NIST: 800-53 Compliance Checklist

Written by David Worthington on April 17, 2023

Share This Article


NIST’s 800-53 guidance is commonly associated with federal IT systems, but any organization can (and probably should) use the institute’s guidance to ensure compliance by putting baseline security controls in place.

We developed a checklist with controls to secure user identities and their access to resources across an environment. Read on to learn about NIST SP 800-53 and use the checklist to prepare for compliance. 

What Is the NIST SP 800-53?

The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53) is a set of information security standards and controls for all U.S. federal IT systems except for those related to United States national security. NIST 800-53 covers the Risk Management Framework steps, including selecting a controls baseline and adapting those controls following risk assessment results. Some of the Control Families included in NIST 800-53 are access control, incident response, continuity, and disaster recovery. NIST develops and issues standards and guidelines to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA).

The NIST SP 800-53 is currently on its fifth revision and was last updated in September 2020. The security controls are broken up by low-impact, moderate-impact, and high-impact.

NIST: 800-53 Revision History

When revision three was implemented, it focused on a simplified, six-step risk management framework. It introduced security controls and enhancements for cyber threats. It also provided recommendations for prioritizing security controls during deployment.

Revision four was introduced in 2012 when technology was evolving rapidly. Key additions avoided insider threats, dealing with social networking, mobile devices, and cloud computing strategies.

In revision five, the term “federal” was removed to emphasize that all organizations should consider these controls. It also clarified the relationship between security and privacy to improve the selection of controls necessary to address modern security and privacy risks.

NIST: 800-53 Checklist

NIST 800-53 provides a comprehensive collection of security controls to protect the confidentiality, integrity, and availability (CIA) of information systems. Here’s a checklist to help you achieve compliance with the standard:

Identification and Access Management (IAM)

  • Develop an access control policy that defines access control requirements, roles, and responsibilities. This should follow the principle of least privilege where access is restricted to an as-needed basis; commonly, assigned by attributes or roles. A Zero Trust security strategy helps to ensure that users are who they present themselves to be.
    • Use multi-factor authentication (MFA) throughout your environment.
    • Monitor and audit user activity to detect and respond to unauthorized access.
    • Limit unsuccessful login attempts.
    • Disable unused accounts and ensure that you have a program in place for identity lifecycle management.
    • Implement separation of duties by making roles as granular as possible and strictly limiting access to “global admin” level accounts.
    • Use strong passphrases, backed by a password manager. Never use a built-in browser-based password manager. Consider migrating to modern authentication to eliminate passwords altogether by adopting certificates, hardware devices, or services that take advantage of Trusted Platform Modules (TPMs). Password aging can be a controversial topic with some vendors and security professionals suggesting that it weakens security by introducing bad password hygiene. However, NIST 800-53 recommends rotating passwords every 90 days.
  • Conduct periodic access reviews and consider using services that provide attestation for the results. That process will help to identify access that might be risky or inappropriate. Identities are your true perimeter whether your resources are cloud-based or not.

Network Security

Let’s preface this section by stating that small and medium-sized enterprises (SMEs) may not be able to afford, implement, or support advanced security systems. A real security operations center (SOC) constitutes a multimillion-dollar investment. It’s advisable to perform the basics well and avoid security tool sprawl, because signals could be dismissed or missed altogether.

Now, on to the NIST 800-53 checklist:

  • Develop and implement a formal system and communications protection policy. Policies are evidence of your commitment to compliance(s).
  • Implement firewalls (local and at the network perimeter).
  • Implement intrusion detection and prevention systems (IDS/IPS) and monitor all log activity using security information and event management (SIEM). Note: these are the systems we referred to above that may not be feasible for an SME to support.
  • Encrypt sensitive data in transit by using systems such as VPNs or software-defined WAN (SD-WAN) and Secure Access Service Edge (SASE) for remote access.
  • Implement secure configurations such as security baselines and restrict legacy protocols that aren’t necessary. Use the strongest protocol possible and enable MFA.
  • Monitor and log all network activity using a SIEM.
  • Restrict access to switches and other network devices.

Device Management

Devices are gateways to your resources. Consider this: Would you make investments in cybersecurity only to leave a gap where unmanaged devices can access your most valuable assets? Manage your devices with policies, patch management, and safeguard against malware.

  • Implement integrity checks on all software and firmware. We’d also recommend establishing a baseline device posture through policies across your fleet.
  • Monitor and log all system changes.
  • Develop and implement a maintenance policy for your devices.
  • Implement malware protection such as Extended Detection and Response (XDR) to detect malware-less attacks that exploit weaknesses in authentication and access control. These have become more common in cloud environments.
  • Implement software and firmware whitelisting/blacklisting; remove unnecessary software from your devices and have awareness of your software supply chain. Many SMEs may uncover shadow IT, where users have installed unauthorized apps to solve business problems. Always test software prior to its deployment.
  • Conduct regular vulnerability scans and patch everything. Remediations are a good solution (after considering the potential impacts) when a vendor patch isn’t handy.

A bonus tip from JumpCloud: Only buy hardware from legitimate vendors and be wary of secondhand or low-cost devices that may be counterfeit or possibly even compromised by bad actors.

Configuration Management

  • Establish configuration management procedures to ensure that all hardware and software have a secure baseline. You can reference industry or vendor benchmarks for help.
  • Implement a change control process to track and approve changes to system components. Monitor your systems for any unauthorized configuration changes.
  • Conduct periodic configuration audits.

Storage Media Protection

  • Develop and implement a media protection policy.
    • Consider blocking unknown USB devices, because rogue devices can impersonate legitimate hardware to breach your security.
  • Implement physical access controls to media. For instance, physical security controls such as combination locks can be deployed to restrict access to a server room.
  • Protect media during transport and storage. This is particularly important with backups, because some organizations fail to encrypt them.
  • Sanitize media before disposal.

Physical Security

  • Implement physical security controls to protect the system from unauthorized access, theft, or damage. Account for environmental hazards such as fires, floods, or tornados. For instance, don’t use a wet fire suppression system in a server room or place valuable infrastructure in a low-lying area that’s below the waterline.
  • Implement physical access controls to facilities.
    • Implement environmental controls such as appropriate HVAC. Note that a server room will usually require a dedicated HVAC system. Consider cloud providers to reduce your facility and operating budget costs.
    • Implement power backup and recovery systems such as generators or UPSs.
    • Conduct periodic physical security audits. For example, can someone who lacks an ID badge just walk right into your facilities and make it to the server room? You’d be surprised at the level of access that someone with a smiling face bearing a box of donuts can obtain.

Security Awareness Training

  • Develop a security awareness and training program for employees, contractors, and other stakeholders. There are many resources to accomplish this, including free tools. Commercial offers will oftentimes record when training is completed or simulate phishing attacks.
  • Ensure that the program includes policies and procedures for safeguarding sensitive information. That includes a clean desk policy and using laptop privacy screens.
  • Train employees on how to recognize and respond to security incidents and report them to the appropriate people. Consider adopting a no-blame reporting culture.

Auditing and Accountability

  • Implement audit and accountability controls to monitor and track system activity. Protect the integrity of those logs and limit access to unauthorized parties.
  • Collect, analyze, and retain audit logs per your retention requirements. NIST specifies a minimum 3-year period, per FISMA’s guidelines.

The IT Manager’s Guide to Data Compliance Hygiene

How to ace your audit

Risk Assessment

  • Conduct a risk assessment to identify and document potential risks for remediation or acceptance. That involves analyzing the potential impacts of those risks. Some remediations aren’t worth the cost; refer to appropriate risk management guidelines.
  • Regularly review and update your risk assessment.

Contingency/Disaster Recovery Planning

  • Create and implement a contingency plan to ensure that critical business functions can continue in the event of a disruption. Test the plan and conduct tabletop exercises. For instance, a satellite office can be designated as a “warm site” to continue operations.
  • Develop and maintain your plans.
  • Create a formal incident response plan. Several compliance standards, certain industries, and even some customers may require this to be in place.
    • Establish an incident response team and designate roles and responsibilities.
    • Conduct regular incident response exercises to test the plan and ensure readiness.
  • Perform a retrospective of all documented incidents and the actions taken in response.

Remember, this checklist is intended to help SMEs design operations and internal networks to meet NIST 800-53 compliance. The full report should be consulted when an organization moves into full compliance operations. Information security is a core business activity that requires organization-wide buy-in, on a continual basis.

Try JumpCloud for IAM

JumpCloud offers a comprehensive, cloud-based directory platform to secure user identities, resource access, and devices — which you can use to help you meet NIST compliance by managing access control and monitoring event activity across your environment. JumpCloud treats identities as the perimeter and devices as gateways. Learn more about using an open directory platform to secure your environment and achieve compliance.

Need more tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter