NIST 800-53 Rev.5 aka Security and Privacy Controls for Information Systems and Organizations (provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations from threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
NIST 800-53 can be an exhaustive document with ~500 pages of information, guidance, justification for steps that we need to take to secure an information system. There are 1,189 total controls in revision 5 of the document as compared to the 965 controls in revision 4.
The purpose of this post is to break down the categories of NIST 800-53 and provide best practices on the implementation.
At the highest level, there are 20 control families (rev 4 had 18) and each family has a number of controls that are a subset of the control families. For instance, the control family Access Control (AC) has 25 controls.
Each control in the control family has a control title that gives a brief description of the control, the baseline impact, and its relation to the privacy control baseline. Notably, the Priority column in rev 4 is removed in rev 5.
An important note is the selection of baseline controls that are to be implemented at an organization. Until rev 4 the controls were more focused on Federal information systems but rev 5 has removed that distinction from ‘Federal’ to other systems and made it more generic and accessible for organizations of all sizes.
An example of this would be AC5 – Separation of Duties that is not required for information systems of Low category (think a task scheduler for yourself) but is required for a Moderate or High impact information system (think an MDM solution used to manage systems for an organization).
Now for each control, NIST gives the specific description of the control and the applicable use cases.
NIST 800-53A – Assessing Security and Privacy Controls in
Information Systems and Organizations
NIST 800-53A is an extension of the NIST 800-53 that provides additional guidance on the conducting assessment of these controls and a detailed look at this will provide a better understanding of the requirements of 800-53. This additional guidance on these controls make it more easily understandable.
NIST 800-53B – Control Baselines for Information Systems and Organizations
The NIST 800-53B is a fairly new standard that contains security & privacy baselines for federal information systems and organizations. So, the control baselines that were a part of 800-53 have been relocated to this new standard.
This is again divided into 3 baselines – Low, Medium, and High that are at the discretion of the system owner.
Overall, I like the newer format of NIST 800-53 Rev.5 and the segregation of baselines from the overall 800-53 document.
Further read and references:
- https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/families?version=5.1
- https://www.nist.gov/blogs/cybersecurity-insights/next-generation-security-and-privacy-controls-protecting-nations
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf