Delinea | Privileged Access Management Blog

NIST 800-53, Privileged Access Management & Least Privilege

Written by Tony Goulding | Aug 22, 2023 12:00:00 PM

The National Institute of Standards and Technology (NIST) Joint Task Force developed NIST 800-53 to provide standards and best practices for protecting the U.S. government’s sensitive information and individuals’ personal information from cyberattacks.

What is NIST 800-53?

NIST Special Publication 800-53 is a set of recommended cybersecurity and privacy controls for Federal information systems to help meet Federal Information Security Management Act (FISMA) requirements. FISMA establishes the legal framework for information security within Federal agencies. To achieve compliance with FISMA, NIST SP 800-53 provides guidelines that Federal agencies must follow.

Federal entities and contractors are subject to annual FISMA compliance audits. Non-compliance could lead to penalties, the loss of an ATO (Authority to Operate), and the potential to lose follow-on or incumbent contracts.

While those outside of the Federal government don’t need to comply with FISMA or meet NIST 800-53 guidelines (unless they seek government contracts), organizations of all types rely on NIST guidance to prioritize their cybersecurity roadmap and investments in cybersecurity solutions.

In this blog, you’ll learn the foundational cybersecurity requirements covered in NIST 800-53. You’ll get answers to commonly asked questions regarding NIST 800-53. And you’ll see how you can meet a core standard highlighted within NIST 800-53—least privilege access—using Privileged Access Management.

What’s the latest version of NIST 800-53 guidelines?

The most recent version of NIST 800-53 is Revision 5. As the first update in seven years, it's a significant step forward, providing cybersecurity guidance on the framework’s next generation. The difference between the latest revision and the previous version of NIST 800-53 is considerable. Rev 5 adds three new control families bringing the total to 20, 66 new base controls, 202 new control enhancements, and 131 new parameters to existing controls.

The major updates in Revision 5, the latest version of NIST 800-53 include:

  • Making the security and privacy controls more outcome-based. The previous Version 4 was organization-based, framing controls by responsibility and focusing on broader and longer-term effects on the organization. It attempted to prescribe a specific mechanism or entity for satisfying the controls. Revision 5 shifts towards "control objectives," describing the outcome of the control and focusing on measuring and evaluating results.

    For example, Privileged Access Management with Multi-Factor Authentication (MFA) for user accounts reduces unauthorized access. The outcome measured would be the reduction in successful unauthorized login attempts.

  • Fully integrating privacy controls into the security control catalog. Revision 5 creates a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls.

  • Separating the control selection process from the actual controls. By separating these two stages, organizations can ensure that their security controls, such as Privileged Access Management, MFA, and others, are tailored to their needs. Revision 5 allows for a more flexible and risk-based approach to security, enabling organizations to focus on controls that significantly impact their security posture and align with their unique risk appetite and business goals.

    Additionally, this approach facilitates periodic reviews and updates of security controls to adapt to evolving threats and changes in the organization's environment. This adaptation occurs without going through the entire control selection process again. It promotes agility and responsiveness in maintaining an effective cybersecurity posture.

In Revision 5, significant guidance and other informative material previously contained in NIST 800-53 was eliminated or moved. For example, the NIST transferred control baselines and tailoring guidance to a companion document, NIST SP 800-53B. These baselines provide predefined security controls tailored to system impact levels (low-, moderate-, and high-impact.)


NIST CSF risk framework for meeting NIST 800-53 guidelines

Executive Order (EO) 13800 requires U.S. Federal agencies to manage risk using the NIST Cyber Security Framework (CSF.) The CSF enables discussion about the various types of risk that might occur within Federal organizations. It promotes conversations about determining the likelihood and potential consequences of risk events.

NIST CSF provides a risk assessment framework to help you track your cybersecurity controls, such as least privilege and access management, and identify any gaps that could increase your risk posture. A NIST CSF assessment can help you rank your risks according to severity to prioritize your cybersecurity roadmap.

Before the latest revision of NIST 800-53, you might have used NIST SP 800-37 (for Federal systems) and NIST 800-39 (as a broad framework for all organizations) as risk management frameworks. The good news is that you don’t have to lose completed work. You can use NIST CSF with these and other frameworks.

What does NIST say about least privilege?

The Principle of Least Privilege is a fundamental cybersecurity concept in many NIST publications, including NIST 800-53. It ensures people have only the rights and permissions required to perform their roles and responsibilities to prevent unauthorized access, accidental damage from user errors, and malicious actions.

The Least Privilege Principle doesn’t apply solely to IT users. It extends to software and machine identities, ensuring applications, service accounts, APIs, and automated processes have the minimum necessary privileges.

With the Principle of Least Privilege, you:

  • Grant users the minimum level of access necessary for their job functions.
  • Restrict access to sensitive information and critical systems.
  • Segregate duties to maintain checks and balances.
  • Regularly review and update access privileges.

Adhering to the Principle of Least Privilege enhances overall security by reducing your attack surface.

NIST 800-53 addresses least privilege within the "Access Control" family of controls, including:

  1. AC-2 (Account Management): This control focuses on managing and controlling the creation, activation, modification, and termination of user accounts. It ensures that access rights and privileges are assigned based on the Principle of Least Privilege.

  2. AC-3 (Access Enforcement): This control focuses on enforcing access restrictions based on the Principles of Least Privilege and need-to-know. It ensures that access controls are actively applied and enforced to protect sensitive information and critical systems.

  3. AC-5 (Separation of Duties): This control promotes the segregation of duties by ensuring that no individual has sole control over critical activities. It prevents conflicts of interest and supports the Principle of Least Privilege by distributing responsibilities among multiple individuals.

  4. AC-6 (Least Privilege): This control explicitly addresses the Principle of Least Privilege. It requires organizations to grant users and processes only the rights necessary to accomplish their assigned tasks and responsibilities. Excessive or unnecessary privileges should be avoided.

How does PAM help meet NIST 800-53 requirements?

We’ve touched on the importance of Privileged Access Management for meeting NIST requirements, including least privilege. Next, we’ll get specific, so you can see how your PAM controls align with the guidelines and risk management framework so that you can incorporate them into your cybersecurity practices.

PAM focuses on managing and controlling access to privileged accounts, permissions, workstations, and servers

With PAM, the least privilege access controls described in NIST 800-53 are defined centrally and managed consistently at scale through automation. A core aspect of a least privilege methodology, PAM focuses on managing and controlling access to privileged accounts, permissions, workstations, and servers, to reduce the risk of unauthorized access, misuse, or abuse. In addition, PAM gives you the visibility and oversight to assess whether NIST-defined access policies are being followed and access controls are working as expected.

PAM solutions include an enterprise password vault as a secure repository for storing and managing privileged account credentials, such as a local administrator or root account password. The vault ensures sensitive credentials are protected, encrypted, and accessible only to authorized individuals on a need-to-know basis. It also rotates passwords on a scheduled basis and according to complexity rules to ensure high entropy and reduce the window of opportunity for cyber attackers.

Another critical aspect of PAM, in terms of meeting NIST requirements, is protecting unsanctioned access to workstations and servers. This involves software mechanisms at the operating system level that control and enforce login and privilege elevation policies.

With PAM, users don’t have standing, blanket privileges that always allow unlimited access to all systems. Instead, you can provide limited privileges for standard behavior and allow users to temporarily elevate their privileges to perform administrative tasks only when necessary.

Again, least privilege and PAM are essential NIST 800-53 components. Without them, any assessment you conduct to map to the NIST CSF framework will show significant gaps in your coverage and increase your risk scores.

What’s the difference between NIST 800-53 and ISO?

You may wonder: If I meet NIST 800-53 requirements, do I also meet ISO? Do I need to meet both?

While NIST 800-53 can help you achieve ISO 27001 compliance, it does not automatically mean you also meet ISO 27001. NIST 800-53 primarily targets U.S. Federal agencies and their contractors. ISO 27001 is an international standard providing a broader and more generic framework than NIST 800-53.

It requires additional efforts for requirements beyond technical controls, including organizational context, leadership commitment, risk assessment and treatment, dochttps://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docxumentation, training, internal audits, and continual improvement processes.

The good news is that meeting NIST 800-53 and using the NIST CSF framework provides a strong foundation for information security best practices. Focusing on NIST can help you meet the requirement of many other cybersecurity frameworks, including industry-specific compliance regulations.

Several NIST 800-53 security controls are aligned with the ISO/IEC 27001 Controls, as in the chart below. Note the number of security controls that reference least privilege and access control.

TABLE 1: MAPPING NIST SP 800-53, REVISION 5 TO ISO/IEC 27001:2022

NIST SP 800-53, REVISION 5 CONTROLS  ISO/IEC 27001:2022 REQUIREMENTS AND CONTROLS
Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control.
AC-1 Access Control Policy and Procedures 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.15, A.5.31, A.5.36, A.5.37
AC-2 Account Management     A.5.16, A.5.18, A.8.2
AC-3 Access Enforcement A.5.15, A.5.33*, A.8.3, A.8.4*, A.8.18, A.8.20, A.8.26
AC-4 Information Flow Enforcement A.5.14, A.8.22, A.8.23
AC-5 Separation of Duties A.5.3
AC-6 Least Privilege     A.5.15*, A.8.2, A.8.18
AC-7 Unsuccessful Logon Attempts A.8.5*
AC-8 System Use Notification A.8.5*
AC-9 Previous Logon Notification A.8.5*
AC-10 Concurrent Session Control None
AC-11 Device Lock A.7.7, A.8.1
AC-12 Session Termination     None
AC-13 Withdrawn ----
AC-14 Permitted Actions without Identification or Authentication None
AC-15 Withdrawn ----
AC-16 Security and Privacy Attributes                           None
AC-17 Remote Access A.5.14, A.6.7, A.8.1, 
AC-18 Wireless Access A.5.14, A.8.1, A.8.20
AC-19 Access Control for Mobile Devices A.5.14, A.7.9, A.8.1
AC-20 Use of External Systems A.5.14, A.7.9, A.8.20
AC-21 Information Sharing None
AC-22 Publicly Accessible Content None
AC-23 Data Mining Protection None
AC-24 Access Control Decisions A.8.3*
AC-25 Reference Monitor None
AT-1 Awareness and Training Policy and Procedures 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
AT-2 Literacy Training and Awareness 7.3, A.6.3, A.8.7*
AT-3 Role-Based Training A.6.3*
AT-4 Training Records None
AT-5 Withdrawn ----
AT-6 Training Feedback None
AU-1 Audit and Accountability Policy and Procedures 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
AU-2 Event Logging A.8.15
AU-3 Content of Audit Records A.8.15*
AU-4 Audit Log Storage Capacity A.8.6
AU-5 Response to Audit Logging Process Failures None
AU-6 Audit Record Review, Analysis, and Reporting A.5.25, A.6.8, A.8.15

More NIST publications you need to know

NIST 800-53 is just one of many publications developed by NIST to provide detailed information technology guidance, including other NIST Special Publications (SP), Federal Information Processing Standards (FIPS), NIST Internal Reports (NISTIR), and NIST Information Technology Laboratory (ITL) Bulletins.

Chances are, if you’re working on meeting NIST 800-53, you’ll also want to check out these additional publications.

You can access a complete list of NIST’s cybersecurity publications in the Computer Security Resource Center on NIST.gov.