what nist 800 53 control mapping to risk management framework

The NIST 800-53 standard offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems. NIST SP 800-53 Revision 5 is one of many compliance documents you need to familiarize yourself with if you are working with information technology.

This post breaks it down for you into digestible pieces that emphasize the standard's practical meaning and application.

What is NIST 800-53?

NIST 800-53 is a security compliance standard created by the U.S. Department of Commerce and the National Institute of Standards and Technology in response to the rapidly developing technological capabilities of national adversaries. It compiles controls recommended by the Information Technology Laboratory (ITL).

NIST 800-53 is mandatory for all U.S. federal information systems except those related to national security, and it is technology-neutral. However, its guidelines can be adopted by any organization operating an information system with sensitive or regulated information. It provides a catalog of privacy and security controls for protecting against a variety of threats, from natural disasters to hostile attacks.

The standard has evolved to integrate privacy and security controls and to promote integration with other cybersecurity and risk management approaches. In particular, it fits into the scope of the Federal Information Processing Standards (FIPS); FIPS requires that organizations implement a minimum baseline of security controls as defined in NIST 800-53. The NIST standard also helps organizations comply with the Federal Information Security Modernization Act (FISMA), which details security and privacy guidelines as part of administering federal programs.

As data infrastructure continues to expand and integrate, the need to build privacy and security into every application grows too, regardless of whether it is a federal or private system. With the comprehensive set of controls and guidelines in NIST 800-53, individual organizations do not need to re-invent the wheel to maintain cybersecurity.

What is the goal of NIST 800-53?

The goal of the security and privacy standard is threefold:

  • To provide a comprehensive and flexible catalog of controls for current and future protection based on changing technology and threats
  • To develop a foundation for assessing techniques and processes for determining control effectiveness
  • To improve communication across organizations via a common lexicon for discussion of risk management concepts

The controls established by NIST Special Publication (SP) 800-53 are designed to improve risk management for any organization or system that processes, stores or transmits information.

Who must comply with NIST 800-53?

The standard is mandatory for federal information systems, organizations and agencies. Any organization that works with the federal government is also required to comply with NIST 800-53 to maintain the relationship.

However, the standard provides a solid framework for any organization to develop, maintain and improve its information security practices, including state, local and tribal governments and private companies, from SMBs to enterprises.

What are the benefits of NIST 800-53?

The most significant benefit of the standard is more secure information systems. Private organizations voluntarily comply with NIST 800-53 because its 18 control families help them meet the challenge of selecting the appropriate basic security controls, policies and procedures to protect information security and privacy.

In addition, it encourages you to analyze each security and privacy control you select to ensure its applicability to your infrastructure and environment. This customization process helps ensure not just security and compliance, but business success. It promotes consistent, cost-effective application of controls across your IT infrastructure.

Finally, following NIST 800-53 guidelines helps you build a solid foundation for compliance with other regulations and programs like HIPAA, DFARS, PCI DSS and GDPR.

What data does NIST SP 800-53 protect?

While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores and transmits. For instance, one classification might be "protected"; this data could include customer names, birth dates and Social Security numbers.

NIST 800-53 Security Controls

NIST 800-53 offers a catalog of security and privacy controls and guidance for selecting them. Each organization should choose controls based on the protection requirements of its various content types. This requires a careful risk assessment and analysis of the impact of incidents on different data and information systems. FIPS 199 defines three impact levels:

  • Low — Loss would have a limited adverse impact.
  • Moderate — Loss would have a serious adverse impact.
  • High — Loss would have a catastrophic adverse impact.

Security and Control Families

NIST 800-53 controls are allocated into the following twenty families:

ID | Family Name | Examples of Controls
AC | Access Control | Account management and monitoring; least privilege; separation of duties
AT | Awareness and Training | User training on security threats; technical training for privileged users
AU | Audit and Accountability | Content of audit records; analysis and reporting; record retention
CA | Assessment, Authorization, and Monitoring | Connections to public networks and external systems; penetration testing
CM | Configuration Management | Authorized software policies; configuration change control
CP | Contingency Planning | Alternate processing and storage sites; business continuity strategies; testing
IA | Identification and Authentication | Authentication policies for users, devices and services; credential management
IP | Individual Participation | Consent and privacy authorization
IR | Incident Response | Incident response training, monitoring and reporting
MA | Maintenance | System, personnel and tool maintenance
MP | Media Protection | Access, storage, transport, sanitization, and use of media
PA | Privacy Authorization | Collection, use and sharing of personally identifiable information (PII)
PE | Physical and Environmental Protection | Physical access; emergency power; fire protection; temperature control
PL | Planning | Social media and networking restrictions; defense-in-depth security architecture
PM | Program Management | Risk management strategy; insider threat program; enterprise architecture
PS | Personnel Security | Personnel screening, termination and transfer; external personnel; sanctions
RA | Risk Assessment | Risk assessment; vulnerability scanning; privacy impact assessment
SA | System and Services Acquisition | System development lifecycle; acquisition process; supply chain risk management
SC | System and Communications Protection | Application partitioning; boundary protection; cryptographic key management
SI | System and Information Integrity | Flaw remediation; system monitoring and alerting

Tips for NIST 800-53 Compliance

The following best practices will help you select and implement appropriate security and privacy controls for NIST SP 800-53 compliance.

  • Identify your sensitive data. Find out what kind of information your organization deals with, where it is stored, and how it is received, maintained and transmitted. Sensitive information can be spread across multiple systems and applications; it is not necessarily only where you think it is.
  • Classify sensitive information. Categorize and label your information according to its value and sensitivity. Assign each information type an impact value (low, moderate or high) for each security objective (confidentiality, integrity and availability), and categorize it at the highest impact level. Consult FIPS 199 for appropriate security categories and impact levels that relate to your organizational goals, mission and business success. Automate discovery and classification to streamline the process and ensure consistent, reliable results.
  • Evaluate your current level of cybersecurity with a risk assessment. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
  • Document a plan to improve your policies and procedures. Select controls based on your specific business needs. The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. Document your plan and the rationale for each choice of control and policy.
  • Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
  • Make compliance an ongoing process. Once you have brought your organization into compliance with NIST 800-53, maintain and improve your compliance with regular system audits, especially after a security incident.
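The classification step above (an impact value per security objective, then categorization at the highest level) and the three FIPS 199 impact levels listed earlier can be carried out mechanically. The following Python is an added example, not code from the original post or from Netwrix; the HR system, its information types and all function names are hypothetical, and the NOT_APPLICABLE value follows FIPS 199, which permits it only for the confidentiality objective.

```python
"""FIPS 199 security categorization by the high-water mark (added example).

Each information type gets an impact value (LOW, MODERATE, HIGH) for each
security objective (confidentiality, integrity, availability). A system's
security category (SC) is the high-water mark: for each objective, the
highest impact of any information type the system handles; the overall
category is the highest impact across the three objectives.
"""
from enum import IntEnum


class Impact(IntEnum):
    # NOT_APPLICABLE is permitted by FIPS 199 only for confidentiality
    # (for example, information intended for public release).
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_impacts(name, impacts):
    """Reject a malformed impact assignment instead of silently categorizing it."""
    missing = [o for o in OBJECTIVES if o not in impacts]
    if missing:
        raise ValueError(f"{name}: no impact value for {', '.join(missing)}")
    for objective, level in impacts.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"{name}: unknown security objective {objective!r}")
        if Impact(level) is Impact.NOT_APPLICABLE and objective != "confidentiality":
            raise ValueError(f"{name}: NOT_APPLICABLE is only allowed for confidentiality")


def categorize_information_type(name, impacts):
    """Overall category of one information type: the highest of its C/I/A impacts."""
    validate_impacts(name, impacts)
    return max(Impact(impacts[o]) for o in OBJECTIVES)


def categorize_system(info_types):
    """Per-objective system category: high-water mark across all information types."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for name, impacts in info_types.items():
        validate_impacts(name, impacts)
    return {
        o: max(Impact(impacts[o]) for impacts in info_types.values())
        for o in OBJECTIVES
    }


def overall_category(per_objective):
    """Overall system category, which decides the minimum control baseline to select.

    Integrity and availability are always rated, so the result is never NOT_APPLICABLE.
    """
    return max(per_objective[o] for o in OBJECTIVES)


def format_sc(system_name, per_objective):
    """Render the category in the SC notation used by FIPS 199."""
    parts = ", ".join(
        f"({o}, {per_objective[o].name.replace('_', ' ')})" for o in OBJECTIVES
    )
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical HR system and the information it handles.
HR_SYSTEM = {
    "employee PII": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW,
    },
    "payroll records": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE,
    },
    "public job postings": {
        "confidentiality": Impact.NOT_APPLICABLE, "integrity": Impact.LOW, "availability": Impact.LOW,
    },
}


if __name__ == "__main__":
    sc = categorize_system(HR_SYSTEM)
    print(format_sc("HR system", sc))
    level = overall_category(sc)
    print(f"overall category: {level.name}; select at least the {level.name.lower()} baseline")
```

Running the block prints the per-objective category of the sample system and its overall level, which is HIGH here because payroll integrity is rated HIGH even though no single information type is HIGH across the board. Rating at the information-type level and aggregating per objective is what keeps one over-rated type from being hidden by lower ratings elsewhere.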

Conclusion

All federal agencies and organizations must comply with NIST 800-53, and if you deal with them, you will need to be in compliance as well. Compliance is not a requirement for organizations that do not do business with the federal government, but meeting the standard will help you establish a strong foundation for compliance with a broad range of other regulations, such as HIPAA and GDPR, so you won't need to re-invent the wheel each time.

FAQ

  1. What is the NIST 800 series?

The NIST 800 series is a set of documents that describe United States federal government policies, procedures and guidelines for information system security.

  2. What is NIST 800-53?

NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. It defines the minimum baseline of security controls required by the Federal Information Processing Standard (FIPS).

  3. What is the purpose of NIST 800-53?

NIST 800-53 helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA). It offers an extensive catalog of controls to strengthen security and privacy.

  4. How many controls are outlined in NIST 800-53?

NIST 800-53 has 20 families of controls comprising over 1,000 separate controls. Each family is related to a specific topic, such as access control.

  5. What is the current version of NIST 800-53?

NIST 800-53 Revision 5 was published in September 2020.

  6. Who must comply with NIST 800-53?

NIST 800-53 is mandatory only for federal information systems across all agencies and organizations. However, the guidelines are very useful for state, local and tribal governments and private companies as well.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.


Source: https://blog.netwrix.com/2021/03/03/nist-800-53/
