Paula Hollingsworth, Senior Security Engineer
The National Institute of Standards and Technology (NIST) Special Publication SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a fundamental framework for federal cybersecurity compliance. It establishes recommended security controls to protect federal information systems, ensuring resilience against evolving cyber threats.
As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 applies directly to most federal agencies (excluding national security agencies) and indirectly to non-federal organizations via SP 800-171. In this article, we’ll outline key aspects of SP 800-53 and what organizations need to consider for compliance.
Establishing Security Controls
To maintain security, any IT system must observe basic security controls to prevent threat incidents and establish proper responses. On an ongoing basis, NIST compiles and documents controls recommended to it by research groups and joint task forces composed of members from the Department of Defense, the Office of National Intelligence, and industry leaders from third-party contractors.
SP 800-53 is very useful as reference material for designing security plans, and its controls are used as a basis for other special publications and regulations. However, to actually protect an organization, it must be implemented according to a Risk Management Framework (RMF).
The NIST RMF
SP 800-53 contains outlines for a standardized RMF. For this purpose, it is commonly used in conjunction with SP 800-37, Risk Management Framework for Federal Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which details the formal certification and accreditation process.
The NIST RMF guides organizations through a comprehensive risk management and response plan in seven (7) stages:
- Prepare – prepare all levels of your organization to manage its security and privacy risks
- Categorize – determine the category of information systems based on type of information processed and threat impact
- Select – select baseline security controls to mitigate risk
- Implement – implement and describe how the security controls have been deployed
- Assess – assess performance, correct implementation, and outcome of the security controls
- Authorize – authorize operation of the system based on its overall risk to an organization, its assets, mission, and personnel
- Monitor – monitor security controls on a regular basis and record performance, reporting concerns to appropriate organizational officials when necessary
Due to its methodological rigor, the NIST RMF gives organizations a high degree of precision in determining risk, mitigating threats, and maintaining accountability before regulatory bodies.
Who Does SP 800-53 Apply To?
SP 800-53 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be referred to by anyone to whom those programs apply. This includes:
- Cloud Service Providers (CSPs) authorized under a FedRAMP program are required to use SP 800-53 controls to secure their services and facilities
- State agencies and contractors partnered with the federal government who need to comply with FISMA requirements are required to meet SP 800-53 requirements.
- Defense Federal Acquisition Regulations (DFARS) – while SP 800-171 initially imported security controls from SP 800-53, the controls have since been adjusted to better protect Controlled Unclassified Information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS, and is being used more often as a reference for non-Federal security programs, such as to form a baseline for protection of Industrial Control Systems (ICS) in some industries.
In general, it is safe to assume that as an organization conducting any business with the U.S. government, SP 800-53 or some portion of it will apply to information systems used during the contract.
What to Know About Rev. 5
Because SP 800-53 applies to all U.S. agencies and government partners, it goes without saying that compliance is mandatory, and systems should be updated to reflect new revisions as soon as they are released.
Revision 5 brings a revised emphasis on privacy, expanded security controls and changes to control categories. New controls have been implemented that are outcome-based as opposed to impact-based. Privacy controls have been integrated into existing security controls for better integration into the risk management process, and new controls have been developed based on the latest threat intelligence. Two of the major changes seen in this version of SP 800-53 (Rev. 5) include:
- Two (2) new sets of controls, called control families, have been added:
  - Supply Chain Risk Management (SR) – these 12 additional controls focus on vendors and third-party providers of services and products and have applicability to low, moderate, and high baseline systems.
  - Personally Identifiable Information (PII) Processing and Transparency (PT) – these controls are considered overlay controls applicable only to those systems that process, store, access, or otherwise handle PII data. These controls have not been included in any low, moderate, or high baselines but can be chosen as needed.
- A total of 90 controls have been withdrawn from the prior version (Rev. 4) and either removed completely or incorporated into other existing controls.
The latest version of NIST SP 800-53 can be found here.
How can RMC help your organization?
Contact us today: sales@rmcglobal.com
Be sure to follow RMC on LinkedIn, and bookmark our News & Perspectives website to stay apprised of industry insights and topical advice on establishing cyber resiliency in OT environments.