NIST 800-53 (Questions/Answers)

One of the most important tasks business and IT leaders struggle with today is making sure data is managed properly and is kept as secure as possible.

Any type of data breach or loss of information can be devastating for an organization. The federal government has provided specific guidelines to help companies manage the risk and maintain data as effectively as possible. NIST (National Institute of Standards and Technology) is an agency of the United States government whose purpose is to promote industrial innovation and competitiveness. This agency published NIST 800-53, which covers risk management solutions and guidelines for IT systems. The following is everything an organization should know about NIST 800-53.

What Is NIST 800-53?

NIST 800-53 provides guidelines for managing information systems that maintain any type of government data. Its purpose is to help individuals and organizations implement and maintain basic security controls, and respond properly when incidents involving sensitive and classified data occur. These fundamental security controls are based on FIPS 199, which includes worst-case analysis. NIST 800-53 was written specifically for federal systems and anyone working for or with government agencies. It's important to note the primary difference between NIST 800-171 and NIST 800-53. NIST 800-171 focuses on managing CUI, while NIST 800-53 is focused on solutions and security measures put in place to make sure classified data is stored, protected, and monitored effectively.

There have been several versions and revisions of NIST 800-53. It was first released in February 2005. Revision 1 was released in December 2006 and Revision 2 a year later. The 5th Revision is currently in draft form and, at the time this article was written, has not been finalized. It's important to note that even organizations and businesses that aren't required to follow these guidelines are still strongly encouraged to do so. NIST 800-53 is considered an excellent roadmap for improving and maintaining the highest levels of security.

Those who are required to follow the guidelines include the following:

  • Government Agencies
  • Contractors to Federal Agencies
  • Certified Vendors
  • Cloud Service Specialists under a FedRAMP Program

Why Is NIST 800-53 So Important?

NIST 800-53 is important because it was designed to keep information safe and secure for governmental agencies. Everything from global viruses to increasingly sophisticated hacking plots has made it necessary to create and implement extensive security measures. NIST 800-53 focuses on the central idea of building information systems correctly and then providing continuous monitoring. If these two basic steps are taken, risks to information systems are significantly lowered. There are several specific reasons why following the guidelines is important.

  • Complying with NIST 800-53 will also help an organization meet other compliance obligations such as FISMA.
  • Complying with NIST 800-53 advances technology and increases our overall economic security.
  • Complying with NIST 800-53 will provide exceptional security for all data and information systems within an organization.

How Do You Implement NIST 800-53?

Before looking at the requirements and how to implement them, it's important to understand how NIST 800-53 is categorized. First, there are three different security control levels. These include the following impact levels: High Impact Baseline, Medium Impact Baseline, and Low Impact Baseline. There are also three types of controls:

  • Common - These are controls that are used throughout the company.
  • Custom - These are customized to a particular device or application.
  • Hybrid - This is a control that a company customizes for their specific organization.

The following are the specific steps that need to be taken when implementing NIST 800-53.

  • Categorize Information - What data and information needs to be secured and how should this information be organized? This is the first question an organization should ask.
  • Select Controls - This phase includes selecting different types of security for each category. The goal at this stage is to select controls that minimize risk and are as easy as possible for employees to understand and follow.
  • Implement Controls - A detailed plan should be created specifying how, when, who, etc., to put the controls into practice. This will likely be a detailed plan that everyone in management will need to be on board with.
  • Assess Controls - This step involves assessing the performance of all security controls and making any necessary changes. This step will need the advice and guidance of IT professionals.
  • Authorize Systems - Authorize assets and personnel involved in the security system. It's important to know who in an organization should have access to each level of security and the information included at that level.
  • Monitoring - Ongoing monitoring is the last step in the process. This is not a one-time solution. Different types of monitoring will need to be put in place and then it should be determined how often each type of monitoring should occur. An accurate record-keeping and reporting system is crucial for successful monitoring.

What are the Requirements?

The requirements for NIST 800-53 in these guidelines cover over 200 controls in 18 specific areas. These areas are known as "control families." Each of the 18 areas has an acronym, such as AC for Access Control and CP for Contingency Planning. According to the NIST websites, the following are each of the 18 areas and some of the control requirements in each category.

  • Access Control (AC) - There are 25 specific controls in this category. A few include providing security for information sharing, security for access control for mobile devices, security for wireless and remote access, and security for information flow enforcement.
  • Audit and Accountability (AU) - There are 16 controls in the Audit and Accountability family. These include making sure audit review, analysis, and reporting are all secure. It also includes items such as audit record retention, audit generation, and response to audit processing failures.
  • Awareness and Training (AT) - The awareness and training category has 5 controls. Privacy and security controls must be implemented for awareness training, role-based training, training records, contacts with security groups, and awareness and training policies and procedures.
  • Configuration Management (CM) - This area has 11 controls. Providing security for configuration settings, security impact analysis, user-installed software, and software usage restrictions are a few in this category.
  • Contingency Planning (CP) - Contingency planning has 13 controls that need to be secured. A few include the contingency plan, contingency training, an alternate storage site, telecommunications services, and alternate communications protocol.
  • Identification and Authentication (IA) - This control family includes 11 specific areas involving items such as identifier and authentication management, authenticator feedback, and device identification and authentication.
  • Incident Response (IR) - There are 10 privacy and security controls for this section. Security and privacy must be met for incident response training, testing, handling, monitoring, and reporting.
  • Maintenance (MA) - There are 6 maintenance controls that must be secured. These include policies and procedures, controlled maintenance, maintenance tools, nonlocal maintenance, maintenance personnel, and timely maintenance.
  • Media Protection (MP) - Security and privacy for media protection list 8 controls. A few include media access, storage, sanitization, media use, and media downgrading.
  • Personnel Security (PS) - There are 8 controls in this section. These include security processes involved in screening, designation, transfer, and termination of employees. It also includes access agreements, third-party personnel, and personnel sanctions.
  • Physical and Environmental Protection (PE) - There are 20 control obligations that fall under this section. A few include security plans surrounding the potential need for emergency power and lighting, water damage and fire protection, visitor controls, and all visitor access records.
  • Planning (PL) - Planning has 9 controls. An organization needs to provide security and privacy controls for sections such as systems security plans, rules of behavior, privacy assessments, and central management.
  • Program Management (PM) - The program management family lists 16 controls that need securing. A few of these include information security resources, critical infrastructure plan, risk management strategy, and threat awareness program.
  • Risk Assessment (RA) - This section has 6 controls. A few include risk assessment, security categorization, risk assessment update, and vulnerability scanning.
  • Security Assessment and Authorization (CA) - There are 9 controls in this family. This would include creating and implementing security assessments, determining the effectiveness of security controls, and assigning roles in the process.
  • System and Communications Protection (SC) - There are 44 security and privacy controls for this section. A few of the specific areas that are covered include cryptographic protection, application partitioning, and information in shared resources.
  • System and Information Integrity (SI) - This section has 17 controls. Flaw remediation, malicious code protection, spam protection, error handling, and information output filtering are a few that need privacy and security controls provided.
  • System and Services Acquisition (SA) - This family of controls has 22 specific control areas. Security and privacy controls need to be in place for areas such as developer-provided training, customized development of critical components, security engineering principles, and user-installed software.

How Can a Professional IT Team Help?

Considering the complexity of implementing and maintaining all the requirements of NIST 800-53, it's crucial to make sure an organization has the assistance of an experienced IT team. If any of the standards are not met, everything from large fines to even the closure of a business may occur. An organization needs the experience and expertise of managed IT to make sure each of the previous guidelines is followed and strictly maintained. There are several good reasons why an organization should bring in managed IT to help implement security measures instead of using on-site IT.

  1. Evaluate the Current Security Plan - An experienced team can evaluate the current security system and make recommendations for improvement. This will make it easier to implement NIST 800-53 as well as any other security guidelines.
  2. Create an Updated Security Plan - With technology continuously changing, it's essential to have a team of IT experts who understand and can implement the latest security methods to keep the information as safe and secure as possible while meeting all compliance standards.
  3. Train Employees - Human error accounts for a high percentage of data loss and mishandling. Training all employees is a time-consuming and ongoing process that needs the expertise of IT professionals.
  4. Maintain Backup Security - If there is any loss of information, a virus, or a security breach, having all data backed up and a disaster recovery plan in place could mean the difference between a minor hassle and a devastating loss.
  5. Stay within Budget - Maintaining an in-house tech team that doesn't have the experience of professional IT experts can easily end up costing an organization more money in the long run.

System Services Enterprises (SSE) has been providing excellent technical services since 1966. They have been adapting and growing to meet the rapidly-changing needs of technology. They offer extensive training systems, consulting services, and a variety of managed IT and cybersecurity services. A company can schedule a complimentary compliance consultation to assess the risks their organization faces. Contact SSE for more information.
