NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day.
NIST SP 800-53 Defined
The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing standards across all federal agencies. NIST SP 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems. It was established to provide guidance for the protection of agency’s and citizen’s private data.
Federal agencies must follow these standards, and the private sector should follow the same guidelines.
NIST SP 800-53 breaks the guidelines up into 3 Minimum Security Controls spread across 18 different control families.
Minimum Security Controls:
- High-Impact Baseline
- Medium-Impact Baseline
- Low-Impact Baseline
- AC – Access Control
- AU – Audit and Accountability
- AT – Awareness and Training
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification and Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PS – Personnel Security
- PE – Physical and Environmental Protection
- PL – Planning
- PM – Program Management
- RA – Risk Assessment
- CA – Security Assessment and Authorization
- SC – System and Communications Protection
- SI – System and Information Integrity
- SA – System and Services Acquisition
What’s The Purpose of NIST SP 800-53
NIST SP 800-53 sets basic standards for information security policies for federal agencies – it was created to heighten the security (and security policy) of information systems used in the federal government.
The overall idea is that federal organizations first determine the security category of their information system based on FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems — essentially deciding whether the security objective is confidentiality, integrity, or availability.
NIST SP 800-53 then helps explain which standards apply to each goal – and provides guidance on how to implement them. NIST SP 800-53 does not define any required security applications or software packages, instead leaving those decisions up to the individual agency.
NIST has iterated on the standards since their original draft to keep up with the changing world of information security, and the SP 800-53 is now in its 4th revision dated January 22, 2015. The 5th revision is currently up for comments – stay tuned for updates.
Benefits of NIST SP 800-53
NIST SP 800-53 is an excellent roadmap to covering all the basics for a good data security plan. If you establish policies and procedures and applications to cover all 18 of the areas, you will be in excellent shape.
Once you have the baseline achieved, you can further improve and secure your system by adding additional software, more stringent requirements, and enhanced monitoring.
Data security, like NIST SP 800-53, is evolving rapidly. A data security team needs to constantly look for more ways to reduce the risk of a data breach and to protect their data from insider threats and malware. The Varonis Data Security Platform maps to many of the basic requirements for NIST, and reduces your overall risk profile throughout the implementation process and into the future.
NIST 800-53 Compliance Best Practices
Implement these basic principles to data security to work towards NIST 800-53 compliance:
- Discover and Classify Sensitive Data
Locate and secure all sensitive data
Classify data based on business policy
- Map Data and Permissions
Identify users, groups, folder and file permissions
Determine who has access to what data
- Manage Access Control
Identify and deactivate stale users
Manage user and group memberships
Remove Global Access Groups
Implement a least privilege model
- Monitor Data, File Activity, and User Behavior
Audit and report on file and event activity
Monitor for insider threats, malware, misconfigurations and security breaches
Detect security vulnerabilities and remediate
Compliance with NIST 800 53 is a perfect starting point for any data security strategy. The new GDPR regulations coming in May 2018 shine a spotlight on data security compliance guidelines in Europe, and changes are already coming to state legislation in the US that will implement additional requirements on top of NIST 800 53. As new legislation rolls out, achieving and maintaining compliance with the current baseline will make much easier to meet updated requirements.
NIST sets the security standards for internal agencies – building blocks for common sense security standards. Want to learn more? See how Varonis maps to NIST 800 53 and can help meet NIST standards.