Are you National Institute of Standards and Technology (NIST) 800-53 compliant?
By Amardip Deshpande – CloudGuard, Research Team, published January 13, 2023
Although we are in the cloud age, almost all companies run workloads in the cloud, and most are aware that cyber-attacks and cyber-crime are increasing day by day, not all of these organizations are able to cope with information security and privacy. Many of them also lack the cybersecurity expertise to build their own security team, processes, and systems to protect, secure, and monitor all the assets in their infrastructure.
That is why we have frameworks and standards to follow, so that we can say we are “compliant” with a particular framework. The framework we will be discussing in this blog is NIST, and specifically NIST 800-53 rev5.
So, what is NIST, and what is NIST 800-53?
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Commerce Department. It is responsible for developing and enabling information security standards and guidelines across federal agencies. NIST publishes the Framework for Improving Critical Infrastructure for organizations of various levels. NIST has standards for many fields; here we will focus on the NIST cybersecurity framework and specifically NIST Special Publication 800-53 revision 5 (NIST SP 800-53 rev5).
The Special Publication 800-53 series provides research, guidelines, and outreach efforts in information systems security and privacy. As per NIST, revision 5 of SP 800-53 places more emphasis on privacy and security aspects. It takes a layered approach to developing the security and privacy controls needed to strengthen and support the federal government and every sector of critical infrastructure.
Why NIST 800-53 rev 5?
The main goals of the development of rev5 of NIST 800-53 are as follows:
- Providing a comprehensive and flexible collection of controls for current and future protection, based on changing technology and threats
- Helping organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others
- Improving communication among organizations by providing a common guideline that supports the discussion of security, privacy, and risk management concepts
Beyond these goals, any private organization can also adopt the framework, using its broad range of privacy and security control families to protect the privacy and security of its information.
Who should be compliant with NIST 800-53?
The NIST 800-53 standard is mandatory for all federal information systems, organizations, and agencies in the USA. Any organization that works with the federal government is also required to comply with NIST 800-53 to maintain that relationship.
However, because the framework provides solid guidelines for implementing, improving, and maintaining security and privacy best practices, it can also be used by commercial entities, including industry partners that produce component products and systems or create security and privacy technologies.
Even if you are not required to comply with NIST, anyone operating in the public cloud should maintain a level of compliance with a framework relevant to their business requirements. NIST can help to deter account takeovers and data breaches, which often occur because of a lack of visibility into misconfigurations.
The Controls
NIST 800-53 rev5 offers almost 300 privacy and security controls distributed among 20 different control families. The controls are designed to achieve a consistent level of protection and strengthen integrity across federal information systems. Below are the 20 families of controls:
| ID | Control family | Summary |
|----|----------------|---------|
| AC | Access Control | Access management, account management, system privileges. |
| AT | Awareness and Training | User training on security threats, training for privileged users. |
| AU | Audit and Accountability | Audit policies and procedures, audit logging, audit report generation, and protection of audit information. |
| CA | Assessment, Authorization, and Monitoring | Execution of security assessments, authorizations, continuous monitoring, and system interconnections. |
| CM | Configuration Management | Changes to information systems, component inventories, and security impact analysis control. |
| CP | Contingency Planning | Contingency plan testing, updating, training, and backups, and system reconstitution. |
| IA | Identification and Authentication | Identification and authentication of organizational and non-organizational users. |
| IR | Incident Response | Incident response training, testing, monitoring, reporting, and response plan. |
| MA | Maintenance | Maintaining organizational systems and the tools used. |
| MP | Media Protection | Access, marking, storage, transport policies, sanitization, and defined organizational media use. |
| PE | Physical and Environmental Protection | Physical access authorizations, monitoring, visitor records, power, lighting, fire protection, and water damage protection. |
| PL | Planning | Security and privacy plans for the system, social media use, networking restrictions. |
| PM | Program Management | Infrastructure plan, information security program plan, risk management strategy, and enterprise architecture. |
| PS | Personnel Security | Personnel screening, termination and transfer, access agreements, sanctions. |
| PT | Personally Identifiable Information Processing and Transparency | Personally identifiable information across the information life cycle. |
| RA | Risk Assessment | Security categorization, risk assessment, scanning vulnerabilities. |
| SA | System and Services Acquisition | System documentation controls, development configuration management controls, and developer security testing and evaluation controls. |
| SC | System and Communications Protection | Boundary protection, protection of information at rest, cryptographic protection, denial of service protection. |
| SI | System and Information Integrity | Malicious code protection, system monitoring, security alerts, software and firmware integrity, and spam protection. |
| SR | Supply Chain Risk Management | Supply chain risk management, process, tools, and methods. |
Table 1: The Controls
Are you compliant?
Basically, when we talk about frameworks or standards, it all comes down to being compliant with them. Now that we know about NIST and its controls, it is time to check whether we are compliant.
Simply onboard your cloud environment to Check Point CloudGuard to find out how compliant your environment is with NIST 800-53 rev5.
Check out the image below, which reflects one of the assessment results on an AWS environment.
You can easily check the compliance score, the severity, the types of entities checked, and their compliance status.
You can go further and check which rules are failing, which entities are noncompliant, and their remediation steps in order to achieve compliance:
Tips and tricks
Here are some tips and tricks you can follow to simplify and understand adherence to the NIST 800-53 rev5 framework.
- Create organization-wide policies and procedures for security and privacy best practices.
- Categorize your data – Sensitive, non-sensitive, public, etc.
- Develop and maintain processes to manage assets, user privileges, network access, etc.
- Train all users/employees on the organization’s policies and procedures and spread awareness of them.
- Finally, make sure you are working towards achieving compliance at all times.
Summary
NIST describes United States federal government policies, procedures, and guidelines for information system security. NIST 800-53 rev5 explains the need for, and gives guidelines on, implementing, maintaining, and improving information security and privacy. NIST 800-53 rev5 has almost 300 controls spread across 20 families, from which organizations can select depending on their nature. Even though NIST compliance is mandatory for federal offices, any government or private organization can benefit from this framework.
With Check Point CloudGuard, you are able to comply with such standards in an easier and more straightforward manner.
For a free cloud security assessment including NIST 800-53 rev5, please click here.