Security Framework?

NIST was founded in 1901 and its history lies in developing measurements, metrics, and standards. Previously known as the National Bureau of Standards, NIST's mission is to promote and properly maintain measurement standards.


Sounds so simple.

But what does NIST have to do with your business? Let us try to understand this in subsequent sections.

What about the word “framework”? A framework is a structure that supports building something useful.

So, building on the goal of preventing, detecting and responding to cyber incidents, NIST built a policy framework (a set of best-practice guidelines) for better management of cybersecurity-related risks.

On February 12, 2013, President Obama signed Executive Order 13636, which states:

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

— President Barack Obama, Executive Order 13636, Feb. 12, 2013

In short, the NIST CSF paves the way for organizations to strengthen their security posture by managing risk proactively rather than reactively.

What are the five elements of the NIST Cybersecurity framework?

The NIST Cybersecurity Framework has five main functions:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

What is NIST SP 800-53?

NIST SP 800-53, also known as “Security and Privacy Controls for Federal Information Systems and Organizations,” is a publication of the National Institute of Standards and Technology (NIST). It provides guidelines for protecting the confidentiality, integrity, and availability of federal information and information systems.

NIST 800-53 is an integral part of the NIST cybersecurity compliance framework.

NIST SP 800-53 provides an invaluable checklist of cybersecurity guidelines and security controls that any federal organization (apart from national security agencies) must maintain to meet its security and privacy needs.

While balancing the confidentiality, integrity, and availability of data, adhering to NIST SP 800-53 not only helps organizations meet compliance requirements such as those found in:

  1. PCI DSS
  2. GDPR
  3. FISMA
  4. HIPAA
  5. DFARS
  6. FedRAMP
  7. CJIS
  8. FedRAMP+
  9. FedRAMP DoD

but also substantially strengthens their security.

NIST SP 800-53 stands for NIST Special Publication 800-53 and is an integral part of NIST’s Cybersecurity Framework.


With the threat landscape expanding and cyber-attacks on government systems rising sharply, protecting important and sensitive information is crucial, and that is only possible by securing your overall infrastructure.

Complying with the NIST SP 800 series standards helps organizations improve and maintain their information security, and NIST SP 800-53 in particular supports their risk management objectives.

Who does NIST 800-53 apply to?

NIST SP 800-53 applies to all US federal agencies and organizations that handle sensitive information, including executive departments, independent agencies, and other organizations within the federal government, except those related to national security. It may also apply to third-party vendors, contractors and other entities that handle sensitive information on behalf of the federal government.

The guidelines in NIST SP 800-53 are meant to be flexible and adaptable, so they can be applied to a wide range of information systems and environments. They provide a comprehensive set of security and privacy controls that can be tailored to meet the specific needs of an organization.

NIST 800-53 Controls are for every business

If you want to build a strong security department or need a major upgrade to your security posture, the NIST 800-53 cybersecurity framework is worth considering. This framework provides guidance on how to protect information systems and data, and can help you develop a comprehensive security program.

What is the purpose of NIST SP 800-53?

The main purpose of NIST 800-53 controls is to improve an organization’s risk management system and help build a stronger foundation for creating a better risk management strategy.

In other words, the NIST SP 800-53 control catalog (National Institute of Standards and Technology Special Publication 800-53) defines security controls and their associated assessment procedures for architecting, implementing and managing information security systems and the data they hold.

Aligned with the standardized NIST Risk Management Framework, NIST 800-53 aims to give organizations a solid foundation to:

Identify and manage systems, assets, personnel, devices and data by implementing a holistic and contextual risk assessment and management strategy.

Protect assets with a comprehensive risk management framework.

Detect security events and anomalous activity occurring on information systems through security continuous monitoring.

Respond to security incidents through defined processes and procedures. Key elements are:

  • Incident response planning
  • Communications
  • Analysis
  • Threat mitigation
  • Recovery and appropriate security measures or actions

Recover and restore systems or assets affected by attacks or incidents with the help of orchestrated recovery planning and updates to post-incident recovery strategies.

How many controls are there in NIST 800-53?

NIST SP 800-53 provides a list of 20 control families, used in tandem with the risk management framework outlined in SP 800-37, and divides them into 3 classes.

NIST SP 800-53 Families Full Control List

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Assessment, Authorization and Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Personnel Security
  12. Physical and Environmental Protection
  13. Planning
  14. Program Management
  15. Risk Assessment
  16. Security Assessment and Authorization
  17. System and Communications Protection
  18. System and Information Integrity
  19. System and Services Acquisition
  20. Supply Chain Risk Management

NIST SP 800-53 Control Families Description

NIST SP 800-53 Access Control

Access control is a way to keep people from going to places they aren’t supposed to go. 

For example, you have a house and you have a door to your house. You can lock the door so that only you can get in. 

That’s access control. 

NIST Access Control defines the policies and methods for granting each user of a business IT ecosystem an appropriate level of access.

For example, you have a computer and you want to make sure that only the people who are supposed to use it can do so. You set up access control on the computer so that only those authorized people can use it.

What are the 3 types of access control?

  1. Discretionary access controls (DAC)
  2. Mandatory access controls (MAC)
  3. Role-based access control (RBAC)

The Access Control family covers the design, implementation and operation of access controls for a business IT environment, including:

  • Router network access control
  • Firewalls
  • Computers and servers
  • All other devices on the network

The Access Control family also covers the configuration of:

  • Access control security policy
  • Role-based access controls (RBAC)
  • Mandatory or discretionary access controls
  • Privileged access controls

NIST 800-53 Audit and Accountability (AU)

The NIST 800-53 Audit and Accountability family of controls provides procedures for event logging, for processing audit records, and for auditing a business's own audit records.

The Audit and Accountability family of controls in NIST SP 800-53 is designed to ensure that organizations can monitor, record, and review the actions of users and systems within their information systems. These controls are essential for detecting and responding to security incidents, as well as for maintaining the integrity and confidentiality of information.

There are several key controls within the Audit and Accountability family, including:

  1. AU-1: Audit and Accountability Policy and Procedures: This control requires organizations to establish and maintain policies and procedures for auditing and accountability. These policies should cover the types of events that will be audited, the methods used to capture and store audit records, and the processes for reviewing and analyzing audit data.
  2. AU-2: Audit Record Generation: This control requires organizations to establish and maintain the capability to generate audit records for events that occur within their information systems. The audit records should include sufficient information to allow for the reconstruction of events and the identification of any security-related events.
  3. AU-3: Audit Record Content: This control requires organizations to ensure that their audit records include sufficient information to support the reconstruction of events and the identification of any security-related events. This may include details about the user or system responsible for the event, the date and time of the event, and the type of event that occurred.
  4. AU-4: Time Stamps: This control requires organizations to establish and maintain the capability to accurately time stamp audit records. This is important for reconstructing events and for determining the order in which events occurred.
  5. AU-5: Protected Audit Information: This control requires organizations to protect audit information from unauthorized access or modification. This may include implementing measures such as encryption, access controls, and backup and recovery processes.
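As an added example (not code from the page or from NIST), the following builds audit records that carry the content and time stamps described above and chains them with an HMAC so that any later modification, deletion or reordering of stored records is detectable. The key name, field names and sample events are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed secret for this example; a real deployment would keep it in an
# HSM or secrets manager so that ordinary log readers cannot recompute tags.
LOG_KEY = b"example-audit-log-key"
GENESIS = "0" * 64

def make_record(user, event_type, outcome, source, when=None):
    """Build one audit record with the content a reviewer needs to reconstruct
    an event: who, when (UTC, ISO 8601), what happened, the result, and where from."""
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return {"user": user, "timestamp": ts, "event": event_type,
            "outcome": outcome, "source": source}

def _tag(prev, record):
    """HMAC over the previous tag plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_record(log, record):
    """Append a record, chaining it to the previous entry's tag so that
    modification, deletion or reordering of stored records becomes detectable."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"record": record, "prev": prev, "tag": _tag(prev, record)}
    log.append(entry)
    return entry["tag"]

def verify_chain(log):
    """Recompute every tag from the genesis value. Returns the index of the
    first entry that fails, or -1 if content, order and links are all intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expect = _tag(prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expect):
            return i
        prev = entry["tag"]
    return -1

def sample_log():
    """Constructed sample events: a login, a privileged command, a failed login."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log = []
    append_record(log, make_record("alice", "login", "success", "10.0.0.5", t0))
    append_record(log, make_record("alice", "sudo", "success", "10.0.0.5", t0.replace(minute=31)))
    append_record(log, make_record("bob", "login", "failure", "10.0.0.9", t0.replace(minute=32)))
    return log
```

Chaining gives tamper evidence only; confidentiality of the records and the backup copies the text mentions still need encryption and access controls around the stored log.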

Key Questions to ask for NIST 800-53 Audit and Accountability (AU)

  • How do you process the content of audit records?
  • How do you analyze and report on them?
  • How is record retention handled?
  • How do you construct the content of audit records?
  • Are assessments and artifacts included?
  • How are audit documents stored?
  • Where do you store the audit documents?
  • Do you use any encryption tools to safeguard the information in audit records?
  • How do you validate access identities?
  • Do you use MFA, password security or biometrics?
  • Do you have a defined retention policy?
  • What is the audit storage capacity?

NIST 800-53 Awareness and Training (AT)

NIST 800-53 Awareness and Training family of controls provides guidance on how to provide foundational and technical security awareness training to users.

“The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.”

Which NIST publication discusses the need for security awareness?

NIST 800-53 Awareness and Training family of controls imparts industry and role based security training.

Assessing, identifying and addressing internal security and privacy issues in employees' activities is much more feasible today.

Assessing the internal security and privacy awareness of system users helps identify threats to privacy or system security and confirms compliance with organizational policies and procedures.

Key questions to ask during NIST 800-53 Awareness and Training (AT)

  • What type of security awareness training is provided in your organization?
  • How frequently do you update or overhaul your training policies?
  • How do you communicate security awareness programs, if any, to your users or employees?
  • What are the constituents of your security awareness materials?
  • How do users or the workforce access the training?
  • Do you have a notification system set up to inform your users about potential security events or breaches?
  • Do you continuously monitor the alert system in case there is a security issue?
  • What about follow-ups during and after security awareness training sessions?

Top 12 security awareness training topics for employees

Auditors expect training on security awareness topics like:

  1. Phishing email scams
  2. Data management and privacy
  3. Malware
  4. Social networking awareness
  5. Social engineering
  6. BYOD (Bring Your Own Device)
  7. Password security
  8. Removable media
  9. Safe internet habits
  10. Physical security and environmental controls
  11. Clean desk
  12. Other cybercrime tactics

NIST 800-53 configuration management

What is NIST 800-53 configuration management?

The NIST 800-53 Configuration Management controls lay out guidelines for the security configuration policies and procedures of software and devices on the network.

With an effective, security-focused NIST configuration management plan, the Configuration Management family controls establish:

  • A configuration policy,
  • A baseline configuration of the system for future security and privacy control implementations, and
  • Management of unauthorized configurations or devices.

Examples of the Configuration Management family are:

  • Authorized software policies
  • Configuration change control
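As an added example (not code from the page or from NIST), here is a small check of one host's current state against its approved baseline configuration and authorized-software list, reporting drifted settings with their previously approved values, missing settings, and unauthorized software. The baseline keys, software names and the host snapshot are constructed for the example.

```python
# Constructed baseline: approved setting values and the authorized-software list.
BASELINE = {
    "settings": {"ssh.PasswordAuthentication": "no",
                 "ssh.PermitRootLogin": "no",
                 "audit.enabled": "yes",
                 "firewall.default_policy": "drop"},
    "authorized_software": {"openssh-server", "auditd", "nftables"},
}

def check_against_baseline(baseline, current):
    """Compare a host's current settings and installed software with the baseline.
    Returns a drift report: changed settings (keeping the approved value so the
    previous setting stays on record), settings absent from the host, and
    installed software that is not on the authorized list."""
    report = {"changed": {}, "missing": [], "unauthorized_software": []}
    for key, approved in baseline["settings"].items():
        if key not in current["settings"]:
            report["missing"].append(key)
        elif current["settings"][key] != approved:
            report["changed"][key] = {"approved": approved,
                                      "actual": current["settings"][key]}
    extra = current["software"] - baseline["authorized_software"]
    report["unauthorized_software"] = sorted(extra)
    return report

def is_compliant(report):
    """True only when the report shows no drift of any kind."""
    return not (report["changed"] or report["missing"]
                or report["unauthorized_software"])

def sample_host():
    """Constructed snapshot of one host that has drifted from the baseline:
    password logins re-enabled, the audit setting gone, and telnetd installed."""
    return {"settings": {"ssh.PasswordAuthentication": "yes",
                         "ssh.PermitRootLogin": "no",
                         "firewall.default_policy": "drop"},
            "software": {"openssh-server", "auditd", "nftables", "telnetd"}}
```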

Key NIST 800-53 Configuration Management questions to ask

  • How frequently are configuration management documents reviewed?
  • Is privacy included?
  • What about baseline configurations?
  • Are baseline configurations set up for every single server or device on the network?
  • Is baseline configuration automated?
  • Do you record previous settings?
  • What is the approach towards uninstallation of software?
  • Is there a Configuration Control Board in your company?
  • Are there any cryptography settings?
  • Do you maintain an inventory?
  • Do you maintain data maps?
