NIST Special Publication 800-53


NIST Special Publication 800-53 is an information security standard that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help them manage cost-effective programs that protect their information and information systems. [1]

Two related documents, 800-53A and 800-53B, provide assessment guidance and control baselines, respectively, based on 800-53.

Purpose

NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory's (ITL) research, guidelines, and outreach efforts in information system security, and on ITL's activity with industry, government, and academic organizations. [2]

Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. [3] The security rules cover 20 areas including access control, incident response, business continuity, and disaster recovery. [4]

A key part of the assessment and authorization (formerly certification and accreditation) process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F). These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The security categorization of the information system (low, moderate, or high) determines the baseline set of controls that must be implemented and monitored. Agencies may adjust these controls and tailor them to fit more closely with their organizational goals or environments. [1]
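The categorize-select-tailor sequence described above, as an added worked example (not NIST tooling or text from the publication): the FIPS 199 worst-case rule is applied across the system's information types, the result picks a baseline, and tailoring decisions are recorded so the deviation from the baseline is auditable. The information types, and the small control-catalog excerpt with its baseline assignments, are constructed for illustration; the authoritative allocations are in the SP 800-53 baseline tables.

```python
"""Categorize (FIPS 199 high-water mark), select a baseline, then tailor it.
Added example; catalog excerpt and information types are constructed."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")            # FIPS 199 impact levels, ascending
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}  # order used for "worst of" comparisons


@dataclass
class InfoType:
    """One information type processed by the system, with its C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types):
    """FIPS 199 high-water mark: per security objective, take the worst impact over
    all information types; the system category is the worst of the three objectives.
    A single 'high' anywhere therefore drives the whole system to the high baseline."""
    objective_levels = {}
    for obj in ("confidentiality", "integrity", "availability"):
        objective_levels[obj] = max((getattr(t, obj) for t in info_types), key=RANK.__getitem__)
    system_level = max(objective_levels.values(), key=RANK.__getitem__)
    return system_level, objective_levels


# Constructed catalog excerpt: control id -> lowest baseline that includes it.
# Illustrative only; consult the real baseline tables (800-53B for Rev 5).
CATALOG = {
    "AC-2": "low", "AC-2(1)": "moderate", "AC-6": "moderate",
    "IR-4": "low", "IR-4(4)": "high",
    "CP-2": "low", "CP-2(1)": "moderate", "CP-2(5)": "high",
}


def select_baseline(system_level):
    """Initial baseline: every control allocated at or below the system's level."""
    return sorted(c for c, lvl in CATALOG.items() if RANK[lvl] <= RANK[system_level])


def tailor(baseline, scoped_out=None, supplements=None):
    """Tailoring: remove controls with a documented rationale and add supplements
    chosen from the organizational risk assessment. Each change is logged so the
    authorizing official can see exactly how the system deviates from the baseline."""
    scoped_out = scoped_out or {}
    supplements = supplements or {}
    unknown = set(scoped_out) - set(baseline)
    if unknown:  # scoping out something that was never selected is a recording error
        raise ValueError(f"not in baseline, cannot scope out: {sorted(unknown)}")
    selected = [c for c in baseline if c not in scoped_out]
    selected += [c for c in supplements if c not in selected]
    log = [f"removed {c}: {why}" for c, why in scoped_out.items()]
    log += [f"added {c}: {why}" for c, why in supplements.items()]
    return sorted(selected), log


if __name__ == "__main__":
    types = [InfoType("payroll", "moderate", "moderate", "low"),
             InfoType("public notices", "low", "low", "high")]
    level, per_objective = categorize(types)
    print(level, per_objective)                       # high, availability drives it
    controls, changes = tailor(select_baseline(level),
                               scoped_out={"CP-2(5)": "no essential-mission dependency, per BIA"},
                               supplements={})
    print(controls, changes)
```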

Compliance

Although any private organization can adopt NIST 800-53 as a guiding framework for its security practice, all U.S. federal government agencies and contractors are required to comply with the framework in order to protect their critical data.

Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date (February 2005) unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment. [1]

Revisions

Initial release

NIST Special Publication 800-53 was initially released in February 2005 as "Recommended Security Controls for Federal Information Systems." [5]

First revision

NIST Special Publication 800-53 Revision 1 was initially released in December 2006 as "Recommended Security Controls for Federal Information Systems."

Second revision

NIST Special Publication 800-53 Revision 2 was initially released in December 2007 as "Recommended Security Controls for Federal Information Systems."

Third revision

The third version of NIST's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," incorporates several recommendations from commenters on previously published versions, who asked for a reduction in the number of security controls for low-impact systems, a new set of application-level controls, and greater discretionary powers for organizations to downgrade controls. Also included in the final draft is language that allows federal agencies to keep their existing security measures if they can demonstrate that the level of security is equivalent to the standards being proposed by NIST. [6] The third version also represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance had not applied to government information systems identified as national security systems. The management, operational, and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include

Fourth revision

As part of the ongoing cyber security partnership among the United States Department of Defense, the intelligence community, and the federal civil agencies, NIST launched its biennial update to Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," with an initial public draft released on February 28, 2012. The 2011–12 initiative included an update of current security controls, control enhancements, and supplemental guidance, and an update of the tailoring and supplementation guidance that forms a key element of the control selection process. Key focus areas include, but are not limited to:

Revision 4 organizes its controls into 18 control families, [8] including:

Information on these control families and the controls contained within can be found on the NIST website at the following link: https://nvd.nist.gov/800-53/Rev4

Fifth revision

NIST SP 800-53 Revision 5 removes the word "federal" from the title to indicate that its controls may be applied to all organizations, not just federal ones. The first public draft was published on August 15, 2017. A final draft release was set for publication in December 2018, with the final publication date set for March 2019. [9] Per the NIST Computer Security Resource Center (CSRC), [10] major changes to the publication include:

As of September 2019, Revision 5 was delayed due to a potential disagreement between the Office of Information and Regulatory Affairs (OIRA) and other U.S. agencies. [11]

The final version of Revision 5 was released on September 23, 2020 [12] and is available on the NIST website at the following link: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

800-53A

NIST Special Publication 800-53A provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results. [13]

Revision 1

NIST Special Publication 800-53A is titled “Guide for Assessing Security Controls in Federal Information Systems and Organizations." This version will describe testing and evaluation procedures for the 17 required control families. [4] These assessment guidelines are designed to enable periodic testing and are used by federal agencies to determine what security controls are necessary to protect organizational operations and assets, individuals, other organizations, and the nation. [3] According to Ron Ross, senior computer scientist and information security researcher at NIST, these guidelines will also allow federal agencies to assess "if mandated controls have been implemented correctly, are operating as intended, and are... meeting the organization's security requirements."

To do this, version A describes assessment methods and procedures for each of the security controls mandated in Special Publication 800-53. These methods and procedures are to be used as guidelines for federal agencies. These guidelines are meant to limit confusion and ensure that agencies interpret and implement the security controls in the same way. [4]

Revision 4

NIST SP 800-53A Revision 4 is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations." The revision number jumped from Revision 1 to Revision 4 so that it matches the revision of NIST Special Publication 800-53 it is meant to be used with.

800-53B

NIST Special Publication 800-53B provides a set of baseline security controls and privacy controls for information systems and organizations. The baselines establish default control sets by FISMA impact level (Low, Moderate, and High), plus a separate Privacy baseline, and can be tailored to fit organizational risk management processes.

Initial release

NIST Special Publication 800-53B was initially released in September 2020 as "Control Baselines for Information Systems and Organizations." [15]

References

  1. Ross, et al., p. 4
  2. Ross, et al., p. 2
  3. Ross, et al., p. 8
  4. Vijayan, Jaikumar (2005). "Security Guidelines for U.S. agencies due in July". Computerworld. Retrieved February 23, 2011.
  5. "Recommended Security Controls for Federal Information Systems". NIST Publications. February 19, 2017. Retrieved June 13, 2021.
  6. Vijayan, Jaikumar (2005). "Feds look to finalize IT security controls". Computerworld. Retrieved February 23, 2011.
  7. Jackson, William (2009). "NIST releases 'historic' final version of Special Publication 800-53". Government Computer News. Retrieved February 23, 2011.
  8. "NIST Risk Management Framework". NIST. March 3, 2022. Retrieved May 27, 2022.
  9. "Schedule - Risk Management CSRC". NIST Computer Security Resource Center. Retrieved November 9, 2018.
  10. Joint Task Force (August 15, 2017). "SP 800-53, Rev. 5 (DRAFT)". NIST Computer Security Resource Center. Retrieved March 12, 2018.
  11. Miller, J. (September 3, 2019). "OMB's regulatory review is creating a backlog of cyber standards". Federal News Network - Reporter's Notebook. Hubbard Radio Washington DC, LLC. Retrieved December 19, 2019.
  12. "The Next Generation Security and Privacy Controls—Protecting the Nation's Critical Assets". NIST. September 22, 2020. Retrieved September 25, 2020.
  13. Ross, Ronald S. (2014). "NIST Special Publication 800-53A Revision 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans". NIST. doi:10.6028/NIST.SP.800-53Ar4.
  14. Pillitteri, Victoria (2020). "NIST Special Publication 800-53B Control Baselines for Information Systems and Organizations". NIST. doi:10.6028/NIST.SP.800-53B.
  15. Joint Task Force (December 10, 2020). "Control Baselines for Information Systems and Organizations". NIST Publications. doi:10.6028/NIST.SP.800-53B. Retrieved November 10, 2021.