Everything You Need to Know About NIST 800-53

The National Institute of Standards and Technology (NIST) sets the recommended security guidelines and controls for Federal information systems and organizations. The main goal of NIST is to identify a risk-based approach to protecting systems vital to the operations and continuous service of the government and supporting organizations.

NIST has an extensive database of publications that includes the Federal Information Processing Standards (FIPS), NIST Special Publications (SP), NIST Internal Reports (NISTIR), and NIST Information Technology Laboratory (ITL) Bulletins. You can access a complete list of NIST’s security publications in the Computer Security Resource Center on the NIST.gov website.

NIST Essentials: SP 800-53 and SP 800-37

The NIST Joint Task Force developed NIST 800-53, the special publication for the Security and Privacy Controls for Information Systems and Organizations, to provide guidelines and best practices for protecting the government’s sensitive information and individuals’ personal information from cyber attacks.

In combination, NIST introduced the draft Special Publication known as the (SP) 800-37 Revision 2 to provide a risk management framework for data privacy. This publication helps identify a risk-based approach for using and storing Personally Identifiable Information (PII). It includes information on how to improve privacy controls for diverse groups, including public and private sector organizations and individuals.

You can download the NIST 800-53 Revision 5 here.

NIST 800-53 is currently in Revision 5

The major updates in the latest version include:

• Making the security and privacy controls more outcome-based by changing the structure of the controls;
• Fully integrating the privacy controls into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
• Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest, including systems engineers, software developers, enterprise architects; and mission/business owners;
• Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cyber Security Framework;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and accountability.

NIST Risk Management Framework

The NIST risk management framework establishes a multi-tiered approach based on the scope of risk.

Tier 1 – The organization

Tier 2 – Mission-critical or business-critical processes

Tier 3 – Information systems

NIST outlines a six-step process to reduce risk, known as the Security Life Cycle.

Step 1 – CATAGORIZE Information Systems (FIPS 199/SP 800-60)

Step 2 – SELECT Security Controls (FIPS 200/SP 800-53)

Step 3 – IMPLEMENT Security Controls (SP 800-160)

Step 4 – ASSESS Security Controls (SP 800-53A)

Step 5 – AUTHORIZE Information Systems (SP 800-37)

Step 6 – MONITOR Security Controls (SP 800-137)

Security and privacy controls are organized by family, per the model below.

The Security Control Identifiers are broken down into the respective controls and families:

Each control is categorized according to impact level.

• Low impact
• Moderate impact
• High impact

NIST Trust Model

NIST 800-53 can help you determine the trustworthiness of IT systems and components, based on their ability to meet security requirements, including capabilities and functionality, and provide evidence for security assurance.

This trust-based model is growing in importance. It’s about establishing your risk threshold and determining how well systems and components meet your requirements. You can use this trust model as a guide to determine the level of access IT systems should have.

Because all risks aren’t equal, NIST provides guidance (based on the input from the Initial Security Control Impact Baseline) which enables you to tailor the security controls you adapt to meet your definition of acceptable risk.

You should follow the steps below when tailoring trust guidelines:

• Identifying and designating common controls
• Applying scoping considerations
• Selecting compensating controls
• Assigning security control parameter values
• Supplementing baseline security controls
• Providing additional specification information for Implementation

During this customization process, you should agree upon and maintain documentation of all security control decisions to ensure adequate security and auditability.

NIST Special Publication (SP) 800-207, NIST Zero Trust Architecture (ZTA)

 In the modern enterprise, many users and assets aren’t located within an enterprise-owned network. Therefore, organizations must discard the old model of “trust but verify,” which relied on well-defined boundaries, and move toward a zero trust goal. 

 NIST Special Publication (SP) 800-207, Zero Trust Architecture, defines zero trust and ZTA. It sets forth general deployment models, use cases where ZTA could improve an enterprise’s overall IT security posture, and a high-level roadmap to implementing a ZTA approach. 

 According to NIST, “zero trust refers to an evolving set of security paradigms that narrows defenses from wide network perimeters to individual or small groups of resources.” A zero trust strategy focuses on protecting resources, rather than network segments.  

 In a Zero Trust Architecture: 

• All data sources and computing services are considered resources
• All communication is secured regardless of network location
• Access to individual enterprise resources is granted on a per-session basis
• Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes
• The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible
• All resource authentication and authorization are dynamic and strictly enforced before access is allowed 
• The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture  

NIST and ISO  

Several of the NIST 800-53 security controls are aligned with the ISO/IEC 27001 Controls, as in the chart below.

NIST and Privileged Accounts

Protecting privileged accounts is crucial to meeting NIST requirements. NIST 800-53 guidelines reference privileged accounts in multiple security control identifiers and families. Privileged access management is a major area of importance when implementing security controls, managing accounts, and auditing.

Within NIST’s framework, the main area under access controls recommends using a least privilege approach in conjunction with least functionality. Least privilege is considered a high-impact security control. It requires giving users and systems only the minimum access needed to fulfill their role or function.

NIST provides examples of least privilege access control, as you can see in the chart below.

A Privileged Access Management (PAM) solution helps organizations that want to apply the NIST 800-53 security controls become more resilient to cyber attacks. PAM protects the government’s sensitive information and individuals’ Personally Identifiable Information from abuse.

To help you understand how to protect your privileged accounts, Delinea has developed the Privileged Access Management Life Cycle, a method that follows a logical path from the basic steps to a comprehensive approach to protecting and securing privileged access.

Privileged Access Management Life Cycle

DEFINE:

Define and classify privileged accounts. Every organization is different, so map out which of your important business functions rely on data, systems, and access. One approach is to reuse a disaster recovery plan that typically classifies important systems and specifies which need to be recovered first. Be sure to align your privileged accounts to your business risk and operations. 

Develop IT security policies that explicitly cover privileged accounts. Many organizations lack acceptable use and responsibilities for privileged accounts. Treat privileged accounts separately from standard accounts by clearly defining a privileged account and detailing acceptable use policies. Gain a working understanding of which systems and users have privileged accounts, and when those accounts are used. 

DISCOVER:

Discover your privileged accounts. Use PAM software to automatically and continuously identify privileged accounts in order to curb privileged account sprawl, identify potential insider abuse, and reveal external threats. Continuous discovery helps ensure full, ongoing visibility of your privileged account landscape, which is crucial to combatting cybersecurity threats. 

MANAGE & PROTECT:

Protect your privileged account passwords. Proactively manage, monitor, and control privileged account access with password protection software. Your solution should automatically discover and store privileged accounts; schedule password rotation; audit, analyze, and manage individual privileged session activity; and monitor password accounts to quickly detect and respond to malicious activity. 

Limit IT admin access to systems. Develop a least privilege strategy so that privileges are only granted when required and approved. Enforce least privilege on workstations by keeping standard users configured to a standard user profile and automatically elevating their privileges to run only approved and trusted applications. For IT administrators’ privileged account use, you should control access and implement super user privilege management to prevent attackers from running malicious applications, remote access tools, and commands. Least privilege and application control solutions enable seamless elevation of trusted applications while minimizing the risk of running unauthorized applications.

MONITOR:

Monitor and record sessions for privileged account activity. Your PAM solution should be able to monitor and record privileged account activity. Privileged session monitoring will help enforce proper behavior. If a breach does occur, monitoring privileged account use also helps digital forensics identify the root cause and identify critical controls that can be improved to reduce your risk of future cybersecurity threats. 

DETECT ABNORMAL USAGE:

Track and alert on user behavior. Gaining insights into privileged account access and user behavior is a top priority. Ensuring visibility into the access and activity of your privileged accounts in real-time will help spot potential account compromise and user abuse. Behavioral analytics focuses on key data points to establish baselines, including privileged user activity, password access, similar user behavior, and time of access to identify and alert on unusual or abnormal activity. 

RESPOND TO INCIDENTS:

Prepare an incident response plan in case a privileged account is compromised. When an account is breached, simply changing privileged account passwords or disabling the privileged account are possible mitigation strategies, but these aren’t sufficient to reduce all risks. Cybercriminals can create their own privileged accounts. If a domain administrator account gets compromised, for example, you should assume that your entire Active Directory is vulnerable. That means restoring your entire Active Directory, so the attacker can’t easily return.

REVIEW AND AUDIT:

Audit and analyze privilege account activity. Continuously observing how privileged accounts are used through audits will help identify unusual behaviors that may indicate a breach or privileged account misuse. These automated reports also help track the cause of security incidents, as well as demonstrate compliance with policies and regulations. Auditing privileged accounts will also give you cybersecurity metrics that provide executives with vital information to make more informed business decisions.

Are you NIST-compliant? 

Federal entities and contractors that serve the federal government are subject to annual compliance audits. Noncompliance with NIST could lead to penalties or the loss of an ATO (Authority to Operate) and the potential to lose follow-on or incumbent contracts.