
Should Your Organization Consider NIST SP 800-53 for its Cybersecurity Foundation?

Business owners today are always looking for ways to set themselves apart from their competition. One way to do so is by proving their operational security maturity and adopting the National Institute of Standards and Technology Special Publication (NIST SP) 800-53 framework. NIST is a non-regulatory agency of the U.S. Commerce Department that establishes standards across federal agencies. NIST SP 800-53 is a set of standards that assists federal agencies in meeting the requirements set by the Federal Information Security Management Act (FISMA). However, given the latest cybersecurity headlines, NIST SP 800-53 is starting to influence the private sector as well.

NIST SP 800-53 Defined

NIST SP 800-53 is a standard designed for federal agencies and contractors to provide guidance on data protection. The guideline was designed to heighten the security of federal information systems. It deals with security controls and safeguards for information systems and agencies. Security controls encompass aspects like policy, oversight, supervision, manual processes, individual action, or automated tasks implemented by information systems. Moreover, the actual guidelines apply to any system that stores, processes, or transmits information within the federal government.

The NIST SP 800-53 framework was updated in 2013 by the Joint Task Force Transformation Initiative Interagency Working Group. This was its fourth revision, produced as part of an ongoing partnership with federal bodies such as the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security, and other federal agencies. The guidelines are revised to keep pace with the evolving nature of cybersecurity and technological innovations like cloud computing, the Internet of Things, and web applications.

NIST SP 800-53 VS. NIST 800-171 VS. NIST CSF

NIST SP 800-53 is recognized by different national security agencies because it is incredibly rigorous. Compared to its counterparts, NIST SP 800-171 and the NIST Cybersecurity Framework (CSF), NIST SP 800-53 has a higher level of complexity and concentration. NIST SP 800-171 is primarily used to protect Controlled Unclassified Information in Nonfederal Systems and Organizations; its focus is on information security protections. NIST CSF is used to enhance the security resilience of critical infrastructure, with its primary objective being to complement organizations' existing risk management processes. It tackles cybersecurity from a risk-based approach. In another blog post, we cover NIST CSF in depth and provide its typical use cases as well as its historical benefits.

Unlike other NIST frameworks, NIST SP 800-53 takes a low-level approach to cybersecurity. Rather than high-level concepts, it gives specific details on how to implement specific controls. As a result, the document is 460 pages in comparison to CSF's 40 pages and might not be suitable for executives or non-technical personnel to read. Regardless, the bottom line is that NIST SP 800-53 can improve information assurance because it is not just a fill-out-the-form document. It draws on various departments throughout an organization to establish a layered level of security that requires full organizational commitment.

NIST SP 800-53 Explained

NIST guidelines tend to utilize a multi-tiered approach to risk management. NIST SP 800-53 works in conjunction with SP 800-37, which provides federal agencies guidance on implementing risk management programs; NIST SP 800-53 focuses on the controls aspect of those programs. The controls NIST SP 800-53 establishes are classified by impact level: low, moderate, or high. They are also split into 18 different families. The idea is that by separating controls into families, organizations can streamline control selection and the specification process. The NIST SP 800-53 families are:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

One attribute that sets NIST SP 800-53 apart from other frameworks is that it introduces the methodology of using security control baselines as the starting point for the control selection process. A baseline is the initial set of controls matched to a system's impact level, which the organization then tailors to its operational and functional needs. NIST SP 800-53 also suggests selecting controls to defend against the most common types of threats facing information systems, rather than only considering past threats.
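The baseline-then-tailor selection process described in the two passages above (impact levels, control families, and baselines as the starting point) can be made concrete with a small model. This is an added example, not code from Silent Sector or from NIST, and its control catalog is constructed for illustration: the control identifiers, titles, and baseline allocations are assumptions and do not reproduce the actual SP 800-53 baseline tables. The one rule it enforces is the practitioner's check that a control removed from a baseline must carry a documented justification, so the tailoring decision survives an assessment.

```python
"""Toy model of NIST SP 800-53 baseline selection and tailoring.

Added example, not Silent Sector's or NIST's code. CATALOG is a constructed
mini-catalog: identifiers ending in -X are placeholders, and the baseline
allocations are assumptions, not the real SP 800-53 tables.
"""
from collections import defaultdict
from dataclasses import dataclass

# Impact levels ordered so that a higher baseline subsumes a lower one.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Control:
    control_id: str    # constructed placeholder identifier
    family: str        # one of the 18 families listed in the post
    title: str
    min_baseline: str  # lowest impact baseline that includes the control (assumed)


CATALOG = [
    Control("AC-X1", "Access Control", "Account management", "low"),
    Control("AC-X2", "Access Control", "Least privilege", "moderate"),
    Control("AU-X1", "Audit and Accountability", "Audit event logging", "low"),
    Control("AU-X2", "Audit and Accountability", "Audit log protection", "moderate"),
    Control("IR-X1", "Incident Response", "Incident handling", "low"),
    Control("IR-X2", "Incident Response", "Incident response testing", "moderate"),
    Control("SC-X1", "System and Communications Protection", "Boundary protection", "low"),
    Control("SC-X2", "System and Communications Protection", "Transmission confidentiality", "moderate"),
    Control("SC-X3", "System and Communications Protection", "Fail-secure networking", "high"),
    Control("SI-X1", "System and Information Integrity", "Flaw remediation", "low"),
]


def select_baseline(impact, catalog=CATALOG):
    """Return the starting set of controls for a system of the given impact level.

    A control belongs to the baseline when the baseline level is at least the
    control's minimum baseline, so the moderate baseline includes every low
    control and the high baseline includes everything.
    """
    if impact not in LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return [c for c in catalog if LEVELS[c.min_baseline] <= LEVELS[impact]]


def tailor(baseline, add=(), remove=(), justifications=None, catalog=CATALOG):
    """Adjust a baseline to operational needs.

    Controls may be added from the catalog freely; removing a baseline control
    requires a written justification keyed by control id, otherwise the
    tailoring is rejected. Returns the tailored list sorted by control id.
    """
    justifications = justifications or {}
    by_id = {c.control_id: c for c in catalog}
    selected = {c.control_id: c for c in baseline}
    for cid in remove:
        if cid not in justifications or not justifications[cid].strip():
            raise ValueError(f"removing {cid} from the baseline requires a documented justification")
        selected.pop(cid, None)
    for cid in add:
        if cid not in by_id:
            raise KeyError(f"{cid} is not in the control catalog")
        selected[cid] = by_id[cid]
    return sorted(selected.values(), key=lambda c: c.control_id)


def group_by_family(controls):
    """Group selected control ids by family, the view used when assigning owners."""
    grouped = defaultdict(list)
    for c in controls:
        grouped[c.family].append(c.control_id)
    return dict(grouped)


if __name__ == "__main__":
    moderate = select_baseline("moderate")
    tailored = tailor(
        moderate,
        add=["SC-X3"],
        remove=["IR-X2"],
        justifications={"IR-X2": "Testing is performed under the enterprise-wide IR programme."},
    )
    for family, ids in sorted(group_by_family(tailored).items()):
        print(f"{family}: {', '.join(ids)}")
```

The moderate baseline here yields nine controls; tailoring swaps one out (with its justification recorded) and pulls one high-baseline control in, and the grouped view shows which families the resulting work lands in.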

Why use NIST SP 800-53?

Federal or not, there are numerous benefits for organizations that comply with NIST SP 800-53. Because NIST SP 800-53 is a major component of FISMA, organizations can humbly brag that they are aligned with one of the most important federal data security laws. Additionally, by adopting NIST SP 800-53, organizations will see a drastic improvement in their cybersecurity, as SP 800-53 provides a fundamental baseline for deploying a secure infrastructure.

For organizations of all sizes, privacy protections are critical for customer retention and are required for federal agencies. To that end, 8 new privacy controls were added in the latest NIST SP 800-53 revision, based on the internationally accepted Fair Information Practice Principles. These privacy controls address the proliferation of social media, Smart Grid, mobile computing, and the development of metadata environments. The privacy control families are:

  • Authority and Purpose (AP)
  • Accountability, Audit, and Risk Management (AR)
  • Data Quality and Integrity (DI)
  • Data Minimization and Retention (DM)
  • Individual Participation and Redress (IP)
  • Security (SE)
  • Transparency (TR)
  • Use Limitation (UL)

The adoption of NIST SP 800-53 privacy controls can enhance an organization's mission and business functions. It also promotes customer trust and can help organizations stand out from their competitors.

With consumers and business partners starting to demand more data protection, it is becoming vital that organizations understand the importance of formalizing data protection by adhering to a framework. Moreover, implementing a framework can help organizations understand their maturity level. Frameworks like NIST SP 800-53 empower organizations to spend their limited resources deliberately and remove extraneous spending.

Silent Sector knows that the success of any organization lies in establishing deep trust with its customers. Is your organization doing everything possible to prevent security issues and protect irreplaceable data from ruthless cyber criminals? If not, contact us for support and guidance.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst in the utility industry. She has her BS in IT Cyber Security as well as security certifications like the CompTIA Security+. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology. Cybersecurity is not only a vehicle for her to achieve this, but a passion for life.