How Many Security Control Families Are in RMF

The NIST 800-53 standard offers solid guidance on how organizations should select and maintain customized security and privacy controls for their information systems. NIST SP 800-53 Revision 5 is one of many compliance documents you need to familiarize yourself with if you are working with information technology.

This post breaks it down for you into digestible pieces that emphasize the standard's practical meaning and application.

What is NIST 800-53?

NIST 800-53 is a security compliance standard created by the U.S. Department of Commerce and the National Institute of Standards and Technology in response to the rapidly developing technological capabilities of national adversaries. It compiles controls recommended by the Information Technology Laboratory (ITL).

NIST 800-53 is mandatory for all U.S. federal information systems except those related to national security, and is technology-neutral. However, its guidelines can be adopted by any organization operating an information system with sensitive or regulated data. It provides a catalog of privacy and security controls for protecting against a variety of threats, from natural disasters to hostile attacks.

The standard has evolved to integrate privacy and security controls and to promote integration with other cybersecurity and risk management approaches. In particular, it fits into the scope of the Federal Information Processing Standards (FIPS); FIPS requires that organizations implement a minimum baseline of security controls as defined in NIST 800-53. The NIST standard also helps organizations comply with the Federal Information Security Modernization Act (FISMA), which details security and privacy guidelines as part of administering federal programs.

As information infrastructure continues to expand and integrate, the need to build privacy and security into every application grows too, regardless of whether it is a federal or private system. With the comprehensive set of controls and guidelines in NIST 800-53, private organizations do not need to re-invent the wheel to maintain cybersecurity.

What is the goal of NIST 800-53?

The goal of the security and privacy standard is threefold:

  • To provide a comprehensive and flexible catalog of controls for current and future protection based on changing technology and threats
  • To develop a foundation for assessing techniques and processes for determining control effectiveness
  • To improve communication across organizations via a common lexicon for discussion of risk management concepts

The controls established by NIST Special Publication (SP) 800-53 are designed to improve risk management for any organization that processes, stores or transmits information.

Who must comply with NIST 800-53?

The standard is mandatory for federal information systems, organizations and agencies. Any organization that works with the federal government is also required to comply with NIST 800-53 to maintain the relationship.

However, the standard provides a solid framework for any organization to develop, maintain and improve its information security practices, including state, local and tribal governments and private companies, from SMBs to enterprises.

What are the benefits of NIST 800-53?

The most significant benefit of the standard is more secure information systems. Private organizations voluntarily comply with NIST 800-53 because its 18 control families help them meet the challenge of selecting the appropriate basic security controls, policies and procedures to protect information security and privacy.

In addition, it encourages you to analyze each security and privacy control you select to ensure its applicability to your infrastructure and environment. This customization process helps ensure not just security and compliance, but business success. It promotes consistent, cost-effective application of controls across your IT infrastructure.

Finally, following NIST 800-53 guidelines helps you build a solid foundation for compliance with other regulations and programs like HIPAA, DFARS, PCI DSS and GDPR.

What data does NIST SP 800-53 protect?

While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores and transmits. For example, one classification might be "protected"; this data could include customer names, birth dates and Social Security numbers.

NIST 800-53 Security Controls

NIST 800-53 offers a catalog of security and privacy controls and guidance for selection. Each organization should choose controls based on the protection requirements of its various content types. This requires a careful risk assessment and analysis of the impact of incidents on different data and information systems. FIPS 199 defines three impact levels:

  • Low — Loss would have a limited adverse impact.
  • Moderate — Loss would have a serious adverse impact.
  • High — Loss would have a severe or catastrophic adverse impact.

Security and Control Families

NIST 800-53 controls are organized into the following 20 families:

| ID | Family Name | Examples of Controls |
|----|-------------|----------------------|
| AC | Access Control | Account management and monitoring; least privilege; separation of duties |
| AT | Awareness and Training | User training on security threats; technical training for privileged users |
| AU | Audit and Accountability | Content of audit records; analysis and reporting; record retention |
| CA | Assessment, Authorization, and Monitoring | Connections to public networks and external systems; penetration testing |
| CM | Configuration Management | Authorized software policies; configuration change control |
| CP | Contingency Planning | Alternate processing and storage sites; business continuity strategies; testing |
| IA | Identification and Authentication | Authentication policies for users, devices and services; credential management |
| IP | Individual Participation | Consent and privacy authority |
| IR | Incident Response | Incident response training, monitoring and reporting |
| MA | Maintenance | System, personnel and tool maintenance |
| MP | Media Protection | Access, storage, transport, sanitization, and use of media |
| PA | Privacy Authorization | Collection, use and sharing of personally identifiable information (PII) |
| PE | Physical and Environmental Protection | Physical access; emergency power; fire protection; temperature control |
| PL | Planning | Social media and networking restrictions; defense-in-depth security architecture |
| PM | Program Management | Risk management strategy; insider threat program; enterprise architecture |
| PS | Personnel Security | Personnel screening, termination and transfer; external personnel; sanctions |
| RA | Risk Assessment | Risk assessment; vulnerability scanning; privacy impact assessment |
| SA | System and Services Acquisition | System development lifecycle; acquisition process; supply chain risk management |
| SC | System and Communications Protection | Application partitioning; boundary protection; cryptographic key management |
| SI | System and Information Integrity | Flaw remediation; system monitoring and alerting |

Tips for NIST 800-53 Compliance

The following best practices will help you select and implement appropriate security and privacy controls for NIST SP 800-53 compliance.

  • Identify your sensitive data. Find out what kind of data your organization deals with, where it is stored, and how it is received, maintained and transmitted. Sensitive data can be spread across multiple systems and applications; it is not necessarily only where you think it is.
  • Classify sensitive data. Categorize and label your information according to its value and sensitivity. Assign each information type an impact value (low, moderate or high) for each security objective (confidentiality, integrity and availability), and categorize it at the highest impact level. Consult FIPS 199 for appropriate security categories and impact levels that relate to your organizational goals, mission and business success. Automate discovery and classification to streamline the process and ensure consistent, reliable results.
  • Evaluate your current level of cybersecurity with a risk assessment. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
  • Document a plan to improve your policies and procedures. Select controls based on your specific business needs. The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. Document your plan and the rationale for each choice of control and policy.
  • Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
  • Make compliance an ongoing process. Once you have brought your system into compliance with NIST 800-53, maintain and improve your compliance with regular system audits, especially after a security incident.
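The FIPS 199 impact levels listed earlier and the "classify sensitive data" step above describe one concrete algorithm: rate each information type per security objective, take the highest rating per objective across all types (the high-water mark), and categorize the system at the highest of those. The following Python is an added example written for this post; it is not code from Netwrix or from NIST. The information types, their names and their ratings are constructed for illustration, and the "drivers" helper is a hypothetical addition that records which information types set each objective's level, which is the rationale the "document your plan" step asks you to keep.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of data the system handles, rated per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def impact_for(self, objective: str) -> Impact:
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        return getattr(self, objective)


def categorize_system(info_types):
    """Apply the FIPS 199 high-water mark.

    Returns (per_objective, overall): per_objective maps each objective to the
    highest impact any information type assigns it; overall is the highest of
    those three, which is the level at which the system is categorized.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {
        objective: max(t.impact_for(objective) for t in info_types)
        for objective in OBJECTIVES
    }
    overall = max(per_objective.values())
    return per_objective, overall


def categorization_drivers(info_types):
    """For each objective, name the information types that set its high-water mark.

    Hypothetical helper: this is the rationale to record when documenting the
    categorization decision, so a reviewer can see why the level is what it is.
    """
    per_objective, _ = categorize_system(info_types)
    return {
        objective: sorted(t.name for t in info_types if t.impact_for(objective) == level)
        for objective, level in per_objective.items()
    }


def security_category_string(info_types) -> str:
    """Render the result in the FIPS 199 notation,
    e.g. SC = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}."""
    per_objective, _ = categorize_system(info_types)
    parts = ", ".join(f"({obj}, {level.name})" for obj, level in per_objective.items())
    return "SC = {" + parts + "}"


# Constructed sample inventory; the names and ratings are illustrative, not from NIST.
SAMPLE_INVENTORY = [
    InformationType("public web content", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
    InformationType("customer PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("payment records", Impact.HIGH, Impact.HIGH, Impact.LOW),
]


if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_INVENTORY)
    print(security_category_string(SAMPLE_INVENTORY))
    print(f"overall categorization: {overall.name}")
    for objective, names in categorization_drivers(SAMPLE_INVENTORY).items():
        print(f"  {objective} driven by: {', '.join(names)}")
```

Note that the sample system lands at HIGH because of a single information type (payment records), while availability is set by a different type (public web content). Removing payment records from the inventory drops the whole system to MODERATE, which is why the inventory step comes before the categorization step: a data type you did not find cannot raise the high-water mark until it surfaces during an incident.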

Conclusion

All federal agencies and organizations must comply with NIST 800-53, and if you deal with them, you will need to be in compliance too. Compliance is not a requirement for organizations that do not do business with the federal government, but meeting the standard will help you establish a strong foundation for compliance with a broad range of other regulations, such as HIPAA and GDPR, so you won't need to re-invent the wheel each time.

FAQ

  1. What is the NIST 800 series?

The NIST 800 series is a set of documents that describe United States federal government policies, procedures and guidelines for information system security.

  2. What is NIST 800-53?

NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. It defines the minimum baseline of security controls required by the Federal Information Processing Standards (FIPS).

  3. What is the purpose of NIST 800-53?

NIST 800-53 helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA). It offers an all-encompassing catalog of controls to strengthen security and privacy.

  4. How many controls are outlined in NIST 800-53?

NIST 800-53 has 20 families of controls comprising over 1,000 separate controls. Each family is related to a specific topic, such as access control.

  5. What is the current version of NIST 800-53?

NIST 800-53 Revision 5 was published in September 2020.

  6. Who must comply with NIST 800-53?

NIST 800-53 is mandatory only for federal information systems across all agencies and organizations. However, the guidelines are very useful for state, local and tribal governments and private companies as well.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.


Source: https://blog.netwrix.com/2021/03/03/nist-800-53/
