NIST SP 800-53 defines the standards and guidelines federal agencies use to architect and manage their information security systems. It was established to guide the protection of agencies' and citizens' private data.
NIST controls generally enhance organizations' cybersecurity framework, risk posture, information protection, and security standards. While NIST 800-53 is mandatory for federal agencies, commercial entities can leverage the risk management framework in their security programs.
As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 directly applies to any federal organization (aside from national security agencies) and indirectly to non-federal organizations via SP 800-171.
Since NIST 800-53 was first introduced, the number of controls has dramatically expanded; the initial version of 800-53 contained approximately 300 controls, and NIST 800-53 rev 5 includes over 965 controls. But it's not just the number of controls; the controls' structure and organization have also evolved.
The significant difference between NIST 800-53 and 800-171 is that the latter relates to non-federal networks. If an organization runs support or "supply chain" operations, the Defense Federal Acquisition Regulation Supplement (DFARS) made specific cybersecurity protocols a requirement as far back as 2015.
The NIST CSF is a subset of NIST 800-53 and shares controls found in ISO 27002. It takes parts of ISO 27002 and NIST 800-53 but does not include either in full.
As of 2017, NIST is mandatory for all United States federal agencies. Organizations designated federal, state, or defense must often comply with specific NIST security requirements outlined in the Federal Information Security Management Act of 2002 (FISMA).
In many cases, complying with NIST guidelines and recommendations will help federal agencies ensure compliance with other regulations, such as HIPAA, FISMA, or SOX.
NIST 800-53 control families include:
AC - Access Control
The AC control family consists of security requirements detailing system logging: who has access to what assets, and reporting capabilities such as account management, system privileges, and remote access logging, used to determine when users can access the system and their level of access.
AT - Awareness and Training
The control sets in the AT Control Family are specific to your security training and procedures, including security training records.
AU - Audit and Accountability
The AU control family comprises security controls related to an organization's audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
CA - Assessment, Authorization, and Monitoring
The Assessment, Authorization, and Monitoring control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plans of action and milestones, and system interconnections.
CM - Configuration Management
CM controls are specific to an organization's configuration management policies. These include a baseline configuration that will operate as the basis for future builds or changes to information systems, information system component inventories, and security impact analysis control.
CP - Contingency Planning
The CP control family includes controls specific to an organization's contingency plan in case a cybersecurity event should occur. These include controls like contingency plan testing, updating, training, backups, and system reconstitution.
IA - Identification and Authentication
IA controls are specific to an organization's identification and authentication policies. This includes the identification and authentication of organizational and non-organizational users and the management of those systems.
IR - Incident Response
IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plans.
MA - Maintenance
The MA controls detail requirements for maintaining organizational systems and the tools used to do so.
MP - Media Protection
The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use.
PE - Physical and Environmental Protection
The Physical and Environmental Protection control family is implemented to protect systems, buildings, and supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection.
PL - Planning
The PL family is specific to an organization's security planning policies and must address the purpose, scope, roles, responsibilities, management commitment, coordination among entities, and organizational compliance.
PM - Program Management
The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, an information security program plan, plan of action and milestones processes, a risk management strategy, and enterprise architecture.
PS - Personnel Security
PS controls relate to how an organization protects its personnel through position risk, personnel screening, termination, transfers, sanctions, and access agreements.
PT - PII Processing and Transparency
This family requires the organization to ensure privacy and the protection of personally identifiable information, keeping it confidential.
RA - Risk Assessment
The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. An integrated risk management solution can help streamline and automate your NIST 800-53 compliance efforts.
SA - System and Services Acquisition
The SA control family comprises controls that protect allocated resources and an organization's system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
SC - System and Communications Protection
The SC control family covers system and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
SI - System and Information Integrity
The SI control family comprises controls that protect system and information integrity. This family involves flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
SR - Supply Chain Risk Management
This requires an organization to ensure its supply chain is vetted, approved, and compliant with security requirements to protect sensitive information.
Please click the CONTACT US link below if you have any questions or need assistance with NIST 800-53, CSF, Privacy, or FISMA compliance frameworks. CSSC does not charge for an initial Q&A session. Please let us know how we can help. Thank you.
Copyright © 2024 Cyber Security & Specialty Consultants - All Rights Reserved.