
NIST 800-53: Definition and Tips for Compliance


NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day.

NIST SP 800-53 Defined

The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing standards across all federal agencies. NIST SP 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems. It was established to provide guidance for the protection of agencies’ and citizens’ private data.


Federal agencies must follow these standards, and the private sector should follow the same guidelines.

NIST SP 800-53 breaks the guidelines up into 3 Minimum Security Controls spread across 18 different control families.

Minimum Security Controls:

  • High-Impact Baseline
  • Medium-Impact Baseline
  • Low-Impact Baseline

Control Families:

What’s The Purpose of NIST SP 800-53

NIST SP 800-53 sets basic standards for information security policies for federal agencies – it was created to heighten the security (and security policy) of information systems used in the federal government.

The overall idea is that federal organizations first determine the security category of their information system based on FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems — essentially deciding whether the security objective is confidentiality, integrity, or availability.

NIST SP 800-53 then helps explain which standards apply to each goal – and provides guidance on how to implement them. NIST SP 800-53 does not define any required security applications or software packages, instead leaving those decisions up to the individual agency.

NIST has iterated on the standards since their original draft to keep up with the changing world of information security, and the SP 800-53 is now in its 4th revision dated January 22, 2015. The 5th revision is currently up for comments – stay tuned for updates.

Benefits of NIST SP 800-53

NIST SP 800-53 is an excellent roadmap to covering all the basics for a good data security plan. If you establish policies and procedures and applications to cover all 18 of the areas, you will be in excellent shape.

Once you have the baseline achieved, you can further improve and secure your system by adding additional software, more stringent requirements, and enhanced monitoring.

Data security, like NIST SP 800-53, is evolving rapidly. A data security team needs to constantly look for more ways to reduce the risk of a data breach and to protect their data from insider threats and malware. The Varonis Data Security Platform maps to many of the basic requirements for NIST, and reduces your overall risk profile throughout the implementation process and into the future.

NIST 800-53 Compliance Best Practices


Implement these basic principles of data security to work towards NIST 800-53 compliance:

  • Discover and Classify Sensitive Data
    ◦ Locate and secure all sensitive data
    ◦ Classify data based on business policy
  • Map Data and Permissions
    ◦ Identify users, groups, folder and file permissions
    ◦ Determine who has access to what data
  • Manage Access Control
    ◦ Identify and deactivate stale users
    ◦ Manage user and group memberships
    ◦ Remove Global Access Groups
    ◦ Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    ◦ Audit and report on file and event activity
    ◦ Monitor for insider threats, malware, misconfigurations and security breaches
    ◦ Detect security vulnerabilities and remediate
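The three operational practices above (map who can reach which data, find stale accounts and global-access exposure, watch file activity) can be checked with a few lines of code once you have exported group memberships, folder ACLs and an access log. The script below is an added example, not Varonis code and not part of the original post; the user, group, folder and event data are constructed, and the well-known group names, the 90-day stale threshold and the 20-files-per-minute burst threshold are assumptions you would tune to your environment.

```python
"""Permissions and activity review over constructed data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: these well-known groups grant access to every domain account,
# an account idle for more than 90 days is "stale", and touching 20 or more
# distinct files within one minute is a burst worth investigating.
GLOBAL_ACCESS_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
STALE_AFTER = timedelta(days=90)
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20
NOW = datetime(2018, 3, 1)  # fixed "now" so the example is reproducible

# Constructed directory export: user -> (explicit group memberships, last logon)
USERS = {
    "alice": ({"Finance", "Domain Users"}, datetime(2018, 2, 27)),
    "bob": ({"HR", "Domain Users"}, datetime(2018, 3, 1)),
    "carol": ({"IT-Admins", "Domain Users"}, datetime(2018, 2, 28)),
    "dave": ({"HR", "Domain Users"}, datetime(2017, 8, 1)),
    "svc-backup": ({"Domain Users"}, datetime(2017, 10, 15)),
}

# Constructed ACL export: folder -> (classification, principals granted read)
FOLDERS = {
    r"\\fs1\finance\payroll": ("PII", {"Finance", "Everyone"}),
    r"\\fs1\hr\reviews": ("PII", {"HR", "IT-Admins"}),
    r"\\fs1\public\templates": ("Public", {"Domain Users"}),
}

# Constructed file-activity log: (timestamp, user, path, operation)
EVENTS = [
    (datetime(2018, 3, 1, 9, 0, 0), "alice", r"\\fs1\finance\payroll\q1.xlsx", "read"),
    (datetime(2018, 3, 1, 9, 0, 5), "alice", r"\\fs1\finance\payroll\q2.xlsx", "read"),
] + [
    # bob modifies 25 distinct review documents within 25 seconds
    (datetime(2018, 3, 1, 9, 5, i), "bob", rf"\\fs1\hr\reviews\emp{i}.docx", "modify")
    for i in range(25)
]


def stale_users(users=USERS, now=NOW, max_age=STALE_AFTER):
    """Accounts whose last logon is older than max_age: candidates to disable."""
    return sorted(u for u, (_, last) in users.items() if now - last > max_age)


def effective_principals(user, users=USERS):
    """The user itself, its explicit groups, and the implicit well-known groups."""
    groups, _ = users[user]
    return {user} | groups | {"Everyone", "Authenticated Users"}


def who_can_access(folder, users=USERS, folders=FOLDERS):
    """Resolve a folder's ACL to the concrete accounts that can read it."""
    _, aces = folders[folder]
    return sorted(u for u in users if effective_principals(u, users) & aces)


def globally_exposed_sensitive_folders(folders=FOLDERS):
    """Non-public folders whose ACL contains a global access group."""
    return sorted(f for f, (cls, aces) in folders.items()
                  if cls != "Public" and aces & GLOBAL_ACCESS_GROUPS)


def burst_access(events=EVENTS, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Per user, the largest number of distinct files touched inside one window.

    Only users reaching the threshold are returned; a sudden sweep across many
    files is a common ransomware or bulk-exfiltration signal.
    """
    per_user = defaultdict(list)
    for ts, user, path, _ in sorted(events):
        per_user[user].append((ts, path))
    flagged = {}
    for user, items in per_user.items():
        start = 0
        for end in range(len(items)):  # sliding window over time-sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({p for _, p in items[start:end + 1]})
            if distinct >= threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def review():
    """One-shot report combining the three checks."""
    return {
        "stale_users": stale_users(),
        "globally_exposed": globally_exposed_sensitive_folders(),
        "access_map": {f: who_can_access(f) for f in FOLDERS},
        "burst_activity": burst_access(),
    }


if __name__ == "__main__":
    for section, result in review().items():
        print(f"{section}: {result}")
```

With the constructed data, the report shows two stale accounts (dave and the backup service account), one PII share readable by Everyone, and a 25-file modification burst by bob; on real exports the same three functions run unchanged once you replace the dictionaries with your directory, ACL and audit feeds.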

Compliance with NIST 800-53 is a perfect starting point for any data security strategy. The new GDPR regulations coming in May 2018 shine a spotlight on data security compliance guidelines in Europe, and changes are already coming to state legislation in the US that will implement additional requirements on top of NIST 800-53. As new legislation rolls out, achieving and maintaining compliance with the current baseline will make it much easier to meet updated requirements.

NIST sets the security standards for internal agencies – building blocks for common sense security standards. Want to learn more? See how Varonis maps to NIST 800-53 and can help meet NIST standards.

Risk Management Framework (RMF): An Overview


The Risk Management Framework (RMF) is a set of criteria that dictate how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010.

Today, the RMF is maintained by the National Institute of Standards and Technology (NIST), and provides a solid foundation for any data security strategy.

What is the Risk Management Framework (RMF)?

The elegantly titled “NIST SP 800-37 Rev.1” defines the RMF as a 6-step process to architect and engineer a data security process for new IT systems, and suggests best practices and procedures each federal agency must follow when enabling a new system. In addition to the primary document SP 800-37, the RMF uses supplemental documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137.

Risk Management Framework (RMF) Steps

We’ve visualized the RMF 6-step process below. Browse through the graphic and take a look at the steps in further detail beneath.


Step 1: Categorize Information System 

The Information System Owner assigns a security role to the new IT system based on mission and business objectives. The security role must be consistent with the organization’s risk management strategy.

Step 2: Select Security Controls 

The security controls for the project are selected and approved by leadership from the common controls, and supplemented by hybrid or system-specific controls. Security controls are the hardware, software, and technical processes required to fulfill the minimum assurance requirements as stated in the risk assessment. Additionally, the agency must develop plans for continuous monitoring of the new system during this step.

Step 3: Implement Security Controls 

Simply put, this step puts step 2 into action. By the end of this step, the agency should have documented and proven that it has achieved the minimum assurance requirements and demonstrated the correct use of information system and security engineering methodologies.

Step 4: Assess Security Controls 

An independent assessor reviews and approves the security controls as implemented in step 3. If necessary, the agency will need to address and remediate any weaknesses or deficiencies the assessor finds, and then document the security plan accordingly.

Step 5: Authorize Information System

The agency must present an authorization package for risk assessment and risk determination. The authorizing agent then submits the authorization decision to all necessary parties.

Step 6: Monitor Security Controls

The agency continues to monitor the current security controls and update security controls based on changes to the system or the environment. The agency regularly reports on the security status of the system and remediates any weaknesses as necessary.

How Can Varonis Help You Be Compliant?

NIST regulation and the RMF (in fact, many of the data security standards and compliance regulations) have three areas in common:

  • Identify your sensitive and at risk data and systems (including users, permissions, folders, etc.);
  • Protect that data, manage access, and minimize the risk surface;
  • Monitor and detect what’s happening on that data, who’s accessing it, and identify when there is suspicious behavior or unusual file activity.

The Varonis Data Security Platform enables federal agencies to manage (and automate) many of these practices and regulations required in the RMF.

DatAdvantage and Data Classification Engine identify sensitive data on core data stores, and map user, group, and folder permissions so that you can identify where your sensitive data is and who can access it. Knowing who has access to your data is a key component of the risk assessment phase, defined in NIST SP 800-53.

Data security analytics helps meet the NIST SP 800-53 requirement to constantly monitor your data: Varonis analyzes monitored data against dozens of threat models that warn you of ransomware, malware, misconfigurations, insider attacks, and more.

NIST SP 800-137 establishes guidelines to protect your data and requires that the agency meet a least privilege model. DatAdvantage, Automation Engine, and DataPrivilege streamline permissions and access management, and provide a way to more easily get to least privilege and automate permissions cleanup.

While the Risk Management Framework is complex on the surface, ultimately it’s a no-nonsense and logical approach to good data security practices at its core – see how Varonis can help you meet the NIST SP 800-37 RMF guidelines today.