About NIST SP 800-53 | What You Need to Know to Maintain Compliance

The National Institute of Standards and Technology Special Publication 800-53, often referred to as NIST SP 800-53, is the guideline set to help contractors and federal agencies meet the regulatory requirements of the Federal Information Security Management Act (FISMA). The NIST is part of the US Commerce Department.

Of course, government regulatory bodies tend to use odd acronyms and lengthy verbiage which can be confusing to decipher. This makes understanding what you need to know to maintain compliance confusing.

More important than compliance issues — the NIST SP 800-53 is designed to help manage information security. While the requirements apply to Federal agencies and those who work with federally protected data, the information is aimed at data protection which is becoming more and more important across the private and public sectors.

What Is NIST SP 800-53

In a nutshell, the standards set forth by the NIST SP 800-53 are designed to govern the way that federal agencies manage their IT security systems. These protocols were developed to protect the agencies’ and citizens’ data.

It’s imperative that any federal agency follows these guidelines. Any business or personal entity that acts as a contractor for federal agencies are also required to follow these guidelines.

For businesses in the private sector, these guidelines serve as a good baseline to develop a data security plan. While it may not be a regulatory requirement, cyber security and data breaches pose a significant threat to all businesses. Small businesses are the target in 43% of cyber attacks. Statistics show that 60% of those companies will go out of business within six months of the incident.

NIST SP 800-53 offers an excellent roadmap to make sure your architecture and system management maintains optimal security.

Standards for Categorization and Benefits of NIST SP 800-53

NIST SP 800-53 is evolving to meet the changing needs of the technology it governs. The guidelines have been through several revisions. They’re designed to be continually revised to allow for more robust security as new threats emerge.

For businesses that do not need to maintain compliance, NIST SP 800-53 is still excellent information to form the structure to manage security. The principles used to create the regulations translate to any system and security measures can be added on top of this skeleton to further strengthen your data safety.

The first step federal agencies take is in categorizing the type of information system so that they can more easily apply the right standard based on recommendations in NIST SP 800-53. To do this, they confirm what the goal of the security system is at its base. There are three security objectives: availability, integrity, and confidentiality.

Once the objective is clear, the guidelines allow you to decipher the best standards to apply to the system to meet requirements and more effectively protect the information housed within the system.

Security Controls in NIST SP 800-53

NIST SP 800-53 focuses on the controls used in the risk management program outlined in SP 800-37. The controls are categorized as low, moderate, or high, depending on the level of security assigned to the objective.

There are eighteen (18) different control families. They are:

1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Contingency Planning
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Risk Assessment
15. Security Assessment and Authorization
16. System and Communications Protection
17. System and Information Integrity
18. System and Services Acquisition

Related articles: Understanding the EU Cybersecurity Act and Its Effect on Businesses and The Difference Between CMMC and NIST SP 800-171.

Our Team Can Help You Maintain Compliance with NIST SP 800-53 to Build a Solid Security Management Protocol

Like other aspects of technology, the NIST SP 800-53 continues to evolve in each new revision. This is a necessary part of the cyber security process because stagnation means leaving your company open to risks. The downside of the constant changes in the IT landscape is that entities outside the technology industry are often confused by and unprepared for the demands of changing security protocol.

Let our I.S. Partners, LLC auditing team guide your company through the steps to develop proper compliance with the current NIST SP 800-53 regulations. We can explain the purpose of different functions and categorization while guiding you through the process, from beginning to end.

Contact us by phone at (215) 675-1400 or request a quote online today. We’re eager to learn more about your business, so we can help you decipher the right framework for your optimal security management protocol.

About The Author

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.