NIST 800-53: Implementing Recommended Security Controls for Federal Information Systems and Organizations

One sure way to improve any organization’s information security is to adopt the National Institute of Standards and Technology’s security and privacy controls as outlined in its NIST special publication 800-53.

NIST 800-53 recommends policies and procedures for topics such as access control, business continuity, incident response, disaster recoverability and several more key areas, and is an ideal starting point for an InfoSec team who has a desire to improve their controls.

Real-world example:

In May 2017 a ransomware attack called “WannaCry” affected more than 300,000 computers according to White House homeland security adviser Tom Bossert. The malware installs malicious software that locks files on a computer then demands payment to unlock them. Even if the computer accesses the Internet via a proxy, WannaCry still executed. In a NIST 800-53 and NIST 800-171 certified operating environment, all systems would have already been patched to current and safe levels. The system components that this malware exploited would have been disabled when the system was set up, and the TCP/IP network ports that WannaCry used would have been blocked as a standard practice.

NIST 800-53 Revision 4 was motivated by the expanding threat and sophistication of cyber attacks and is the most comprehensive update since its initial publication in 2005. NIST 800-53 is the official security control list for the federal government, and it is a free resource for the private sector.

The publication itself states it well. “Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.”

“Build it” right and “Continuous Monitoring.”

This is the mantra of SP 800-53 rev 4. When you build your information system correctly, and continuously monitor, you significantly reduce your organization’s risk to its information assets. Your goals are “trust” and “assurance.” Design your information systems to be trustworthy, then use sound assurance practices to test, monitor, and correct.

Information security is not easy. Just ask credit giant Equifax, a big company with a big IT department. Equifax had their information systems breached between May and July of this year with the personal information of over 143 million people affected. Building a trustworthy information system using NIST 800-53 is not easy. There are times it will send you to other NIST publications to complete before moving on to the next portion of 800-53. Patience is vital.NIST 800-53 uses a “Risk Management Framework” methodology which implements and continuously monitors the information system from a risk perspective. It goes through the following cycle:

NIST 800-53 Risk Management Framework

You can complete step one by completing a traditional risk assessment, especially when applying NIST 800-53 to an existing system. In Step 2, the selection of appropriate controls can be made with an extensive catalog of pre-defined security controls, chosen based on the category of the system.

The following table shows the controls that need to be met depending on if you are a “low,” “medium,” or “high” organization.

The last few steps are a matter of implementation, testing, and monitoring. We could go over pages of information related to these topics, however, let’s touch on a couple not so obvious but crucial components.

Senior management commitment is critical.

Senior executives need to be entirely on board from the beginning and the commitment reinforced along the way. Without this, all the great ideas for new security procedures and policies waste away on your hard drive.

Be sure you invite Senior management to meetings and briefings with your experts regularly. Send them drafts ahead of time so they can be prepared to engage fully. It is worth the extra effort to keep them actively involved.

You may not be able to do everything; do as much as you can.

NIST 800-53 exhaustively outlines how to establish security controls based on your organization’s risk assessment, and to have any effect, those controls must be implemented, but creating procedures for which you have an insufficient workforce and resources can cause more harm than merely consulting with a subject matter expert about what your priorities should be.

Looking forward

On August 15th, 2017 The NIST released the public draft of Special Publication 800-53 Revision 5 which was open for public comment between then and September 12th.

The revision still applies only to federal systems, but one of the stated objectives of the revision is for the cybersecurity and privacy standards and guidelines to be accessible to non-federal and private organizations for use on their systems should they choose.

In the announcement for the draft revision, the NIST states that this revision:

Responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Nist Releases The Initial Public Draft Of Special

This revision is also a step in implementing OMB Circular A-130, issued by the Obama administration in July 2016. It requires that all federal agencies adopt a risk-based approach when managing information and networks. The Circular includes an appendix each on data security and on privacy protections which guides federal agencies on how to manage information resources and personally identifiable information (“PII”).  NIST SP 800-53 revision 5 is responsive to the requirements of the Circular, which includes integrating the Circular’s privacy requirements to associated controls within the publication.

Rich Banta

Rich Banta

Managing Member at Lifeline Data Centers
Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including: CISA – Certified Information Systems Auditor CRISC – Certified in Risk & Information Systems Management CDCE – Certified Data Center Expert CDCDP – Certified Data Center Design Professional