It makes sense that some of the more powerful and rigorous security regulations are in the federal government. As federal agencies turn to third-party IT vendors to fulfill their missions, the demand for transparent, translatable and effective security regulations is only increasing. That’s why NIST 800-53, now on its fifth revision, is so important for agencies and contractors alike. 

Here, learn more about NIST 800-53, why it is so important to government (and, increasingly, private sector) IT security and why it benefits you to consider adopting its standards. 

What is NIST SP 800-53?

The U.S government leverages several compliance regulations and frameworks to help secure national security interests and sensitive data from theft or unauthorized disclosure. Because there are so many diverse agencies serving multiple national interests and community standards, there are therefore multiple compliance frameworks that detail security controls, technology requirements and risk management. 

Initially created in 2005 under the title “Recommended Security Controls for Information Systems”, NIST Special Publication 800-53 functions as part of the NIST 800 series of documents covering information system security. Having undergone several revisions, this publication is primarily geared towards security control selection in conjunction with requirements in the Federal Information Processing Standard (FIPS) 200. 

In short, any federal agency or contractor handling sensitive government information must adhere to specific regulations with security controls outlined in NIST 800-53. This does not apply to government systems managing classified information as part of Department of Defense or Executive Branch activities–security in this area may draw from 800-53 but will typically include more detailed controls outlined in other guidelines like NIST SP 800-171 for defense contractors. 

The continued evolution of IT technologies and applicable security threats have led to 5 distinct revisions of NIST 800-53. While some of the historical changes over these revisions are relatively incremental, there have been some significant upgrades in later editions. Some of the more dramatic changes include:

• NIST 800-53 Revision 3: This revision included several changes based on feedback from the previous two revisions and approached security intending to harmonize security across agencies and government contractors. This third revision also included some major security and risk frameworks that have become common nomenclature across federal systems. These changes include simplified processes for a 6-step risk management framework, modernized security controls, guidance for implementing RMF in legacy systems, guidance on demonstrating equivalent compliance for legacy systems and guidelines for streamlining FISMA security with international ISO/IEC standards. 
• NIST 800-43 Revision 4: This revision highlighted a new set of security threats to prioritize, including insider threats, supply chain threats, advanced persistent threats (APTs) and threats to mobile or cloud network infrastructure. Revision four also came with its list of security controls separated into 18 families that speak to common cybersecurity domains like identification and authentication, access control, auditing, risk assessment, incident response and other key security areas. Importantly, these control families help form the basis of control implementation across several other security regulations. 
• NIST 800-53 Revision 5: Revision 5 focused on streamlining security and privacy while de-emphasizing the framework’s applicability to federal agencies. Some of the changes here include promoting non-federal adoption of NIST 800-53 standards, consolidating security and privacy controls while making implementation a more outcome-based practice. 

While there are several hundred security controls defined in this publication, no single entity will use all of them. Adoption of controls should be driven by the demands of the data managed and as a result of comprehensive security audits and risk assessments. 

To help organizations best understand the controls they should implement, NIST 800-53 controls are divided (per FIPS 199 guidelines) into three impact levels. At each level, the nature of the data managed determines the controls required to secure it. 

These levels include:

1. Low Impact: At this level, data loss or compromise would have a limited impact on the operation of a given agency and the property or well-being of their constituents. At this level, while data is considered protected, much of it can also be obtained through requests to the government.
2. Moderate Impact: Data compromise or loss at this level could have a significant impact on the operation of the agency, including loss of operational capabilities or ability to pursue civil missions. Likewise, data loss can seriously impact constituents, including significant financial harm, loss or privacy or even potential bodily harm. 
3. High Impact: At this level, data loss or theft would be catastrophic to the operation of the agency in question. Likewise, data loss here will take a terrible cost from constituents, including loss of private data such as financial or Personal Health Information (PHI) that can result in serious financial or personal damage to citizens, up to and including severe physical harm or death. 

Where is NIST 800-53 Used?

Because NIST 800-53 aims to provide clear and technology-agnostic guidelines, it often serves as the bedrock for other programs. 

Some of these programs are:

1. FIPS 199: FIPS 199 defines impact levels, which in turn help contractors and agencies determine the level of security they should have based on the sensitivity of their data. At each level, an organization must adopt more security and risk management controls from 800-53.
2. FedRAMP: FedRAMP regulations provide a framework for auditing, assessment and continuous monitoring for Cloud Service Providers (CSP) working with unclassified data alongside federal agencies. FedRAMP wraps NIST 800-53 controls and FIPS 199 impact levels with a compliance infrastructure that includes extensive audits, third-party assessments and continued authorization.
3. Risk Management Framework (RMF): RMF provides a series of risk-based assessments and practices to help government agencies and contractors better situation their security determinations based on solid risk management and continued monitoring. As such, RMF includes a six-step process (Categorize, Select, Implement, Assess, Authorize and Monitor) that is informed by NIST 800-53.
4. Federal Information Security Management Act (FISMA): FISMA relies on NIST 800-53 for its catalog of controls and practices that IT providers must implement to work with agencies. 

Outside of these specific applications, NIST 800-53 is required of all federal agencies handling sensitive information. Following that, regulations that focus on protecting more sensitive data, like NIST 800-171/CMMC, will often draw from 800-53. 

What Are the Benefits of NIST 800-53?

While NIST 800-53 was initially designed for federal agencies and contractors, its most recent iterations have de-emphasized government applications for broader adoption. Because NIST 800-53 is purpose-built for high levels of security, it also finds its way into non-government work in healthcare and utilities. 

Compliance with NIST 800-53 will be shaped by your industry and the work you want to do with the government. By and large, however, there are several benefits that you can gain from following the standard. 

Some of these benefits include the following:

• Compliance Readiness: NIST 800-53 and ISO 27001 serve as the basis for many governments and private industry compliance frameworks, and they share many of the same controls and approaches to cybersecurity readiness. Obviously, if you comply with 800-53 controls, you are more likely than not well on your way to compliance with several federal frameworks (including FISMA, RMF or FedRAMP). Likewise, implementing these controls will position you to better adapt to other regulations like HIPAA or GDPR.
• Exhaustive Security: These regulations are rigorous, complete and evolving. When you adopt 800-53 standards you are adopting some of the most robust security and risk guidelines in the U.S. While that’s great for compliance, this also means that you’ll have strong cybersecurity measures in place. 
• Prioritizing Risk Assessment: Many small businesses don’t spend a lot of time thinking about risk assessment as part of their security implementation. With its focus on risk management as a security control selection practice, NIST 800-53 situates organizations to make better cybersecurity decisions overall. 

Conclusion

Preparing for NIST 800-53 compliance is an involved process that calls for in-depth audits, documentation and continuous monitoring. That process only gets more complicated when working with frameworks that add more complexity to that security posture (see FedRAMP). 

That’s why Lazarus Alliance provides extensive consulting, compliance automation and monitoring for NIST 800-53 compliance. Our experts are well-versed in the best way to help our clients migrate from stone-age tools like email and spreadsheets to automated reporting and auditing. This means a NIST 800-53 audit with us can reduce time spent on assessments from weeks or months to days. 

Want to Learn More About NIST 800-53 Compliance with Lazarus Alliance?

Read more on our compliance and security auditing services, or contact us today to discover what we can provide your organization.