NIST’s 800-53 guidance is commonly associated with federal IT systems, but any organization can (and probably should) use the institute’s guidance to ensure compliance by putting baseline security controls in place.
We developed a checklist with controls to secure user identities and their access to resources across an environment. Read on to learn about NIST SP 800-53 and use the checklist to prepare for compliance.
The National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53) is a set of information security standards and controls for all U.S. federal IT systems except for those related to United States national security. NIST 800-53 covers the Risk Management Framework steps, including selecting a controls baseline and adapting those controls following risk assessment results. Some of the Control Families included in NIST 800-53 are access control, incident response, continuity, and disaster recovery. NIST develops and issues standards and guidelines to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA).
When revision three was implemented, it focused on a simplified, six-step risk management framework. It introduced security controls and enhancements for cyber threats. It also provided recommendations for prioritizing security controls during deployment.
Revision four was introduced in 2012, when technology was evolving rapidly. Key additions addressed insider threats, social networking, mobile devices, and cloud computing strategies.
In revision five, the term “federal” was removed to emphasize that all organizations should consider these controls. It also clarified the relationship between security and privacy to improve the selection of controls necessary to address modern security and privacy risks.
NIST 800-53 provides a comprehensive collection of security controls to protect the confidentiality, integrity, and availability (CIA) of information systems. Here’s a checklist to help you achieve compliance with the standard:
Let’s preface this section by stating that small and medium-sized enterprises (SMEs) may not be able to afford, implement, or support advanced security systems. A real security operations center (SOC) constitutes a multimillion-dollar investment. It’s advisable to perform the basics well and avoid security tool sprawl, because signals could be dismissed or missed altogether.
Now, on to the NIST 800-53 checklist:
Devices are gateways to your resources. Consider this: Would you make investments in cybersecurity only to leave a gap where unmanaged devices can access your most valuable assets? Manage your devices with policies and patch management, and safeguard them against malware.
> A bonus tip from JumpCloud: Only buy hardware from legitimate vendors and be wary of secondhand or low-cost devices that may be counterfeit or possibly even compromised by bad actors.
#### Configuration Management

- Establish configuration management procedures to ensure that all hardware and software have a secure baseline. You can reference industry or vendor benchmarks for help.
- Implement a change control process to track and approve changes to system components. Monitor your systems for any unauthorized configuration changes.
- Conduct periodic configuration audits.
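The three configuration management items above (a secure baseline, a change control process, and periodic audits) fit together in a single check. The following Python script is an added example, not code from the original page or from JumpCloud: it parses a constructed sshd_config-style file, compares it against a constructed baseline, and classifies each deviation as approved (it matches a change-control record) or unauthorized. The baseline values, the ticket id and the sample configuration are all constructed; a real baseline would come from the vendor or industry benchmark the checklist mentions.

```python
"""Configuration baseline drift check.

Added example, not code from the original page: compares a host's current
configuration against a secure baseline and classifies each deviation as
"approved" (matching a change-control record) or "unauthorized". The baseline
values, the change register and the sample sshd_config text are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: setting -> value the hardening benchmark expects.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed change-control register: (setting, approved value) -> ticket reference.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("MaxAuthTries", "6"): "CHG-0042",   # placeholder ticket id
}

# Constructed sample of what the host's sshd_config currently contains.
CURRENT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
# drifted from baseline, no change record:
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# drifted from baseline, covered by CHG-0042:
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None: setting absent, so the daemon default applies
    status: str             # "approved" or "unauthorized"


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines, ignoring blank lines and comment lines.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def audit(current: Dict[str, str],
          baseline: Dict[str, str] = BASELINE,
          approved: Dict[Tuple[str, str], str] = APPROVED_CHANGES) -> List[Finding]:
    """Report every baseline setting whose current value differs from the expected one."""
    findings: List[Finding] = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual == expected:
            continue
        status = "approved" if (setting, actual) in approved else "unauthorized"
        findings.append(Finding(setting, expected, actual, status))
    return findings


def unauthorized(findings: List[Finding]) -> List[Finding]:
    """The subset that should raise an alert: drift with no change-control record."""
    return [f for f in findings if f.status == "unauthorized"]


if __name__ == "__main__":
    for f in audit(parse_config(CURRENT_CONFIG)):
        print(f"{f.status:<12} {f.setting}: expected {f.expected!r}, found {f.actual!r}")
```

Run on the constructed input it reports three deviations: `PermitRootLogin yes` and the missing `LogLevel` as unauthorized, and `MaxAuthTries 6` as approved because the register contains a ticket for exactly that value. Scheduling the same comparison periodically is the "periodic configuration audit" item; running it on every change event is the "monitor for unauthorized changes" item.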
### Storage Media Protection

- Develop and implement a media protection policy.
  - Consider blocking unknown USB devices, because rogue devices can impersonate legitimate hardware to breach your security.
- Implement physical access controls to media. For instance, physical security controls such as combination locks can be deployed to restrict access to a server room.
- Protect media during transport and storage. This is particularly important with backups, because some organizations fail to encrypt them.
- Sanitize media before disposal.
### Physical Security

- Implement physical security controls to protect the system from unauthorized access, theft, or damage. Account for environmental hazards such as fires, floods, or tornadoes. For instance, don’t use a wet fire suppression system in a server room or place valuable infrastructure in a low-lying area that’s below the waterline.
- Implement physical access controls to facilities.
  - Implement environmental controls such as appropriate HVAC. Note that a server room will usually require a dedicated HVAC system. Consider cloud providers to reduce your facility and operating budget costs.
  - Implement power backup and recovery systems such as generators or UPSs.
  - Conduct periodic physical security audits. For example, can someone who lacks an ID badge just walk right into your facilities and make it to the server room? You’d be surprised at the level of access that someone with a smiling face bearing a box of donuts can obtain.
### Security Awareness Training

- Develop a security awareness and training program for employees, contractors, and other stakeholders. There are many resources to accomplish this, including free tools. Commercial offerings often record when training is completed or simulate phishing attacks.
- Ensure that the program includes policies and procedures for safeguarding sensitive information. That includes a clean desk policy and using laptop privacy screens.
- Train employees on how to recognize and respond to security incidents and report them to the appropriate people. Consider adopting a no-blame reporting culture.
### Auditing and Accountability

- Implement audit and accountability controls to monitor and track system activity. Protect the integrity of those logs and restrict access to them to authorized parties.
- Collect, analyze, and retain audit logs per your retention requirements. NIST specifies a minimum 3-year period, per FISMA’s guidelines.
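Protecting log integrity and enforcing a retention period are both mechanical checks, and the following Python script is an added example of each (it is not code from the original page or from JumpCloud). Every entry stores the SHA-256 of the previous entry's digest together with its own canonical JSON record, so editing, inserting or deleting an entry breaks verification from that point on; a second function reports which entries are older than the retention period. The events, their timestamps and the reference "now" are constructed; the three-year figure is the one the checklist cites.

```python
"""Tamper-evident audit log with a retention check.

Added example, not code from the original page: each entry stores the SHA-256
of the previous entry's digest plus its own JSON-serialised record, so any
edit, insertion or deletion in the middle of the log breaks verification from
that point on. Records, timestamps and REFERENCE_NOW are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

GENESIS = "0" * 64            # digest assumed for the (non-existent) entry before the first one
RETENTION_DAYS = 3 * 365      # the three-year minimum the checklist cites
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "today" for the demo


def _digest(prev_digest: str, record: Dict) -> str:
    """Hash the previous digest together with a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode("utf-8")).hexdigest()


def append(chain: List[Dict], record: Dict) -> List[Dict]:
    """Append a record, chaining it to the digest of the current last entry."""
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"record": record, "digest": _digest(prev, record)})
    return chain


def verify(chain: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _digest(prev, entry["record"]) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    return True, -1


def past_retention(chain: List[Dict], now: datetime,
                   retention_days: int = RETENTION_DAYS) -> List[int]:
    """Indices of entries older than the retention period, i.e. eligible for disposal."""
    cutoff = now - timedelta(days=retention_days)
    return [i for i, e in enumerate(chain)
            if datetime.fromisoformat(e["record"]["ts"]) < cutoff]


def sample_chain() -> List[Dict]:
    """Build a chain from constructed events."""
    chain: List[Dict] = []
    events = [
        {"ts": "2020-06-01T08:00:00+00:00", "user": "alice", "action": "login", "result": "success"},
        {"ts": "2022-03-01T09:15:00+00:00", "user": "bob", "action": "sudo", "result": "denied"},
        {"ts": "2023-11-20T17:42:00+00:00", "user": "alice", "action": "config_change", "result": "success"},
    ]
    for ev in events:
        append(chain, ev)
    return chain


def tampered_chain() -> List[Dict]:
    """Copy of the sample chain with one field silently edited after the fact."""
    chain = sample_chain()
    chain[1]["record"]["result"] = "success"   # a denied event rewritten as a success
    return chain


if __name__ == "__main__":
    print(verify(sample_chain()))                          # (True, -1)
    print(verify(tampered_chain()))                        # (False, 1)
    print(past_retention(sample_chain(), REFERENCE_NOW))   # [0]
```

The chain only proves that the log has not changed since the last digest you trust, so the most recent digest must be copied somewhere the log writer cannot modify (a write-once store or a separate account) for the check to mean anything; that is the "limit access" half of the control. Disposal should run `verify` first and delete only entries that `past_retention` returns, so that retention clean-up cannot be used to hide a tampered region.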