NIST 800-53 Rev. 5: What it Is, and Why You Should Care

NIST, security and privacy controls

Later this year, the National Institute of Standards and Technology (NIST) will release Revision 5 of Special Publication SP 800-53, Security and Privacy Controls for Information Systems and Organizations, the catalog of recommended security and privacy controls for federal information systems. Federal agencies, their contractors and FedRAMP-authorized cloud providers will then have to update their systems and documentation before the new revision becomes the required baseline.

As the control catalog underpinning compliance with the Federal Information Security Management Act (FISMA), SP 800-53 applies directly to federal information systems (other than national security systems) and indirectly to non-federal organizations through derivative publications such as SP 800-171. In this article, we summarize what the publication contains and what the newest revision changes.

Establishing Security Controls

Any IT system needs a baseline set of security controls to prevent incidents and to respond properly when they occur. SP 800-53 is that baseline for the federal government: a catalog of controls developed and maintained by NIST's Information Technology Laboratory (ITL), with input from defense and intelligence community partners, and updated as threats and technology change.

The current edition (Rev. 4) of SP 800-53 contains 212 controls distributed across 18 control families, each designated by a two-letter identifier such as "AC" (Access Control), "IR" (Incident Response) and "CM" (Configuration Management). Controls are grouped into three baselines keyed to the system's FIPS 199 impact level (low, moderate or high), and each control is implemented in one of three ways:

  • Common – implemented once by the organization and inherited by many systems (for example, physical security of a data center)
  • System-specific – implemented for a single system or application
  • Hybrid – partly common, partly system-specific (for example, an organization-wide policy with a system-level procedure)

SP 800-53 is a valuable reference for designing a security program, and its controls serve as the basis for many other special publications and regulations. On its own, however, a catalog does not protect anything: the controls have to be selected, tailored, implemented and assessed through a risk management process, which is where the NIST Risk Management Framework (RMF) comes in.

The NIST RMF

SP 800-53 is the control catalog; the process for applying it is defined in the companion publication SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which describes the formal assessment and authorization process (formerly called certification and accreditation). The two are almost always used together.

The NIST RMF takes an organization through a comprehensive risk management cycle in six core steps (Revision 2 of SP 800-37, published in December 2018, adds a preliminary Prepare step ahead of these):

  1. Categorize – categorize the system and the information it processes according to the potential impact (per FIPS 199) of a loss of confidentiality, integrity or availability
  2. Select – select the SP 800-53 baseline that matches the impact level and tailor it to the system and its environment
  3. Implement – implement the selected controls and document in the System Security Plan how each one has been deployed
  4. Assess – assess whether the controls are implemented correctly, operating as intended and producing the desired outcome
  5. Authorize – have a senior official formally authorize the system to operate, accepting the residual risk to the organization, its assets, mission and personnel
  6. Monitor – monitor the controls and the system on an ongoing basis, record the results and report concerns to the appropriate organizational officials

Because of this methodological rigor, the NIST RMF gives organizations a defensible, repeatable way to determine risk, mitigate threats and demonstrate accountability to oversight bodies.

Who Does SP 800-53 Apply To?

SP 800-53 is directly binding only on federal agencies. However, it is the basis for many other programs, and anyone subject to those programs should treat it as required reading. This includes:

  • FedRAMP – Cloud Service Providers (CSPs) seeking or holding a FedRAMP authorization must implement SP 800-53 controls, as tailored by FedRAMP for each impact level, across their services and facilities
  • FISMA – since SP 800-53 is the control catalog behind FISMA, state agencies administering federal programs and any contractors operating systems on behalf of a federal agency will also have to comply
  • Defense Federal Acquisition Regulation Supplement (DFARS) – SP 800-171, which DFARS requires of defense contractors, derived its security requirements from the SP 800-53 moderate baseline and then tailored them to the specific goal of protecting controlled unclassified information (CUI). SP 800-53 therefore remains a useful reference for non-federal businesses subject to DFARS, and is increasingly used as a reference for non-federal security programs in general, for example as a baseline for protecting Industrial Control Systems (ICS) in some industries.

In general, it is safe to assume that if your organization does any business with the U.S. government, SP 800-53 or some portion of it will apply to the information systems used during the contract.

Changes in Revision 5

Because SP 800-53 applies to all U.S. agencies and their partners, compliance is not optional, and systems and documentation should be brought in line with each new revision within the transition period that follows its release.

Revision 5, to be released later this year, brings a new emphasis on privacy, an expanded control set and structural changes to the catalog:

  • Outcome-based controls – control statements no longer name the entity responsible (for example, "the organization" or "the information system"), so the same control text can be applied to any system, component or organization
  • Integrated privacy – privacy controls are merged into the main catalog alongside security controls, instead of being kept in a separate appendix, and the catalog is better aligned with the Cybersecurity Framework and risk management guidance
  • Control selection separated from the controls – the baselines and the guidance for selecting and tailoring controls are moved out of the catalog itself, so the catalog can be used by any community, not only federal agencies
  • New controls driven by threat intelligence – controls added in response to observed attack data, including supply chain and insider threats

Revision 5 will go into effect in 2020, a year from the date of its official release. In the meanwhile, preparing to comply will help your organization to be ready. To learn more about the latest version of SP 800-53, view the draft on NIST’s website.


Securicon Can Help

To become NIST 800-53 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

NIST 800-171: What it Is, and Why You Should Care

Since the end of 2017, any contractor working with the Department of Defense (DoD) and handling sensitive but unclassified information has been required to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The compliance deadline is long past for contractors that were already working with the DoD in 2017, but new businesses entering the defense supply chain often find the requirements of SP 800-171 confusing. In this article, we give you the rundown on this important requirement and why compliance is essential for any federal partner.

Supplement to the FAR Rules

Federal Acquisition Regulation (FAR) rules exist to keep agencies and their suppliers accountable when services or resources are procured with government dollars. FAR covers everything from the terms of the business relationship to the basic safeguarding of contractor information systems, and violating these rules is a serious matter.

Until a few years ago, FAR lagged behind the threat landscape on security. In 2016 that changed: FAR gained a basic safeguarding clause (FAR 52.204-21) for contractor systems, and the DoD finalized its own supplement to FAR, the Defense Federal Acquisition Regulation Supplement (DFARS), whose clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires defense contractors to implement the security requirements of NIST SP 800-171. SP 800-171 is thus the NIST publication that spells out the controls, and DFARS is the contract regulation that makes them binding on the contractor.

Protecting Controlled Unclassified Information (CUI)

With a narrower focus than FAR, DFARS sets strict rules for systems that handle sensitive information that does not merit a "classified" designation. Controlled unclassified information (CUI) is information the government creates or possesses, or that a contractor creates for it, which law, regulation or government-wide policy requires to be safeguarded or dissemination-controlled. In practice it is broad in scope: technical, scientific, financial and operational data exchanged in the course of a defense contract routinely qualifies.

In practice, this means that DFARS will apply to almost any non-federal organization working with the DoD in any context, unless otherwise specified, requiring them to implement a strict System Security Plan (SSP) for all systems handling CUI in the course of contract work.

An SSP written to satisfy DFARS must address requirements ranging from technical security controls to incident response and physical protection. In particular, organizations are expected to:

  • Implement rigorous access controls – system access requires suitably strong authentication (multifactor authentication for privileged and network access) along with role-based permissions that limit users to what their duties require.
  • Conduct risk and security assessments – organizations must periodically assess the risk to their systems and the effectiveness of their controls, and remediate the weaknesses they find, tracking open items in a Plan of Action and Milestones (POA&M).
  • Train personnel for compliance – an organization is responsible for training its own personnel, and anyone else using its systems, to follow security procedures and recognize risk.
  • Report incidents and be ready for assessment – the DoD takes DFARS compliance seriously. Contractors must report cyber incidents affecting CUI to the DoD within 72 hours of discovery, must be able to produce their SSP and supporting evidence on request, and face contractual consequences for misrepresenting their compliance.

Scope of Systems

Under DFARS, any system involved in the transmission or storage of CUI must be protected. This includes:

  • Email systems
  • File transfer services (FTP, SFTP and similar)
  • Content management platforms (CMPs)
  • Cloud-based storage
  • Project collaboration tools; and much more.

To comply with NIST SP 800-171, contractors must take inventory of any and all systems within their organization through which CUI will pass even once.

Understanding the Importance of DFARS

At first glance, the level of effort required to comply with DFARS may seem excessive. But today, it’s more important than ever for federal contractors to understand the value of information.

Export-controlled technical data governed by the International Traffic in Arms Regulations (ITAR) is itself a category of CUI, which means the same rules protect it as protect the military technology, arms and services whose export ITAR restricts. There is a good reason for this: over the past decade the U.S. has faced a steady barrage of cyberattacks from around the world targeting critical infrastructure, federal IT and the defense supply chain.

Capable adversaries are strategic: they use seemingly benign resources, including the systems of small suppliers, to gain footholds and to piece together intelligence that can undermine national security. Compliance with DFARS is one way to ensure that no cracks open in the supply chain that leave critical assets vulnerable.

Securicon Can Help

To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!