NIST SP 800-53
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 and to help with managing cost effective programs to protect their information and information systems.
Two related documents are 800-53A and 800-53B which provide guidance, and baselines based on 800-53.
Purpose
NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in information system security, and on ITL's activity with industry, government, and academic organizations.Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 20 areas including access control, incident response, business continuity, and disaster recovery.
A key part of the assessment and authorization process for federal information systems is selecting and implementing a subset of the controls from the Security Control Catalog. These controls are the management, operational, and technical safeguards prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The security categorization of the information system determines the baseline collection of controls that must be implemented and monitored. Agencies have the ability to adjust these controls and tailor them to fit more closely with their organizational goals or environments.
- Originally intended for the U.S. government, NIST SP 800-53 expanded to a framework for security changes globally.
Compliance
Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment.
Collaboration with the Cybersecurity Framework
CSF and 800-53 covered each others weaknesses with CSF having more of a top-down decision-making process and NIST SP 800-53 having a bottom-up approach. The combination provided an easier approach for developers to create a new platform and software. Usage of Extensible Markup Language helped ease the combination of CSF and 800-53 and eventually led to the creation of Baseline Tailor to help use the two security catalogs together.The two relied on five primary functions:
- ID - Identify
- PR - Protect
- DE - Detect
- RS - Respond
- RC - Recover
Control Baseline Levels
- In the event of a security breach that resulted in minor risk, the system deploys 149 different controls and enhancements that adds security ranging from Multi-factor authentication to basic security policies.
- In the event of a security breach that resulted in a moderate risk, the system deploys 138-287 different controls and enhancement to help combat against a more threatening attack through robust systems and advanced measures to hide important information.
- In the event of a security breach that resulted and reached a severe risk, the system deploys 370 different controls and enhancements to defend against even the most volatile attacks. Results in the maximum security and best systems and measures to prevent further damage to the system.
Revisions
Initial release
NIST Special Publication 800-53 was initially released in February 2005 as "Recommended Security Controls for Federal Information Systems."First revision
NIST Special Publication 800-53 Revision 1 was initially released in December 2006 as "Recommended Security Controls for Federal Information Systems."Second revision
NIST Special Publication 800-53 Revision 2 was initially released in December 2007 as "Recommended Security Controls for Federal Information Systems."Third revision
The third version of NIST's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," incorporates several recommendations from people who commented on previously published versions, who recommended a reduction in the number of security controls for low-impact systems, a new set of application-level controls and greater discretionary powers for organizations to downgrade controls. Also included in the final draft is language that allows federal agencies to keep their existing security measures if they can demonstrate that the level of security is equivalent to the standards being proposed by NIST. The third version also represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems. The management, operational, and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include- A simplified, six-step risk management framework;
- Additional security controls and enhancements for advanced cyber threats;
- Recommendations for prioritizing security controls during implementation or deployment;
- Revised security control structure with a new references section;
- Elimination of security requirements from supplemental guidance sections;
- Guidance on using the risk management framework for legacy information systems and for external information system services providers;
- Updates to security control baselines based on current threat information and cyber attacks;
- Organization-level security controls for managing information security programs;
- Guidance on the management of common controls within organizations; and
- Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.
Fourth revision
- Insider threats;
- Software application security ;
- Social networking, mobiles devices, and cloud computing;
- Cross domain solutions;
- Advanced persistent threats;
- Supply chain security;
- Privacy.
- AC - Access Control
- AU - Audit and Accountability
- AT - Awareness and Training
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PS - Personnel Security
- PE - Physical and Environmental Protection
- PL - Planning
- PM - Program Management
- RA - Risk Assessment
- CA - Security Assessment and Authorization
- SC - System and Communications Protection
- SI - System and Information Integrity
- SA - System and Services Acquisition
Network Access Control is a tool that was utilized to help reach NIST 800-53 standards, and used the Access Control resources to help authorize devices that wished to access the network. NAC also provided an easy and adaptable control to meet any organization security needs.
Fifth revision
NIST SP 800-53 Revision 5 removes the word "federal" to indicate that these regulations may be applied to all organizations, not just federal organizations. The first public draft was published on August 15, 2017. A final draft release was set for publication in December 2018, with the final publication date set for March 2019." Per the NIST Computer Security Resource Center, major changes to the publication include:- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
- Eliminating the term "information system" and replacing it with the term "system" so the controls can be applied to any type of system including, for example, general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
- De-emphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
- Promoting integration with different risk management and cyber security approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state of the practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.
The final version of Revision 5 was released on September 23, 2020 and is available on the NIST website at the following link: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final