The NIST SP 800-53 is currently on its fifth revision and was last updated in September 2020. The security controls are broken up by low-impact, moderate-impact, and high-impact.<\/p>\n\n\n\n
NIST: 800-53 Revision History<\/h2>\n\n\n\n
When revision three was implemented, it focused on a simplified, six-step risk management framework. It introduced security controls and enhancements for cyber threats. It also provided recommendations for prioritizing security controls during deployment.<\/p>\n\n\n\n
Revision four was introduced in 2012 when technology was evolving rapidly. Key additions avoided insider threats, dealing with social networking, mobile devices, and cloud computing strategies.<\/p>\n\n\n\n
In revision five, the term \u201cfederal\u201d was removed to emphasize that all organizations should consider these controls. It also clarified the relationship between security and privacy to improve the selection of controls necessary to address modern security and privacy risks.<\/p>\n\n\n\n
NIST: 800-53 Checklist<\/h2>\n\n\n\n
NIST 800-53 provides a comprehensive collection of security controls to protect the confidentiality, integrity, and availability (CIA) of information systems. Here\u2019s a checklist to help you achieve compliance with the standard:<\/p>\n\n\n\n
Identification and Access Management (IAM)<\/h3>\n\n\n\n\n- Develop an access control policy that defines access control requirements, roles, and responsibilities. This should follow the principle of least privilege where access is restricted to an as-needed basis; commonly, assigned by attributes<\/a> or roles. A Zero Trust security strategy<\/a> helps to ensure that users are who they present themselves to be.\n
\n- Use multi-factor authentication<\/a> (MFA) throughout your environment.<\/li>\n\n\n\n
- Monitor and audit user activity to detect and respond to unauthorized access.<\/li>\n\n\n\n
- Limit unsuccessful login attempts.<\/li>\n\n\n\n
- Disable unused accounts and ensure that you have a program in place for identity lifecycle management<\/a>.<\/li>\n\n\n\n
- Implement separation of duties by making roles as granular as possible and strictly limiting access to \u201cglobal admin\u201d level accounts.<\/li>\n\n\n\n
- Use strong passphrases, backed by a password manager. Never use a built-in browser-based password manager. Consider migrating to modern authentication to eliminate passwords altogether<\/a> by adopting certificates, hardware devices, or services that take advantage of Trusted Platform Modules (TPMs). Password aging can be a controversial topic with some vendors and security professionals suggesting that it weakens<\/em> security by introducing bad password hygiene. However, NIST 800-53 recommends rotating passwords every 90 days.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Conduct periodic access reviews and consider using services that provide attestation for the results. That process will help to identify access that might be risky or inappropriate. Identities are your true perimeter whether your resources are cloud-based or not.<\/li>\n<\/ul>\n\n\n\n
Network Security<\/h3>\n\n\n\n
Let\u2019s preface this section by stating that small and medium-sized enterprises (SMEs) may not be able to afford, implement, or support advanced security systems. A real security operations center (SOC) constitutes a multimillion-dollar investment. It\u2019s advisable to perform the basics<\/a> well and avoid security tool sprawl<\/a>, because signals could be dismissed or missed altogether.<\/p>\n\n\n\nNow, on to the NIST 800-53 checklist:<\/p>\n\n\n\n
\n- Develop and implement a formal system and communications protection policy. Policies are evidence of your commitment to compliance(s).<\/li>\n\n\n\n
- Implement firewalls (local and at the network perimeter).<\/li>\n\n\n\n
- Implement intrusion detection and prevention systems (IDS\/IPS) and monitor all log activity using security information and event management (SIEM). Note: these are the systems we referred to above that may not be feasible for an SME to support.<\/em><\/li>\n\n\n\n
- Encrypt sensitive data in transit by using systems such as VPNs or software-defined WAN (SD-WAN) and Secure Access Service Edge (SASE) for remote access.<\/li>\n\n\n\n
- Implement secure configurations such as security baselines and restrict legacy protocols that aren\u2019t necessary. Use the strongest protocol possible and enable MFA.<\/li>\n\n\n\n
- Monitor and log all network activity using a SIEM.<\/li>\n\n\n\n
- Restrict access to switches and other network devices.<\/li>\n<\/ul>\n\n\n\n
Device Management<\/h3>\n\n\n\n
Devices are gateways to your resources. Consider this: Would you make investments in cybersecurity only to leave a gap where unmanaged devices can access your most valuable assets? Manage your devices with policies, patch management<\/a>, and safeguard against malware.<\/p>\n\n\n\n\n- Implement integrity checks on all software and firmware. We\u2019d also recommend establishing a baseline device posture through policies across your fleet.<\/li>\n\n\n\n
- Monitor and log all system changes.<\/li>\n\n\n\n
- Develop and implement a maintenance policy for your devices.<\/li>\n\n\n\n
- Implement malware protection such as Extended Detection and Response (XDR) to detect malware-less attacks that exploit weaknesses in authentication and access control. These have become more common in cloud environments.<\/li>\n\n\n\n
- Implement software and firmware whitelisting\/blacklisting; remove unnecessary software from your devices and have awareness of your software supply chain. Many SMEs may uncover shadow IT<\/a>, where users have installed unauthorized apps to solve business problems. Always test software prior to its deployment.<\/li>\n\n\n\n
- Conduct regular vulnerability scans and patch everything. Remediations are a good solution (after considering the potential impacts) when a vendor patch isn\u2019t handy.<\/li>\n<\/ul>\n\n\n\n
\nA bonus tip from JumpCloud: Only buy hardware from legitimate vendors and be wary of secondhand or low-cost devices that may be counterfeit or possibly even compromised by bad actors.<\/p>\n<\/blockquote>\n\n\n\n
Configuration Management<\/h4>\n\n\n\n\n- Establish configuration management procedures to ensure that all hardware and software have a secure baseline. You can reference industry or vendor benchmarks for help.<\/li>\n\n\n\n
- Implement a change control process to track and approve changes to system components. Monitor your systems for any unauthorized configuration changes.<\/li>\n\n\n\n
- Conduct periodic configuration audits.<\/li>\n<\/ul>\n\n\n\n
Storage Media Protection<\/h3>\n\n\n\n\n- Develop and implement a media protection policy.\n
\n- Consider blocking unknown USB devices, because rogue devices can impersonate legitimate hardware to breach your security.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Implement physical access controls to media. For instance, physical security controls such as combination locks can be deployed to restrict access to a server room.<\/li>\n\n\n\n
- Protect media during transport and storage. This is particularly important with backups, because some organizations fail to encrypt them.<\/li>\n\n\n\n
- Sanitize media before disposal.<\/li>\n<\/ul>\n\n\n\n
Physical Security<\/h3>\n\n\n\n\n- Implement physical security controls to protect the system from unauthorized access, theft, or damage. Account for environmental hazards such as fires, floods, or tornados. For instance, don\u2019t use a wet fire suppression system in a server room or place valuable infrastructure in a low-lying area that\u2019s below the waterline.<\/li>\n\n\n\n
- Implement physical access controls to facilities.\n
\n- Implement environmental controls such as appropriate HVAC. Note that a server room will usually require a dedicated HVAC system. Consider cloud providers to reduce your facility and operating budget costs<\/a>.<\/li>\n\n\n\n
- Implement power backup and recovery systems such as generators or UPSs.<\/li>\n\n\n\n
- Conduct periodic physical security audits. For example, can someone who lacks an ID badge just walk right into your facilities and make it to the server room? You\u2019d be surprised at the level of access that someone with a smiling face bearing a box of donuts can obtain.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Security Awareness Training<\/h3>\n\n\n\n\n- Develop a security awareness and training program for employees, contractors, and other stakeholders. There are many resources to accomplish this, including free tools<\/a>. Commercial offers will oftentimes record when training is completed or simulate phishing attacks.<\/li>\n\n\n\n
- Ensure that the program includes policies and procedures for safeguarding sensitive information. That includes a clean desk policy and using laptop privacy screens.<\/li>\n\n\n\n
- Train employees on how to recognize and respond to security incidents and report them to the appropriate people. Consider adopting a no-blame<\/a> reporting culture.<\/li>\n<\/ul>\n\n\n\n
Auditing and Accountability<\/h3>\n\n\n\n\n- Implement audit and accountability controls to monitor and track system activity. Protect the integrity of those logs and limit access to unauthorized parties.<\/li>\n\n\n\n
- Collect, analyze, and retain audit logs per your retention requirements. NIST specifies a minimum 3-year period, per FISMA\u2019s guidelines.<\/li>\n<\/ul>\n\n\n\n\n\n \n
![\"JumpCloud\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/02\/image-1-1-aspect-ratio-160-110-1.png\")
\n <\/div>\n \n \n The IT Manager\u2019s Guide to Data Compliance Hygiene <\/p>\n
\n How to ace your audit <\/p>\n <\/div>\n
\n Get the Guide <\/a>\n <\/div>\n<\/div>\n\n\n\n\nRisk Assessment<\/h4>\n\n\n\n\n- Conduct a risk assessment to identify and document potential risks for remediation or acceptance. That involves analyzing the potential impacts of those risks. Some remediations aren\u2019t worth the cost; refer to appropriate risk management guidelines.<\/li>\n\n\n\n
- Regularly review and update your risk assessment.<\/li>\n<\/ul>\n\n\n\n
Contingency\/Disaster Recovery Planning<\/h3>\n\n\n\n\n- Create and implement a contingency plan to ensure that critical business functions can continue in the event of a disruption. Test the plan and conduct tabletop exercises. For instance, a satellite office can be designated as a \u201cwarm site\u201d to continue operations.<\/li>\n\n\n\n
- Develop and maintain your plans.<\/li>\n\n\n\n
- Create a formal incident response plan. Several compliance standards, certain industries, and even some customers may require this to be in place.\n
\n- Establish an incident response team and designate roles and responsibilities.<\/li>\n\n\n\n
- Conduct regular incident response exercises to test the plan and ensure readiness.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Perform a retrospective of all documented incidents and the actions taken in response.<\/li>\n<\/ul>\n\n\n\n
Remember, this checklist is intended to help SMEs design operations and internal networks to meet NIST 800-53 compliance. The full report<\/a> should be consulted when an organization moves into full compliance operations. Information security is a core business activity that requires organization-wide buy-in, on a continual basis.<\/p>\n\n\n\nTry JumpCloud for IAM<\/h2>\n\n\n\n
JumpCloud offers a comprehensive, cloud-based directory platform to secure user identities, resource access, and devices \u2014 which you can use to help you meet NIST compliance<\/a> by managing access control and monitoring event activity across your environment. JumpCloud treats identities as the perimeter and devices as gateways. Learn more about using an open directory platform to secure your environment and achieve compliance<\/a>.<\/p>\n\n\n\n
- \n
- Use multi-factor authentication<\/a> (MFA) throughout your environment.<\/li>\n\n\n\n
- Monitor and audit user activity to detect and respond to unauthorized access.<\/li>\n\n\n\n
- Limit unsuccessful login attempts.<\/li>\n\n\n\n
- Disable unused accounts and ensure that you have a program in place for identity lifecycle management<\/a>.<\/li>\n\n\n\n
- Implement separation of duties by making roles as granular as possible and strictly limiting access to \u201cglobal admin\u201d level accounts.<\/li>\n\n\n\n
- Use strong passphrases, backed by a password manager. Never use a built-in browser-based password manager. Consider migrating to modern authentication to eliminate passwords altogether<\/a> by adopting certificates, hardware devices, or services that take advantage of Trusted Platform Modules (TPMs). Password aging can be a controversial topic with some vendors and security professionals suggesting that it weakens<\/em> security by introducing bad password hygiene. However, NIST 800-53 recommends rotating passwords every 90 days.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Conduct periodic access reviews and consider using services that provide attestation for the results. That process will help to identify access that might be risky or inappropriate. Identities are your true perimeter whether your resources are cloud-based or not.<\/li>\n<\/ul>\n\n\n\n
Network Security<\/h3>\n\n\n\n
Let\u2019s preface this section by stating that small and medium-sized enterprises (SMEs) may not be able to afford, implement, or support advanced security systems. A real security operations center (SOC) constitutes a multimillion-dollar investment. It\u2019s advisable to perform the basics<\/a> well and avoid security tool sprawl<\/a>, because signals could be dismissed or missed altogether.<\/p>\n\n\n\n
Now, on to the NIST 800-53 checklist:<\/p>\n\n\n\n
- \n
- Develop and implement a formal system and communications protection policy. Policies are evidence of your commitment to compliance(s).<\/li>\n\n\n\n
- Implement firewalls (local and at the network perimeter).<\/li>\n\n\n\n
- Implement intrusion detection and prevention systems (IDS\/IPS) and monitor all log activity using security information and event management (SIEM). Note: these are the systems we referred to above that may not be feasible for an SME to support.<\/em><\/li>\n\n\n\n
- Encrypt sensitive data in transit by using systems such as VPNs or software-defined WAN (SD-WAN) and Secure Access Service Edge (SASE) for remote access.<\/li>\n\n\n\n
- Implement secure configurations such as security baselines and restrict legacy protocols that aren\u2019t necessary. Use the strongest protocol possible and enable MFA.<\/li>\n\n\n\n
- Monitor and log all network activity using a SIEM.<\/li>\n\n\n\n
- Restrict access to switches and other network devices.<\/li>\n<\/ul>\n\n\n\n
Device Management<\/h3>\n\n\n\n
Devices are gateways to your resources. Consider this: Would you make investments in cybersecurity only to leave a gap where unmanaged devices can access your most valuable assets? Manage your devices with policies, patch management<\/a>, and safeguard against malware.<\/p>\n\n\n\n
- \n
- Implement integrity checks on all software and firmware. We\u2019d also recommend establishing a baseline device posture through policies across your fleet.<\/li>\n\n\n\n
- Monitor and log all system changes.<\/li>\n\n\n\n
- Develop and implement a maintenance policy for your devices.<\/li>\n\n\n\n
- Implement malware protection such as Extended Detection and Response (XDR) to detect malware-less attacks that exploit weaknesses in authentication and access control. These have become more common in cloud environments.<\/li>\n\n\n\n
- Implement software and firmware whitelisting\/blacklisting; remove unnecessary software from your devices and have awareness of your software supply chain. Many SMEs may uncover shadow IT<\/a>, where users have installed unauthorized apps to solve business problems. Always test software prior to its deployment.<\/li>\n\n\n\n
- Conduct regular vulnerability scans and patch everything. Remediations are a good solution (after considering the potential impacts) when a vendor patch isn\u2019t handy.<\/li>\n<\/ul>\n\n\n\n
\n
A bonus tip from JumpCloud: Only buy hardware from legitimate vendors and be wary of secondhand or low-cost devices that may be counterfeit or possibly even compromised by bad actors.<\/p>\n<\/blockquote>\n\n\n\n
Configuration Management<\/h4>\n\n\n\n
- \n
- Establish configuration management procedures to ensure that all hardware and software have a secure baseline. You can reference industry or vendor benchmarks for help.<\/li>\n\n\n\n
- Implement a change control process to track and approve changes to system components. Monitor your systems for any unauthorized configuration changes.<\/li>\n\n\n\n
- Conduct periodic configuration audits.<\/li>\n<\/ul>\n\n\n\n
Storage Media Protection<\/h3>\n\n\n\n
- \n
- Develop and implement a media protection policy.\n
- \n
- Consider blocking unknown USB devices, because rogue devices can impersonate legitimate hardware to breach your security.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Implement physical access controls to media. For instance, physical security controls such as combination locks can be deployed to restrict access to a server room.<\/li>\n\n\n\n
- Protect media during transport and storage. This is particularly important with backups, because some organizations fail to encrypt them.<\/li>\n\n\n\n
- Sanitize media before disposal.<\/li>\n<\/ul>\n\n\n\n
Physical Security<\/h3>\n\n\n\n
- \n
- Implement physical security controls to protect the system from unauthorized access, theft, or damage. Account for environmental hazards such as fires, floods, or tornados. For instance, don\u2019t use a wet fire suppression system in a server room or place valuable infrastructure in a low-lying area that\u2019s below the waterline.<\/li>\n\n\n\n
- Implement physical access controls to facilities.\n
- \n
- Implement environmental controls such as appropriate HVAC. Note that a server room will usually require a dedicated HVAC system. Consider cloud providers to reduce your facility and operating budget costs<\/a>.<\/li>\n\n\n\n
- Implement power backup and recovery systems such as generators or UPSs.<\/li>\n\n\n\n
- Conduct periodic physical security audits. For example, can someone who lacks an ID badge just walk right into your facilities and make it to the server room? You\u2019d be surprised at the level of access that someone with a smiling face bearing a box of donuts can obtain.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Security Awareness Training<\/h3>\n\n\n\n
- \n
- Develop a security awareness and training program for employees, contractors, and other stakeholders. There are many resources to accomplish this, including free tools<\/a>. Commercial offers will oftentimes record when training is completed or simulate phishing attacks.<\/li>\n\n\n\n
- Ensure that the program includes policies and procedures for safeguarding sensitive information. That includes a clean desk policy and using laptop privacy screens.<\/li>\n\n\n\n
- Train employees on how to recognize and respond to security incidents and report them to the appropriate people. Consider adopting a no-blame<\/a> reporting culture.<\/li>\n<\/ul>\n\n\n\n
Auditing and Accountability<\/h3>\n\n\n\n
- \n
- Implement audit and accountability controls to monitor and track system activity. Protect the integrity of those logs and limit access to unauthorized parties.<\/li>\n\n\n\n
- Collect, analyze, and retain audit logs per your retention requirements. NIST specifies a minimum 3-year period, per FISMA\u2019s guidelines.<\/li>\n<\/ul>\n\n\n\n\n\n\n\n <\/div>\n \n
\n The IT Manager\u2019s Guide to Data Compliance Hygiene <\/p>\n
\n How to ace your audit <\/p>\n <\/div>\n
\n Get the Guide <\/a>\n <\/div>\n<\/div>\n\n\n\n\nRisk Assessment<\/h4>\n\n\n\n
- \n
- Conduct a risk assessment to identify and document potential risks for remediation or acceptance. That involves analyzing the potential impacts of those risks. Some remediations aren\u2019t worth the cost; refer to appropriate risk management guidelines.<\/li>\n\n\n\n
- Regularly review and update your risk assessment.<\/li>\n<\/ul>\n\n\n\n
Contingency\/Disaster Recovery Planning<\/h3>\n\n\n\n
- \n
- Create and implement a contingency plan to ensure that critical business functions can continue in the event of a disruption. Test the plan and conduct tabletop exercises. For instance, a satellite office can be designated as a \u201cwarm site\u201d to continue operations.<\/li>\n\n\n\n
- Develop and maintain your plans.<\/li>\n\n\n\n
- Create a formal incident response plan. Several compliance standards, certain industries, and even some customers may require this to be in place.\n
- \n
- Establish an incident response team and designate roles and responsibilities.<\/li>\n\n\n\n
- Conduct regular incident response exercises to test the plan and ensure readiness.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Perform a retrospective of all documented incidents and the actions taken in response.<\/li>\n<\/ul>\n\n\n\n
Remember, this checklist is intended to help SMEs design operations and internal networks to meet NIST 800-53 compliance. The full report<\/a> should be consulted when an organization moves into full compliance operations. Information security is a core business activity that requires organization-wide buy-in, on a continual basis.<\/p>\n\n\n\n
Try JumpCloud for IAM<\/h2>\n\n\n\n
JumpCloud offers a comprehensive, cloud-based directory platform to secure user identities, resource access, and devices \u2014 which you can use to help you meet NIST compliance<\/a> by managing access control and monitoring event activity across your environment. JumpCloud treats identities as the perimeter and devices as gateways. Learn more about using an open directory platform to secure your environment and achieve compliance<\/a>.<\/p>\n\n\n\n
- Implement environmental controls such as appropriate HVAC. Note that a server room will usually require a dedicated HVAC system. Consider cloud providers to reduce your facility and operating budget costs<\/a>.<\/li>\n\n\n\n
- Develop and implement a media protection policy.\n
- Conduct regular vulnerability scans and patch everything. Remediations are a good solution (after considering the potential impacts) when a vendor patch isn\u2019t handy.<\/li>\n<\/ul>\n\n\n\n