NIST Special Publication 800-53 sets an exemplary standard for protecting sensitive data. Though originally designed for government agencies, the framework has become a popular inclusion in most security programs across a wide range of industries.
The growing popularity of NIST 800-53 is likely driven by a desire to improve data security practices in response to rising data breach costs, and when a superior data protection policy is required, the safest option is to emulate a cybersecurity framework trusted to protect federal information systems.
However, with 20 control families and 90 security controls, tracking compliance efforts with NIST 800-53 isn’t easy. To accelerate this effort, the checklist below will help you align your information security program with the primary control pillars of NIST 800-53.
The 20 NIST SP 800-53 Security Controls
NIST SP 800-53 comprises 20 control families setting the baseline of data security for federal information systems. Many of these controls map to other frameworks and standards, such as the NIST Cybersecurity Framework and ISO/IEC 27001.
For a mapping between NIST 800-53 controls and other frameworks, refer to this resource by NIST.
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Assessment, Authorization, and Monitoring (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Personally Identifiable Information Processing and Transparency (PT)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
For more details about the security and privacy controls of NIST 800-53, refer to the official publication of the framework by the National Institute of Standards and Technology (NIST).
NIST 800-161 further expands the supply chain risk management control family of NIST 800-53. Combined, both risk management frameworks create the foundation for a Supply Chain Risk Management (SCRM) program.
1. Achieve a Security Control Baseline
NIST 800-53 specifies security control baselines that define the framework's minimum data security standard. Meeting this minimum standard sets the foundation for complete compliance with the framework.
Refer to this resource to view all of the NIST 800-53 controls and baselines.
2. Implement Control Enhancements
Control enhancements extend the functionality and efficacy of a given baseline control. They are optional for entities not obligated to comply with NIST 800-53, that is, those that don't handle or process data impacting national security.
However, implementing control enhancements brings significant system security benefits even when they aren't mandatory. Enhancements in the Access Control family, for example, add account management protections such as inactivity logout and dedicated privileged user accounts. These enhancements can reduce the impact of the security incidents with the greatest influence on damage costs, such as third-party breaches.
Control enhancements are listed below the baseline controls in each control family (refer to this control catalog spreadsheet by NIST). Each is identified by the abbreviated identifier of its baseline control, followed by a number in parentheses giving the sequential number of the enhancement.
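The identifier notation just described, plus the tracking of responsible owners from point 3, is easy to check mechanically. The following is an added example (not code from this article or from UpGuard): it parses identifiers in the baseline-plus-parenthesised-enhancement form, rejects family abbreviations outside the 20 families listed above, and groups a constructed set of tracking records by family. The identifiers and owners in the sample records are made up for illustration, not taken from any real catalog or assessment.

```python
import re
from collections import defaultdict

# The 20 control families listed in this article, keyed by abbreviation.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability", "CA": "Assessment, Authorization, and Monitoring",
    "CM": "Configuration Management", "CP": "Contingency Planning",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning",
    "PM": "Program Management", "PS": "Personnel Security",
    "PT": "Personally Identifiable Information Processing and Transparency",
    "RA": "Risk Assessment", "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity", "SR": "Supply Chain Risk Management",
}

# Family abbreviation, dash, control number, then an optional "(n)" enhancement number.
_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

def parse_control_id(text):
    """Return (family, control_number, enhancement_or_None); reject unknown families."""
    m = _ID.match(text.strip().upper())
    if not m or m.group(1) not in FAMILIES:
        raise ValueError(f"not a NIST 800-53 control identifier: {text!r}")
    fam, ctl, enh = m.groups()
    return fam, int(ctl), (int(enh) if enh is not None else None)

def summarize(records):
    """Group tracking records per family into baseline controls, enhancements,
    and entries that still lack a responsible owner (an audit-evidence gap)."""
    out = defaultdict(lambda: {"baseline": [], "enhancements": [], "unowned": []})
    for rec in records:
        fam, _ctl, enh = parse_control_id(rec["control"])
        ident = rec["control"].strip().upper()
        out[fam]["enhancements" if enh is not None else "baseline"].append(ident)
        if not rec.get("owner"):
            out[fam]["unowned"].append(ident)
    return dict(out)

# Constructed sample tracking records (hypothetical identifiers and owners).
SAMPLE = [
    {"control": "AC-2", "owner": "IAM team"},
    {"control": "AC-2(3)", "owner": "IAM team"},
    {"control": "ac-2(7)", "owner": ""},
    {"control": "SR-3", "owner": "Procurement"},
]
```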
3. Delegate Responsibilities and Record Evidence of Implementation
Designate an individual or team to take ownership of the implementation of all NIST 800-53 security controls. This responsibility should include tracking the progress of compliance efforts and ongoing alignment with the framework.
A specialized individual or team should also be delegated the responsibility for ensuring all newly developed systems (including cloud computing systems) and system development lifecycles comply with the framework.
Compliance efforts should be tracked in an official document that also identifies all responsible parties. This document will offer evidence of compliance during an audit.
To ensure these reports are readily available for auditors, it’s best to publish them alongside other relevant security assessments in a shared public profile.
4. Recognize all Existing Security Policies and Operations
All NIST 800-53 controls must integrate with existing security frameworks and policies. The designated implementation team (see point 3) should complete an internal audit of all applicable policies and map their security requirements to each NIST 800-53 control family.
This audit should also include applicable regulations and security standards since their data security standards could complement NIST 800-53 compliance. Some examples include:
- Federal Information Security Management Act (FISMA)
- Federal Information Processing Standards (FIPS)
- Federal Information Security Modernization Act
- GDPR
- PCI DSS
- HIPAA
5. Centralize Neutral Security Controls
The NIST 800-53 security control architecture should centralize neutral controls, those applicable to multiple departments and systems.
Mapping all security systems to centralized, inheritable controls significantly reduces implementation costs and resource demands during operation. System-specific security controls should remain localized.
For example, the Access Control family is used by every department that implements least privilege policies and monitors for insider threats. Deploying a separate instance of this control family in each department would place an unnecessary burden on resources and implementation time.
Track NIST 800-53 Compliance with UpGuard
UpGuard’s end-to-end third-party security risk management solution helps businesses efficiently scale their Vendor Risk Management efforts. Included in the platform’s library of customizable risk assessments is a NIST SP 800-53 questionnaire, and a feature that intelligently maps assessment responses to this standard highlights compliance gaps that should be addressed before an audit.