NIST SP 800-53 is a critical component of FISMA compliance: it is the catalogue of recommended security controls for federal information systems and organisations.
NIST Special Publication 800-53, published by the National Institute of Standards and Technology, sets out standards and guidelines for how US government agencies should architect, implement and manage their information security systems and the data stored on them.
Under the Federal Information Security Management Act (FISMA), NIST SP 800-53 sets the standards and guidelines that federal agencies and their contractors must follow.
NIST SP 800-53 also has a role in developing Federal Information Processing Standards (FIPS) alongside FISMA.
As we continue to see a growing dependency on the internet and a greater dependence on information systems for business and personal communication, the need for information privacy and security is only increasing.
ISMS.online can help your organisation comply with NIST SP 800-53.
The guidelines apply to all elements of an information system that stores, processes, or transmits federal information.
The guidelines cover areas such as mobile and cloud computing, insider threats, application security and supply chain security, and they have been crafted to keep pace with the evolving nature of information security.
NIST SP 800-53 covers the steps in the risk management framework that address security control selection for federal information systems, according to the security requirements in FIPS.
The security rules cover areas such as access control, incident response, business continuity and disaster recovery. A vital part of the assessment and authorisation process for federal information systems is selecting and implementing a subset of the controls from the security control catalogue in NIST SP 800-53, Appendix F.
These management, operational and technical safeguards are prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.
The controls can be adjusted and tailored to fit more closely with the goals and environments of the organisation.
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
The standard improves the security of information systems by organising its controls into control families. Private organisations also comply with NIST SP 800-53 because its 18 control families help them meet the challenge of selecting appropriate baseline security controls, policies and procedures.
Ensuring security and compliance is only one benefit of the tailoring process. It also promotes consistent and cost-effective application of controls across your information technology infrastructure, and it encourages you to analyse each security and privacy control you select to confirm its relevance to your infrastructure and environment.
Because incidents affect different data and information systems differently, a careful risk assessment is required. NIST SP 800-53 provides a catalogue of security and privacy controls together with guidance on applying them. Controls should be chosen based on the protection requirements of the information involved.
As previously mentioned, Federal Information Processing Standards (FIPS) can help you choose the controls your organisation needs against the three impact levels defined in FIPS.
These impact levels are:
NIST SP 800-53 controls are allocated into the following families:
| Family Name | ID | Example of Controls |
|---|---|---|
| Access Control | AC | Account management & monitoring |
| Awareness and Training | AT | User awareness and training on security threats |
| Audit and Accountability | AU | Content of audit records – Analysis & reporting – Record retention |
| Assessment, Authorization, and Monitoring | CA | Connections to public networks & external systems – Penetration testing |
| Configuration Management | CM | Authorised software policies |
| Contingency Planning | CP | Alternate processing & storage sites – Business continuity strategies |
| Identification and Authentication | IA | Authentication policies for users, devices & services – Credential management |
| Individual Participation | IP | Consent & privacy authorization |
| Incident Response | IR | Incident response training, monitoring & reporting |
| Maintenance | MA | System, personnel & tool maintenance |
| Media Protection | MP | Access, storage, transport, sanitisation & use of media |
| Privacy Authorization | PA | Collection, use & sharing of personally identifiable information |
| Physical and Environmental Protection | PE | Physical access – Emergency power – Fire protection – Temperature control |
| Planning | PL | Social media & networking restrictions – Defence-in-depth security architecture |
| Program Management | PM | Risk management strategy – Insider threat program – Enterprise architecture |
| Personnel Security | PS | Personnel screening, termination & transfer – External personnel – Sanctions |
| Risk Assessment | RA | Risk assessment – Vulnerability scanning – Privacy impact assessment |
| System and Services Acquisition | SA | System development lifecycle – Acquisition process – Supply chain risk management |
| System and Communications Protection | SC | Application partitioning – Boundary protection – Cryptographic key management |
| System and Information Integrity | SI | Flaw remediation – System monitoring & alerting |
Book a tailored hands-on session
based on your needs and goals
Book your demo
NIST SP 800-53 Revision 1 was released in December 2006 as “Recommended Security Controls for Federal Information Systems.”
NIST SP 800-53 Revision 2 was released in December 2007 as “Recommended Security Controls for Federal Information Systems.”
NIST SP 800-53 Revision 3 was released in August 2009 as “Recommended Security Controls for Federal Information Systems and Organizations.” This version incorporates several recommendations from people who commented on previously published versions.
Commenters recommended a reduction in the number of security controls for low-impact systems, and also suggested a new set of application-level controls and greater latitude for organisations to downgrade controls.
Changes brought in by revision 3:
NIST SP 800-53 Revision 4 was initially released in February 2012 as “Security and Privacy Controls for Federal Information Systems and Organisations”.
Revision 4 included updates to security controls, supplemental guidance and control enhancements. It also updated tailoring and supplementation guidance that form elements in the control selection process.
NIST SP 800-53 Revision 5 was initially discussed in August 2017 and removed “federal” from the title “Security and Privacy Controls for Federal Information Systems and Organisations” to signal that the controls may be applied to all organisations, not just federal ones. The final version of Revision 5 was released in September 2020.
Some changes in this version include:
NIST SP 800-53A contains a set of procedures for conducting assessments of security controls and privacy controls within federal systems and organisations.
The procedures can be easily tailored to give organisations the flexibility to conduct security control assessments and privacy control assessments aligned with the organisation’s stated risk tolerance.
Guidance on analysing assessment results is provided, with information on building effective security and privacy assessment plans.
NIST SP 800-53B provides baseline security controls and privacy controls for information systems.
Guidance is provided on analysing assessment results and information on building effective security assessment plans.
It helps drive our behaviour in a positive way that works for us & our culture.
Use of the standard is mandatory for federal information systems. Any organisation that works with the federal government must also comply with NIST SP 800-53 in order to maintain that relationship.
The standard provides a framework that any organisation, including state, local and tribal governments and private companies, can use to develop, maintain and improve its information security practices.
Federal agencies need to be compliant with the latest revision of NIST SP 800-53 within one year of the release of the new revision, and new systems need to be compliant at the time of deployment.
NIST SP 800-53 helps organisations of all shapes and sizes comply with the Federal Information Security Modernization Act (FISMA). There is an extensive catalogue of controls to strengthen security.
The purpose of FISMA is to protect government information and assets against unauthorised access, use, disclosure, disruption, modification and destruction.
It’s a common misconception that an organisation must choose between NIST SP 800-53 and ISO 27001, or that one is better than the other. Both can be used within the same organisation and there are many synergies between them. Data security, risk assessments and security programmes fall within the scope of both ISO 27001 and NIST SP 800-53.
The NIST frameworks were designed to be voluntary and flexible. They share several common principles with ISO 27001, including the need for senior management support, a continual improvement process and a risk-based approach, which makes it straightforward to implement them together.
The risk assessment process specified by ISO 27001 takes a very similar approach to NIST SP 800-53. Both require identifying risks to the organisation’s information, selecting controls appropriate to the risk, and monitoring how those controls perform.
| ISO/IEC 27001 (International Organization for Standardization) | NIST (National Institute of Standards and Technology) |
|---|---|
| ISO 27001 is an internationally recognised approach to establishing and maintaining an information security management system (ISMS). | NIST was created to help US federal agencies and organisations better manage their risk. |
| ISO 27001 is less technical, with more emphasis on risk-based management, and provides best practice recommendations for securing all information. | The framework’s three main components are the core, implementation tiers and profiles, which describe the activities necessary to fulfil each function. |
| There are 14 control categories and 114 controls in ISO 27001 Annex A. | NIST frameworks have various control catalogues. |
| There are ten clauses in ISO 27001 that guide organisations through their ISMS journey. | The NIST framework has five functions that can be used to modify and customise cyber security controls. |
| Independent audit and certification bodies are used to verify ISO 27001 compliance. | NIST has a voluntary self-certification mechanism. |
ISMS.online is continually evolving to meet the information security, privacy and business continuity needs of organisations across the globe. Our simplified, secure, sustainable platform supports far more than just ISO/IEC 27001. As our platform grows, so does the list of standards and regulations we support.
Plus, our platform comes with various pre-built frameworks you can adopt, adapt, or add to depending on your organisation’s unique needs. Or you can easily build your own for bespoke compliance projects.
The data on federal networks may include sensitive information that is essential to the ongoing function of the US government.
It may also include users’ private data, known as personally identifiable information, which is equally important to safeguard and is protected under NIST SP 800-171.
NIST SP 800-53 is a systematic approach to protecting information and computing systems.
The systems include:
The types of data that can be protected will vary due to the diversity of systems and organisations.
The following best practices help with selecting and implementing appropriate security and privacy controls for NIST SP 800-53 compliance.
NIST SP 800-53 was initially released in February 2005, aptly named “Recommended Security Controls for Federal Information Systems.”