Not all organizations have the cybersecurity expertise to build their own security team, processes, and systems to protect, secure, and proactively take care of their companies. Some use frameworks, like the NIST 800-53 to help guide and implement the right security controls in place.
In this article, we’ll go over the NIST 800-53 framework, identify the companies that need to comply with the standard, and how you can use it to improve your own company’s security posture.
- Quick review: What is NIST 800-53?
- A breakdown of security and access control families in the NIST 800-53 Framework
Quick review: What is NIST 800-53?
The NIST 800-53 is a cybersecurity standard and compliance framework developed by the National Institute of Standards in Technology. It’s a continuously updated framework that tries to flexibly define standards, controls, and assessments based on risk, cost-effectiveness, and capabilities.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
Who must comply with NIST 800-53?
This compliance standard needs to be met by federal information systems, agencies, and associated government contractors and departments that work with the government.
Compliance is necessary so that not only are federal organizations secure but so that they know any third-party vendors or organizations have also taken the necessary steps to secure their organization.
What is the purpose of NIST 800-53?
The NIST 800-53 framework is designed to provide a foundation of guiding elements, strategies, systems, and controls, that can agnostically support any organization’s cybersecurity needs and priorities.
By establishing a framework available to all, it fosters communication and allows organizations to speak using a shared language.
Lastly, because it doesn’t specifically support or suggest specific tools, companies, or vendors (intentionally so), it’s designed to be used as new technologies, systems, environments, and organizational changes arise, shifting cybersecurity needs.
What is the difference between NIST 800-53 and other frameworks?
NIST has over 1,300 standard reference materials but most compliance frameworks fall into the NIST 800 series. However, there are variations that have slight differences.
For example, NIST 800 - 171 is a framework for federal agencies that will work with non-federal departments or companies.
NIST’s compliance standards are also different than standards such as HIPAA, FISMA, or SOX, which are industry-related compliance standards. However, NIST does provide various outlines and standard material to help companies achieve compliance.
What are the benefits of NIST 800-53?
This framework is incredibly comprehensive and if you follow it even to the minimum controls it outlines, you’ll be covering the majority of risk factors all organizations face.
It also provides a baseline to improve upon. As you better understand your organization’s specific needs, you can then refer to the framework and identify which specific access controls you can work on improving and investing in.
A breakdown of security and access control families in the NIST 800-53 Framework
The NIST 800-53 framework provides a number of different controls and guidance across multiple security and access control families defined under a baseline of impact. These baselines are separated by:
- High impact
- Medium impact
- Low impact
The controls are then designated across 20 security and control families. Alongside them, we’ve provided examples of associated controls.
- AC (Access control): Account management and monitoring, enforcing the policy of least privilege principle, and separation of duties.
- AT (Awareness and training): Providing awareness and security training to employees, and elevated technical training for more privileged users.
- AU (Audit and accountability): Auditing records and content, retaining records, and providing associated analysis and reporting
- CA (Assessment, authorization and monitoring): Penetration testing, and monitoring connections to public networks and external systems
- CM (Configuration management): Implementing configuration change controls, and setting authorized software policies
- CP (Contingency planning): Establishing and testing business continuity strategies, as well as alternate processing and storage sides.
- IA (Identification and authentication): Managing credentials and setting up authentication policies and systems in place for users, devices, and services.
- IP (Individual participation): Obtaining consent and authorizing privacy policies and practices.
- IR (Incident response): Setting up incident response training and setting up associated monitoring and reporting systems.
- MA (Maintenance): Having an ongoing system, personnel, and tool maintenance.
- MP (Media protection): Securing and protecting media access, use, storage, and transportation.
- PA (Privacy authorization): Setting policies for collecting, using, and sharing personally identifiable information(PII)
- PE (Physical and environmental protection): Ensuring access to emergency power, securing physical access, and protecting against physical risk and damage.
- PM (Program management): Having defined strategies for risk management, insider threats, and scaling architecture.
- PL (Planning): Having strategies in place for comprehensive security architecture (such as defense in depth and third-party vendor security)
- PS (Personnel security): Screening internal and external personnel, setting up termination and transfer security policies.
- RA (Risk assessment): Scanning vulnerabilities, having ongoing privacy impact, and risk assessments.
- SA (System and services acquisition): Implementing security across the system development lifecycle, new vendor contracts, and acquisitions.
- SC (System and communications protection): Partitioning applications, implementing cryptographic key management, and securing passwords and other sensitive data.
- SI (System and information integrity): Implementing system monitoring, alerting systems, and flaw remediation processes.
NIST 800-53 compliance best practices
If you’re an organization that finds itself needing to comply with the NIST 800-53 framework, it’s best to approach it as a set of bundled actions and strategies rather than tackling each of the 20 access controls.
Here’s our recommendation.
Take stock of your assets
Locate all your data, servers, devices, and other assets and classify them based on how sensitive and business-critical they are. This will help you get an understanding of how to prioritize securing these assets.
As you build out your policies and adopt new tools and systems, you’ll already have a starting point on what needs your focus first.
Focus on your employees
Establish a security awareness training program so your employees know what to look out for when it comes to phishing, ransomware, and similar attacks. You should also implement a policy that identifies who has access to what data based on what they actually need access to.
Limit access as much as possible.
Manage access control
Access controls and admin privileges should be established here and beyond just your employees. Make sure that third-party vendors, apps, and systems, aren’t accessing critical assets or files they shouldn’t.
Identity access management policies and strategies are helpful and can proactively set up new employees and vendors in an already-secured manner.
Monitoring and response capabilities are crucial here and should be implemented on data, events, network activity, and endpoints. You should also set up monitoring and alerting for insider threats, malware, vulnerabilities, and breaches.
You’ll have crucial insight and info if/when a breach happens, allowing you to recover quickly and maintain business continuity.
NIST 800-53 can be used by any organization
We like this framework because it’s flexible, comprehensive, and can be adopted by any organization essentially at any time. If you’re looking to build up your security department, are starting from scratch, or need a major upgrade in your security posture, it might be worth checking this framework out.
Remember, even if you don’t need to adhere to this compliance standard, it can still be a useful framework.
To learn more about how you can secure, audit, and identify your critical assets, check out Varonis’ DatAdvantage solution.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers information security, tech and finance, consumer privacy, and B2B digital marketing. You can see his writing portfolio on https://josueledesma.com/Writing-Portfolio