Although NIST’s SP 800-53 guidance was originally written for federal IT systems, any organization can (and probably should) use it to select and implement proper security controls and to demonstrate compliance.
We developed a checklist with controls to secure user identities and their access to resources across an environment. Read on to learn about NIST SP 800-53 and use the checklist to prepare for compliance.
What is NIST SP 800-53?
The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53) is a catalog of security and privacy controls for information systems. Earlier revisions applied to all U.S. federal IT systems except national security systems; revision five is written for any organization. SP 800-53 is the control catalog used within the Risk Management Framework (described in NIST SP 800-37), in which an organization selects a control baseline and then tailors those controls based on the results of its risk assessment. The catalog is organized into control families, including Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), Incident Response (IR), and Contingency Planning (CP), the last of which covers business continuity and disaster recovery. NIST develops these standards and guidelines to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA).
NIST SP 800-53 is currently on its fifth revision, published in September 2020 after a lengthy delay; the initial public draft of revision five had been released in August 2017. The wait was due to disagreement between the Office of Information and Regulatory Affairs (OIRA) and other U.S. agencies. Control baselines for low-impact, moderate-impact, and high-impact systems are published alongside the catalog (for revision five, in the companion document SP 800-53B).
Revision three (2009) aligned the catalog with the simplified, six-step Risk Management Framework (categorize, select, implement, assess, authorize, monitor). It added security controls and enhancements for cyber threats and provided recommendations for prioritizing controls during deployment.
Revision four, drafted in 2012 and finalized in 2013, arrived as organizations were rapidly expanding their use of technology. Its key additions addressed insider threats, social networking, mobile devices, and cloud computing.
In revision five, the word “federal” was removed from the title to emphasize that all organizations should consider these controls. It also clarified the relationship between security and privacy so that organizations can select the controls needed to address modern security and privacy risks together.
NIST 800-53 Compliance Checklist
There are four key steps when preparing for NIST 800-53 compliance. Although the list of compliance measures is long and exhaustive, these steps will put your organization on the right track when starting to plan for the process.
1. Discover & Clarify Sensitive Data
The first step an organization must take when developing a plan for NIST 800-53 compliance is to take an in-depth look at the sensitive data in its network and cloud applications. Without an inventory of what sensitive data it holds and where that data lives, an IT team cannot scope the controls it needs, and in a breach it would not know where to begin looking.
2. Map Data & Permissions
As part of discovering and clarifying sensitive data, organizations must map where their data lives (internal servers, cloud services, etc.) and which accounts have access to it. During this mapping, organizations should reduce the number of accounts with access to sensitive data to what each role actually needs (least privilege, control AC-6), which limits the damage a single compromised account can do.
3. Manage Access Control
Managing access control isn’t just about understanding who can access sensitive data, but also how and where they can access it. Organizations should require multi-factor authentication (MFA) when users log into critical services; if a user’s password is compromised, the additional factor gives the organization another layer of defense (control IA-2 and its enhancements call for multifactor authentication for organizational users, and phishing-resistant factors such as hardware keys are preferable to SMS codes). Remote access to internal servers should go through a VPN or an equivalent authenticated, encrypted gateway (AC-17, Remote Access), so that traffic is encrypted in transit and internal services do not have to be exposed to the public internet.
4. Monitor Data, Files, & Activity
An organization in compliance with NIST 800-53 should implement systems that monitor company data, critical files, and user activity across the network (the Audit and Accountability (AU) and System and Information Integrity (SI) families, in particular AU-6 audit review and SI-4 system monitoring). Detection logic should catch anomalies such as a login from a country the user has never logged in from before, or a sudden bulk transfer of data out of a company location. Alerts should reach the IT or security team so that action can be taken to contain the issue.
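To make steps 2 through 4 concrete, the script below is an added example (not code from the original post and not a JumpCloud product feature) that runs a simple access review and activity check over constructed sample data. The resource names, accounts, MFA roster, login-country baseline, audit events, and the one-gigabyte-per-hour threshold are all assumptions made for illustration; a real deployment would pull these from the directory and the audit log.

```python
"""Added example: access review and anomaly checks over constructed data.

Illustrates checklist steps 2-4: map who can reach sensitive data, find
accounts that reach it without MFA, flag logins from unseen countries and
bulk downloads.  Every dataset below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Step 2 (assumed data): sensitive resource -> accounts permitted to access it.
SENSITIVE_RESOURCES = {
    "hr-share": {"alice", "bob", "carol", "svc-backup"},
    "finance-db": {"alice", "dave"},
}

# Step 3 (assumed data): accounts with MFA enrolled.
MFA_ENROLLED = {"alice", "dave", "svc-backup"}

# Step 4 (assumed data): countries each user has historically logged in from.
LOGIN_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

# Step 4 (constructed audit events): (timestamp, user, event, country, bytes).
EVENTS = [
    ("2024-03-01T08:02:00", "alice", "login", "US", 0),
    ("2024-03-01T08:10:00", "alice", "download", "US", 5_000_000),
    ("2024-03-01T09:00:00", "bob", "login", "US", 0),
    ("2024-03-01T09:30:00", "bob", "login", "RU", 0),  # country never seen for bob
    ("2024-03-01T09:45:00", "bob", "download", "RU", 2_000_000_000),
    ("2024-03-01T10:00:00", "carol", "download", "US", 900_000_000),
    ("2024-03-01T10:05:00", "carol", "download", "US", 900_000_000),
]


def accounts_without_mfa(resources, mfa_enrolled):
    """Accounts that can reach any sensitive resource but have no MFA enrolled."""
    privileged = set().union(*resources.values())
    return sorted(privileged - mfa_enrolled)


def new_country_logins(events, baseline):
    """Logins from a country that is not in the user's established baseline."""
    findings = []
    for ts, user, kind, country, _ in events:
        if kind == "login" and country not in baseline.get(user, set()):
            findings.append((ts, user, country))
    return findings


def bulk_downloads(events, threshold_bytes, window):
    """Users whose downloaded bytes within any sliding `window` exceed the threshold."""
    by_user = defaultdict(list)
    for ts, user, kind, _, nbytes in events:
        if kind == "download":
            by_user[user].append((datetime.fromisoformat(ts), nbytes))
    flagged = []
    for user, items in by_user.items():
        items.sort()
        start, total = 0, 0
        for t, n in items:
            total += n
            # Drop events that fell out of the window ending at t.
            while t - items[start][0] > window:
                total -= items[start][1]
                start += 1
            if total > threshold_bytes:
                flagged.append(user)
                break
    return sorted(flagged)


def review(resources=SENSITIVE_RESOURCES, mfa=MFA_ENROLLED, events=EVENTS,
           baseline=LOGIN_BASELINE, threshold=1_000_000_000,
           window=timedelta(hours=1)):
    """Run all checks and return the findings an alert pipeline would emit."""
    return {
        "no_mfa_with_sensitive_access": accounts_without_mfa(resources, mfa),
        "new_country_logins": new_country_logins(events, baseline),
        "bulk_downloads": bulk_downloads(events, threshold, window),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

Note that `carol` is flagged for bulk download even though no single transfer crossed the threshold: the sliding window catches a series of moderate transfers that add up, which is how a careful exfiltration attempt usually looks. Thresholds and baselines should be tuned per environment; the values here are placeholders.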
This checklist is only a starting point for designing operations and internal networks to meet NIST 800-53. The full publication should be consulted when an organization moves into full compliance operations, as it is quite exhaustive. The critical thing to remember is that information security requires the entire company’s attention so that company data is protected at all times. To learn more about NIST recommendations, read this blog on the institute’s memorized secrets guidelines.
JumpCloud also offers a comprehensive, cloud-based directory platform to secure user identities, resource access, and devices — which you can use to help you meet NIST compliance by locking down access control and monitoring event activity across your environment. Learn more about using a cloud directory platform to secure your environment and achieve compliance.