What is NIST 800-53 Rev 5 Update? NIST 800-53 Rev 5 framework & Control Families Summary Description

NIST is the abbreviation of the National Institute of Standards and Technology. Talking about NIST, it is a non-regulatory agency of the United States Department of Commerce whose job is to improve measurements and standards.

What is NIST Cyber Security Framework ?

NIST was founded in 1901 and its history lies in developing measurements, metrics, and standards. Previously known as the National Bureau of Standards, NIST mission is to promote measurement standards with proper maintenance.

NIST is the abbreviation of the National Institute of Standards and Technology.

Sounds so simple.

But what does NIST have to do with your business? Let us try to understand this in subsequent sections.

What about Framework? Framework is a structure to support building something useful.

So, riding high on the idea of cybersecurity to prevent, detect and respond to cyber incidents, NIST built a policy framework (set of best practice guidelines) for better management of cybersecurity-related risks.


On February 12, 2013, President Obama signed Executive Order 13636,
On February 12, 2013, President Obama signed Executive Order 13636

It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

— President Barack Obama, Executive Order 13636, Feb. 12, 2013

In short, the NIST CSF paves way for organization national security posture to tackle risk management by being proactive rather than employing reactive bent of mind.

What are the five elements of the NIST Cybersecurity framework?

NIST cyber security framework has 5 main functions.

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

What is NIST SP 800-53?

NIST 800-53 is the integral part of NIST cybersecurity compliance framework. NIST SP 800-53 describes an invaluable checklist of cybersecurity guidelines and security controls for security and privacy needs of any federal organization (aside from national security agencies) to maintain.

While walking the tightrope of confidentiality, integrity, and availability of data, adhering to the NIST SP 800-53 not only helps organizations meet compliance requirements like those found in regulations like:

  1. PCI DSS
  2. GDPR
  3. FISMA
  4. HIPAA
  5. DFARS
  6. FedRAMP
  7. CJIS
  8. FedRAMP+
  9. FedRAMP DoD

but it can also help shore up security immeasurably.

NIST SP 800-53 stands for NIST Special Publication 800-53 and is an integral part of NIST’s Cybersecurity Framework.

As there is a massive rise in threat landscape and cyber-attacks on government systems, the security of important and sensitive information is extremely crucial. And this is possible by securing your overall infrastructure.

Complying by NIST SP 800 series standards improve and maintain their information security. For risk management also, NIST SP 800-53 has been fulfilling the objective of protecting organizations.

What is the purpose of NIST SP 800-53?

The main purpose of NIST 800-53 controls is to improve an organization’s risk management system and help build a stronger foundation for creating a better risk management strategy.

In other words, NIST SP 800–53 (abbreviated form of National Institute of Standards and Technology Special Publication 800-53) database defines the guidelines of security controls and associated assessment procedures, to architect, implement and manage information security systems, and corresponding data.

With a standardized NIST 800 53 Risk Management Framework, NIST 800 53 aims at solid understanding to:

Identify

and manage systems, assets, personnel, devices and data etc. by implementing a holistic and contextual risk assessment and management strategy.

Protect

assets with comprehensive risk management framework.

Detect

security events and anomalous activity occurring on information systems and activities through ‘Security continuous monitoring’.

Respond

to security incidents by processes and procedures. Key elements are:

  • Incident Response planning
  • Communications
  • Analysis
  • Threat Mitigation
  • Recover and take appropriate security measures or actions

Recover

and restore systems or assets affected by attack/incidents with the help of orchestrated recovery planning and post-incident recovery strategies updates.

How many controls are there in NIST 800-53?

NIST SP 800-53 controls, in tandem with the risk management framework outlined in 800-37, are divided in 3 classes, spread across 18 different control families.

NIST SP 800-53 Families Full Control List

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition 

NIST SP 800-53 Control Families Description

NIST SP 800-53 Access Control

Access control is a way to keep people from going to places they aren’t supposed to go. 

For example, you have a house and you have a door to your house. You can lock the door so that only you can get in. 

That’s access control. 

NIST Access Control defines policies and methods to control a business IT ecosystem with appropriate level of access. 

For example, you have a computer and you want to make sure that only people who are supposed to be using it can use it. So you can set up access control on the computer so that only people who are supposed to be using it can use it.

What are the 3 types of access control?

  1. Discretionary access controls (DAC)
  2. Mandatory access controls (MAC)
  3. Role-based access control (RBAC)

The Access Control family throws light on the design, implementation and operation of access controls for a business IT environment like:

  • Router network access control
  • Firewalls
  • Computers & servers and
  • All devices on the network.

Access control family also helps in understanding configuration of:

  • access control security policy
  • role-based access controls (rbac)
  • mandatory or discretionary access controls
  • privileged access controls

NIST 800-53 Audit and Accountability (AU)

Titled Audit Accountability Procedures, NIST 800-53 Audit and Accountability family of controls provides procedures of event logging and auditing of a business’s audits and audit processing records.

Key Questions to ask for NIST 800-53 Audit and Accountability (AU)

  • How do you process the content of audit records?
  • How do you analyze  and report?
  • How’s record retention? 
  • How do you construct content for audits records? 
  • Are assessments and artifacts included?
  • What about storage of audit documents?
  • Where do you store the audit documents?
  • Do you use any encryption tools to safeguard information of audit records?
  • How do you validate access identities? 
  • Do you use MFA, password security or biometrics?
  • Do you have any defined retention policy?
  • What is the audit storage capacity?

NIST 800-53 Awareness and Training (AT)

NIST 800-53 Awareness and Training family of controls provides guidance on how to provide foundational and technical security awareness training to users.

The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event

Source

Which NIST publication discusses the need for security awareness?

NIST 800-53 Awareness and Training family of controls imparts industry and role based security training.

The assessment, identifying and addressing of internal security and privacy issues with employees activities is much more feasible today..

Quite viable to assess internal security-and-privacy awareness of system users, it helps in identifying threats to privacy or system security complying with organizational policies and procedures.

Key questions to ask during NIST 800-53 Awareness and Training (AT)

  • What type of security awareness training is provided in your organization?
  • How frequent do you update or overhaul your training policies?
  • How do you communicate security awareness programs, if any, with your users or employees?
  • What are the constituents of your security awareness materials?
  • What is the mode of training access for users or workforce?
  • Do you have any notification system set up to inform your users about potential security events or breach?
  • Do you continuously monitor the alert system in case there is any security issue?
  • What about follow ups during/after security awareness training sessions?

Top 12 security awareness training topics for employees

Auditors expect training on security awareness topics like:

  1. Phishing Email scams
  2. Data management and privacy
  3. Malware
  4. Social networking awareness
  5. Social Engineering
  6. BYOD (Bring Your Own Device)
  7. Password Security
  8. Removable media
  9. Safe internet habit
  10. Physical security and environmental controls
  11. Clean desk
  12. Other cybercrime tactics

NIST 800-53 configuration management

What is NIST 800-53 configuration management?

NIST 800-53 configuration management control lays out guidelines for security configuration policy and procedures of software and devices on the network.

With an effective and security focused NIST configuration management plan, Configuration Management Family controls create:

  • A configuration policy,
  • A Baseline configuration of the system for future security and privacy control implementations etc.
  • And manage unauthorized configuration or devices.

Examples of the Configuration Management family are:

  • Authorized software policies
  • Configuration change control

Key NIST 800-53 Configuration Management questions to ask

  • How frequently configuration management documents are analyzed?
  • Is Privacy included?
  • What about baseline configurations?
  • Are baseline configurations set up for every single server or device on the network?
  • Is baseline configuration automated?
  • Do you record previous settings?
  • What is the approach towards uninstallation of software?
  • Is there a Configuration Control Board in your company?
  • Are there any Cryptography settings?
  • Do you maintain an inventory?
  • Do you maintain data maps?
Scroll to Top