NIST SP 800-53 Compliance Explained - How to be Compliant

NIST Special Publication 800-53 is a catalog of security controls that helps safeguard information systems from a range of risks. It was developed by the National Institute of Standards and Technology (NIST) to strengthen US government information systems against known threats, and it outlines security and privacy controls that are designed to protect the privacy of users and safeguard the ongoing operation of information systems.

NIST SP 800-53 is part of a range of guidelines developed by NIST to help federal agencies meet the requirements of the Federal Information Security Modernization Act (FISMA). The controls are designed to achieve a consistent level of protection across federal information systems. When properly implemented, these controls strengthen the integrity of information systems and protect user data being processed.

NIST SP 800-53 was designed for federal agencies but can also be adopted by other organizations looking for best practice security and privacy controls. This guide explores NIST SP 800-53, its controls and requirements, and tips to help organizations achieve and maintain compliance.

NIST Special Publication 800-53 definition

NIST Special Publication 800-53 is a selection of controls and requirements designed to safeguard US federal information systems. It was created by the National Institute of Standards and Technology (NIST) and first published in 2005, with expert input from a working group of defense, intelligence and civil government representatives, in addition to cybersecurity experts and organizations.

NIST SP 800-53 contains a catalog of security controls in 20 different families or areas of focus. Controls cover a variety of topics from access control to incident response to configuration management. It is part of NIST’s 800 series of Special Publications, which focus on guidelines, controls and reports on computer security and cybersecurity. Although originally focused on federal information systems, recent editions have been revised to include non-federal systems.

How is NIST SP 800-53 evolving?

NIST SP 800-53 has undergone regular reviews and revisions to ensure that the requirements address the latest threats to information systems. Recent revisions have helped it integrate with existing risk management systems like the NIST Cybersecurity Framework. Controls are explained clearly, covering the control’s mechanism and the level of security assurance.

Controls are regularly revised, added, or removed as new versions of NIST SP 800-53 are published. This keeps controls up to date with emerging risks, threats, and technologies. New controls also reflect changes in regulations or law. NIST SP 800-53 is designed to meet the needs of organizations as technology and risks evolve, ensuring controls continue to be effective.

NIST SP 800-53 Revision 5 

The fifth revision, named “Security and Privacy Controls for Information Systems and Organizations” was published in 2020. While version four was named Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 drops ‘Federal’ from the title, repositioning the guidance as relevant to all organizations, beyond just US government systems.

Revision 5 also focuses on an outcomes-based approach by changing the structure of the controls. Additionally, it eliminates the term ‘information system,’ extending the applicability to other relevant systems including IoT devices and cyber-physical systems.

Who must comply with NIST SP 800-53?

NIST SP 800-53 is a requirement for federal agencies, as it outlines the security and privacy standards to safeguard government information systems. With each new revision of NIST SP 800-53, federal agencies must be compliant within one year of the release of the new Revision and any new systems must be compliant with the latest Revision at the time of deployment. NIST SP 800-53 also applies to government contractors who operate on or manage federal IT networks – compliance requirements will be stipulated in their contract or service agreement.

US government contractors will also be well-versed on another publication in the NIST 800 series, NIST Special Publication 800-171, which is designed to protect sensitive government data, known as Controlled Unclassified Information (CUI), that resides on non-federal networks.

What data does NIST SP 800-53 protect?

NIST SP 800-53 sets out comprehensive privacy and security controls to protect information systems. The data on federal networks will be varied but may include sensitive information that is integral to the ongoing function of the US government. It could also include users' private data, such as personally identifiable information (PII), which is equally important to safeguard.

NIST SP 800-53 provides a systematic approach to safeguarding all types of information and computing systems and products. Systems include:

  • Cloud computing
  • Mobile systems
  • Healthcare systems
  • Computing systems
  • Internet of Things devices
  • Systems and networks that control industry processes.

The latest revision of NIST SP 800-53 is designed to be flexible in order to fit the needs and environment of an organization. Most controls are neutral to different technologies or sectors to stay flexible for a varied group of organizations. Because of the diversity of organizations and systems, the type of data these requirements can help protect will be varied.

What are the NIST SP 800-53 minimum controls? 

Each NIST SP 800-53 control contains a base or minimum control, and a control enhancement. The minimum controls are the baseline security and privacy controls that need to be implemented to help protect the system. Embedding the minimum control is an integral part of achieving compliance with the specific NIST SP 800-53 control. Each NIST SP 800-53 control also has an ‘enhanced’ section. The enhanced controls build on the base controls, providing better protection or additional functionality. Enhanced controls are used by organizations or systems with an increased risk. Organizations must first implement the base control before the addition of a control enhancement.

An example would be in the Incident Response family of controls. A base control covers the process of incident handling, whilst a series of connected enhanced controls provide incident-specific guidance, such as supply chain coordination.

How do organizations determine which NIST SP 800-53 controls to comply with?

Federal network security teams perform an organizational risk assessment to identify the appropriate security controls required to protect their respective organizational operations (including mission, functions, image, or reputation) and assets, as well as the required security controls to protect individuals, other organizations, or US national security.

NIST Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides security and privacy control baselines that act as a starting point for organizations in the control selection process. There are three security control baselines, one for each system impact level (low-impact, moderate-impact, and high-impact), as well as a privacy control baseline that is applied to systems irrespective of impact level.

In addition to the control baselines, NIST SP 800-53B provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. By using the tailoring guidance and assumptions provided, organizations can customize their security and privacy control baselines to protect their critical and essential operations and assets, as well as protect individuals' privacy. The resulting set of security controls, with tailored baselines, establishes a level of security due diligence for the federal organization. Any new information systems developed by federal agencies will also need to be compliant with NIST SP 800-53 before being completed and embedded in a government network.

What are the benefits of NIST SP 800-53? 

NIST SP 800-53 helps organizations strengthen their risk management processes by providing a catalog of security controls to reference. The controls are comprehensive, with more than 1,000 in total, covering all aspects and considerations of an information system, and they improve system resilience and help to limit the damage from security incidents and breaches.

NIST SP 800-53 helps to protect information systems from various threats including:

  • Cybersecurity incidents
  • Privacy breaches
  • Malicious attack
  • Mistakes and human error

What are the NIST 800-53 control families?

NIST SP 800-53 has more than 1,000 controls across 20 distinct control ‘families’. Families include a range of controls relating to their specific area. For example, the ‘Access Control’ family contains security and privacy controls relating to device and user access to the system.

The 20 NIST SP 800-53 control families are:

Access Control

The Access Control family contains controls that cover access to systems, networks, and devices. Controls provide guidance on the implementation of access policies, account management, and topics like user privileges. The controls aim to lower the risk of unapproved access to a range of systems, devices, or networks.

Awareness and Training

The Awareness and Training family of controls helps to ensure users of information systems are adequately trained to identify threats. A particular focus is improving awareness of different operational risks and threats to privacy or system security. Requirements around the creation of training policy, records, and feedback help to fine-tune the organization’s approach to cybersecurity training.

Audit and Accountability

The Audit and Accountability family of controls provides guidance on procedures for event logging and auditing. Controls cover the baseline content of audit records, the capacity of log storage, and the process for monitoring and reviewing logs. Log audits are an important part of identifying the cause of breaches or system issues, and are a tool for accountability.

Assessment, Authorization and Monitoring

The Assessment, Authorization and Monitoring family focuses on the continuous monitoring and improvement of security and privacy controls. It covers the creation of an assessment plan and the delegation of the team to carry out control assessment. Controls also cover the creation of a plan of action and milestones (POAM), an integral document for identifying and fixing vulnerabilities or weaknesses.

Configuration Management

The Configuration Management family contains controls focusing on the configuration of software and devices on the network. Controls cover the creation of a configuration policy, the creation of a baseline configuration of the system, and the management of unauthorized configuration or devices. Configuration controls lower the risk of unauthorized hardware or software being installed on the system, or vulnerabilities caused by changes to settings.

Contingency Planning

The Contingency Planning family contains controls to prepare organizations for system failures and breaches. Controls cover the planning for alternative processing or storage sites and the creation of system backups to help mitigate system downtime. Other controls focus on contingency planning, including training and plan testing. This family of controls is important for mitigating the damage from a system outage or network breach, establishing clear plans to restore normal operation.

Identification and Authentication

The Identification and Authentication family contains controls for the reliable identification of users and devices. Different controls focus on different elements of safe user or device authentication. Controls strengthen user management policies, lowering the risk of unauthorized access to the system.

Incident Response

The Incident Response family contains controls for all aspects of responding to a serious incident. This includes training and planning for potential incidents, as well as plans for actively monitoring and responding to incidents as they occur. Enhanced controls cover specific types of incidents that distinct organizations might face. Incidents may include data breaches, breakdowns in the supply chain, public relations damage, or malicious code in the system.

Maintenance

The Maintenance family of controls deals with all elements of system maintenance, including software updates, logging, and inspection tools. It covers the need for timely maintenance to lower the risk of operational outages, and outlines policy and the management of maintenance personnel.

Media Protection

The Media Protection family of controls covers the use, storage and safe destruction of media and files in the organization. Established policies and procedures help to lower the risk of information breaches and leaks.

Physical and Environmental Protection

The Physical and Environmental Protection family of controls covers physical access to devices and facilities, and the mitigation of threats to facilities. Controls cover policies for physical access to system controls, including monitoring access and visitors, as well as the monitoring of devices and assets. Other controls cover responses to physical threats, such as emergency lighting or power and the relocation to alternative facilities.

Planning

The Planning family of controls covers privacy and system security plans (SSPs), including system architecture, management processes, and the setting of baseline system settings.

Program Management

The Program Management family of controls covers all elements of the management of an information system, including a variety of processes, programs, and plans. This includes an information security program plan, risk management strategy, and critical infrastructure plan.

Personnel Security

The Personnel Security family of controls covers different policies and procedures around the management of personnel. This includes the process for terminating personnel contracts and the relative risk of each position to information security. 

Personally Identifiable Information (PII) Processing and Transparency

The PII Processing and Transparency family of controls helps to safeguard sensitive data, focusing on consent and privacy. Organizations can lower the risk of data breaches by properly managing personally identifiable information.

Risk Assessment

The Risk Assessment family of controls focuses on the assessment of system vulnerabilities and relevant risk. Controls cover the development of risk response procedures, and the use of vulnerability monitoring tools and processes.

System and Services Acquisition

The System and Services Acquisition family of controls includes the allocation of resources and the creation of system development life cycles. Controls help organizations create a safe acquisition process for new systems and devices, safeguarding the integrity of the wider system and data. Controls also cover the development and testing process for new systems, including developer training and security processes.

System and Communications Protection

The System and Communications Protection family of controls covers the protection of system boundaries and the safe management of collaborative devices. Controls provide in-depth guidance on set-up and ongoing management of systems, including access, partitions, and usage restrictions.

System and Information Integrity

The System and Information Integrity family of controls focuses on maintaining the integrity of the information system. Controls cover topics like protection from malicious code and spam, and procedures for ongoing system-wide monitoring.

Supply Chain Risk Management

The Supply Chain Risk Management family of controls covers policies and procedures to counter risks in the supply chain. This includes processes to assess and manage suppliers, and the inspection of supply chain systems and components.

How to ensure you’re NIST SP 800-53 compliant

Organizations will need to implement the relevant NIST SP 800-53 controls determined as part of the risk assessment process and evidence compliance with these controls as part of the organization’s annual FISMA reporting requirements. Monitoring continuous compliance against the selected controls, as well as adapting to any new updates or Revisions to the catalog, is crucial. The following guidance aims to help organizations successfully embed and sustain NIST SP 800-53 controls.

Delegate responsibility

An organization must first clearly define who is responsible for assessing, implementing, and monitoring the selected NIST SP 800-53 controls. By designating an individual or team to have responsibility for NIST SP 800-53 implementation, there will be resources to continuously monitor adherence and ensure compliance is efficiently and effectively evidenced for an audit. Those responsible must also certify that all newly developed systems are compliant upon introduction or deployment.

Understand your existing policies and operation

Achieving successful implementation will differ depending on the organization's policies and systems. Certain controls can be tailored by the organization to meet specific privacy and security needs. The parameters of these controls can be set to reflect the organization’s systems, operation, and risk. In-depth knowledge of an organization’s existing policies is vital to refine these controls to fit operational needs.

Reference the control catalog

Controls are designed to be flexible, so make sure to consult the discussion section of each control. It contains additional information that helps with implementing or adapting controls in line with the organization’s requirements or risk. The control catalog will also reference which controls are reliant on, or connected to, others. This helps build a systematic approach to implementation.

Record evidence of implementation

As with all security standards and frameworks, it is important to record the implementation of NIST SP 800-53 controls. Records and documentation should be collected as evidence of compliance with each individual control, helping to demonstrate overall compliance with NIST SP 800-53.

Take a common approach to implementation where possible

Many of the controls are neutral to different systems or areas of the organization, and so can be effectively implemented centrally. Once implemented, these common controls can be embedded in different systems or programs across the organization. These are described as ‘inheritable’ controls within the publication, as different systems can inherit the control from an overall common control.

This approach requires fewer resources and lower cost when compared with separate implementation across individual systems or areas of the organization. Examples may include control guidance on user account access, which can be applied across different systems as a common policy. Some controls will be system-specific, but, where possible, the common approach should be used to save resources and time.

Support with NIST SP 800-53 compliance

Titania Nipper is a solution designed to audit network device configurations, identifying vulnerabilities and areas of non-compliance, and recommending ways to resolve each issue found. Nipper can automate the assessment of NIST SP 800-53 controls related to network devices. The tool is trusted by federal agencies to demonstrate compliance and manage security vulnerabilities. By accurately automating the assessment of NIST SP 800-53 controls, internal auditors can save up to three hours per device audit.