What is NIST SP 800-53?

NIST Special Publication 800-53 sets out standards and guidelines to recommend how US government agencies should architect, implement and manage their information security systems, and in particular, the data held on these systems. NIST SP 800-53 is part of NIST’s Cybersecurity Framework. NIST (The National Institute of Standards and Technology) is a non-regulatory agency that is responsible for researching and establishing sets of standards across federal agencies in the United States. 

The Cybersecurity Framework was developed by NIST and issued by former President Obama in 2013. The framework serves as a "how to" guide and lays out best practices, global standards, and approaches that help organizations to manage information security risks to critical infrastructure. The framework is split into five different functions: identify, protect, detect, respond and recover.

In May, 2017, President Trump issued executive order 13800 that declared all US heads of agencies and executive departments were to be held accountable for managing cybersecurity risk within their agency going forward.

Given the evolving threat landscape and the greater threat to government systems, it has become necessary for any organization to protect the integrity of its systems and data. Federal Geovernment systems, in particular, are at increased risk due to the sensitive and critical information they store. For this reason, NIST SP 800-53 was introduced.

All federal agencies must comply with the guidelines. Any personal entity or business that operates as a contractor to a federal agency must also comply.

NIST SP 800-53 provides a unified framework for information security that promotes effective risk management across the entire Federal Government. The primary mission of NIST is to promote innovation and industrial competitiveness in the U.S. by advancing and enhancing measurement science, technology and standards in ways that improve our quality of life and our economic security.

Even for businesses that are not required to comply with NIST SP 800-53, the standards are still an excellent foundation for managing information security.

NIST SP 800-53 focuses on 18 different control families that are categorized as low, moderate or high. These controls are outlined in NIST SP 800-37, and include:

1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Contingency Planning
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Risk Assessment
15. Security Assessment and Authorization
16. System and Communications Protection
17. System and Information Integrity
18. System and Services Acquisition

All US federal agencies are required to comply with the NIST Cybersecurity Framework according to Executive Order 13800. Enterprises and organizations in the private sector are also recommended to follow NIST SP 800-53. NIST's framework is commonly considered as a roadmap for all organizations looking to develop, improve and maintain their information security practices as well as providing a robust guide for SMB enterprises.

Complying with the NIST SP 800-53 and other "best standards" within the Cybersecurity Framework will also help organizations to improve their compliance with other programs and regulations such as PCI DSS, GDPR, HIPAA, FISMA, FedRAMP, DFARS, CJIS, FedRAMP +, FedRAMP DoD, IL 2-6, and many other programs. 

As with many similar regulations and guidelines, NIST 800-53 is a living and evolving document that will be subject to major revisions over time. The latest revision to NIST 800-53 at the time of writing is SP 800-53 Rev.5. The major impact of revision 5 is that NIST 800-53 will no longer be limited to Federal systems and will address all systems. The revision includes a proactive and systematic approach to make a comprehensive set of safeguarding measures available to a broad base of public and private sector organizations. The measures will apply to all types of computing platforms, including cyber-physical systems, mobile and cloud systems, general-purpose computing systems, industrial/process control systems and IoT (Internet of Things) devices.

To find out whether you need to comply with NIST SP 800-53, it might be time to arrange a controls audit that will help you to identify gaps in your existing security provisions and subsequent risks to your infrastructure. This is the first step to becoming compliant and helping your organization to strengthen security and satisfy all areas of the guidelines.