{"id":48313,"date":"2023-04-17T10:10:12","date_gmt":"2023-04-17T14:10:12","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=48313"},"modified":"2024-08-06T10:22:38","modified_gmt":"2024-08-06T14:22:38","slug":"nist-800-53-compliance-checklist","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/nist-800-53-compliance-checklist","title":{"rendered":"NIST: 800-53 Compliance Checklist"},"content":{"rendered":"\n
NIST\u2019s 800-53 guidance is commonly associated with federal IT systems, but any organization can (and probably should) use the institute\u2019s guidance to ensure compliance by putting baseline security controls in place.<\/p>\n\n\n\n
We developed a checklist with controls to secure user identities and their access to resources across an environment. Read on to learn about NIST SP 800-53 and use the checklist to prepare for compliance. <\/p>\n\n\n\n
The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53) is a set of information security standards and controls for all U.S. federal IT systems except those related to United States national security. NIST 800-53 covers the Risk Management Framework steps, including selecting a controls baseline and tailoring those controls based on risk assessment results. Some of the control families included in NIST 800-53 are access control, incident response, continuity, and disaster recovery. NIST develops and issues standards and guidelines to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA)<\/a>.<\/p>\n\n\n\n
NIST: 800-53 Revision History<\/h2>\n\n\n\n
NIST SP 800-53 is currently on its fifth revision and was last updated in September 2020. The security controls are grouped into low-impact, moderate-impact, and high-impact baselines.<\/p>\n\n\n\n
Revision three introduced a simplified, six-step risk management framework, added security controls and enhancements for cyber threats, and provided recommendations for prioritizing security controls during deployment.<\/p>\n\n\n\n
Revision four was introduced in 2012, when technology was evolving rapidly. Key additions addressed insider threats, social networking, mobile devices, and cloud computing strategies.<\/p>\n\n\n\n
In revision five, the term \u201cfederal\u201d was removed to emphasize that all organizations should consider these controls. It also clarified the relationship between security and privacy to improve the selection of controls needed to address modern security and privacy risks.<\/p>\n\n\n\n
NIST 800-53 provides a comprehensive collection of security controls to protect the confidentiality, integrity, and availability (CIA) of information systems. Here\u2019s a checklist to help you achieve compliance with the standard:<\/p>\n\n\n\n
NIST: 800-53 Checklist<\/h2>\n\n\n\n
Let\u2019s preface this section by stating that small and medium-sized enterprises (SMEs) may not be able to afford, implement, or support advanced security systems. A real security operations center (SOC) constitutes a multimillion-dollar investment. It\u2019s advisable to perform the basics<\/a> well and avoid security tool sprawl<\/a>, because signals could otherwise be dismissed or missed altogether.<\/p>\n\n\n\n
Now, on to the NIST 800-53 checklist:<\/p>\n\n\n\n
Identification and Access Management (IAM)<\/h3>\n\n\n\n
\n
\n
Network Security<\/h3>\n\n\n\n
\n
Device Management<\/h3>\n\n\n\n
Devices are gateways to your resources. Consider this: would you invest in cybersecurity only to leave a gap where unmanaged devices can access your most valuable assets? Manage your devices with policies and patch management<\/a>, and safeguard them against malware.<\/p>\n\n\n\n
A bonus tip from JumpCloud: only buy hardware from legitimate vendors, and be wary of secondhand or low-cost devices that may be counterfeit or even compromised by bad actors.<\/p>\n<\/blockquote>\n\n\n\n
\n
\n
Configuration Management<\/h4>\n\n\n\n
\n
Storage Media Protection<\/h3>\n\n\n\n
\n
\n
Physical Security<\/h3>\n\n\n\n
\n
\n
Security Awareness Training<\/h3>\n\n\n\n
\n
Auditing and Accountability<\/h3>\n\n\n\n
\n