Article

NIST Special Publication 800-53

Security
Time to read: 7 minutes

What is NIST Special Publication 800-53?

NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53) Security and Privacy Controls for Information Systems and Organizations is a set of security and privacy controls for information systems. These controls are meant to help federal agencies and contractors meet the Federal Information Security Management Act (FISMA) requirements for all federal information systems.

The NIST 800-53 cybersecurity framework is continuously updated to include new controls recommended by ITL. The object is to flexibly define standards, controls, and assessments based on risk that seek to balance cost-effectiveness and capabilities.

NIST 800-53 controls address requirements derived from business needs, directives, executive orders, guidelines, laws, mission requirements, policies, regulations, and standards. The controls address security and privacy from two perspectives to ensure that information systems are reliable and can be trusted to protect sensitive data.

  1. Functionality perspective, which focuses on the strength of functions and mechanisms provided by the NIST 800-53 controls.
  2. Assurance perspective, which focuses on the level of confidence in the security and privacy protections provided by the NIST 800-53 controls.

NIST 800-53 provides specific directions that support the design, development, implementation, and maintenance of secure and resilient information systems.

NIST 800-53 controls include operational, technical, and management standards and guidelines for maintaining confidentiality, integrity, and availability. NIST 800-53 takes a multi-tiered approach to security and risk management through control compliance requirements. The controls provide a comprehensive framework for safeguarding sensitive data against various threats—from insider accidents and misconfigurations to natural disasters and malicious attacks.

The purpose of NIST SP 800-53

The purpose of NIST SP 800-53 is to ensure that the information systems utilized by the federal government and those they work with are optimally protected. NIST 800-53 is also designed to provide a flexible framework that remains applicable despite updates to technology, systems, organizational structure, and compliance requirements.

To support security and privacy requirements and improve risk management for any organization or system that processes, stores, or transmits information, NIST 800-53:

  1. Helps organizations develop a foundation for assessing techniques and processes for determining control effectiveness
  2. Improves communication across organizations via a common lexicon for discussion of risk management concepts
  3. Maintains the confidentiality, integrity, and availability (i.e., the CIA triad) of information systems
  4. Provides a comprehensive and flexible catalog of controls for current and future protection based on changing technology and threats
  5. Supports the development of secure and resilient information systems

NIST SP 800-53 compliance

NIST 800-53 does not specify which types of information must be protected. However, it does provide guidance on how organizations should classify the types of data that they create, store, and transmit.

Who must comply with NIST 800-53?

All U.S. federal government agencies and associated government contractors and departments that work with the government must comply with NIST SP 800‐53. NIST 800-53 is required for all U.S. federal information systems that store, process, or transmit federal information, except those related to national security. While it is not legally mandated, many other organizations adhere to the NIST 800-53 standards to ensure the security of their information systems.

NIST SP 800-53 compliance best practices

The following are commonly used best practices to facilitate selecting and implementing appropriate security and privacy controls for NIST SP 800-53 compliance.

Create an inventory of sensitive data.

  1. How the sensitive data is created or received, maintained, and transmitted
  2. What kinds of data the organization handles
  3. Where the sensitive data is stored

Classify sensitive data according to NIST 800-53 data classification guidelines.

  1. Categorize and tag sensitive data
  2. Assign an impact classification to sensitive data
  3. Use tools to automate data discovery and classification

Develop vulnerability remediation and security upgrade plans.

  1. Develop policies and procedures to address security deficiencies
  2. Select controls based on specific needs
  3. Save notes about how and why each control was selected

Enforce access controls.

  1. Develop identity and access management policies and strategies
  2. Establish access controls and administrator privileges
  3. Extend access controls to third-party vendors, applications, and systems

Measure and analyze results.

  1. Establish a baseline
  2. Regularly test the efficacy of NIST 800-53 controls implementations
  3. Analyze test results to find and prioritize areas for improvement

Perform a risk assessment to identify cybersecurity gaps.

  1. Identify risks
  2. Estimate the probability of their occurrence
  3. Calculate potential impact

Provide security awareness education.

  1. Implement an ongoing employee training program
  2. Educate all employees on access governance and cybersecurity best practices
  3. Test employees’ knowledge and awareness

Benefits of NIST SP 800-53

  1. Bridges the gap between stakeholders by providing a common platform for business and technical stakeholders to consider cybersecurity
  2. Covers the majority of risk factors all organizations face
  3. Ensures maximum flexibility, because it does not prescribe specific tools, companies, or vendors
  4. Enables long-term risk management
  5. Expedites swift and effective response to risk and threats
  6. Facilitates the development and continuous iteration of cybersecurity programs to address new regulations and vulnerabilities
  7. Helps prioritize risk management and cybersecurity program development and updates
  8. Offers a solid foundation for compliance with other regulations and programs, such as the California Consumer Privacy Act (CCPA), the Defense Federal Acquisition Regulation Supplement (DFARS), the Federal Risk and Authorization Management Program (FedRAMP), FISMA, General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX)
  9. Promotes consistent cybersecurity across information systems
  10. Provides a baseline for developing a secure information systems infrastructure
  11. Represents the collective experience of thousands of cybersecurity professionals
  12. Supports an adaptive and responsive posture toward managing cyber risk
  13. Takes a risk-based, outcomes-driven approach to cybersecurity

NIST 800-53 vs other frameworks

Elements of NIST 800-53 are used in a number of other frameworks and standards. The following is a summary of NIST 800-53 vs. several widely adopted frameworks.

Security and access control families in NIST 800-53

NIST 800-53 has twenty families of controls comprised of more than 1,000 separate controls. Each family is related to a specific topic, such as access control.

NIST 800-53 controls are meant to be implemented based on the protection requirements of different content types, which are determined based on a risk assessment and analysis of the impact of incidents on different data and information systems.

Federal Information Processing Standard (FIPS) 199 defines three impact levels. NIST 800-53 controls are broken into three classes based on FIPS impact as related to confidentiality, integrity, and availability. The table below summarizes the potential impact definitions.

Potential impact of data loss—NIST 800-53 guidance

NIST 800-53 Data Classification Guidelines
SOURCE: FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION: Standards for Security Categorization of Federal Information and Information Systems

NIST 800-53: A roadmap for information systems cybersecurity

Although NIST 800-52 is mandatory for all federal agencies and those that work with these groups, it is far more than an onerous requirement. NIST 800-53 is a powerful tool for finding and implementing the right cybersecurity to safeguard all types of information and computing systems and products. Systems include:

  1. Cloud computing
  2. Computing systems
  3. Healthcare systems
  4. Internet of Things (IoT) devices
  5. Mobile systems

The adoption of the NIST 800-53 framework by non-government organizations and the fact that it is used as the foundation for so many other standards and frameworks is a testament to its content and structure. NIST 800-53 balances specificity and flexibility, making it applicable to a broad range of organizations. Using NIST 800-53 protects information systems and enables compliance with many regulations.

Smart, scalable, seamless identity security

Trusted by 48% of the Fortune 500

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief