The National Institute of Standards and Technology (NIST), a non-regulatory agency within the US Department of Commerce, publishes the standards and guidelines that federal agencies must follow to secure their information systems. NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations", is the catalog of those security and privacy controls.
The controls in NIST 800-53 apply to all federal information and information systems other than national security systems, which are governed under a separate framework. The legal obligation comes from the Federal Information Security Modernization Act (FISMA) and FIPS 200, which require agencies to select and implement controls from the 800-53 catalog; the catalog itself, however, is written generically and can be applied to any environment that wants a structured baseline of protections.
Although the controls fall into many categories, the overall aim of the standard is to make an information system secure and resilient against attack, and to give an agency a defensible, auditable basis for claiming that it is.
The catalog is organized in two ways. Controls are grouped into families by subject (Revision 5 defines 20 of them, such as Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection), and they are assembled into three baselines, low, moderate, and high, that an agency selects according to the FIPS 199 impact level assigned to the system. Note that the middle baseline is "moderate", not "medium"; the terms are not interchangeable in NIST documents.
For federal agencies, implementing the NIST 800-53 controls is not optional: it is how FISMA compliance is demonstrated. External contractors and other organizations that handle federal data are not always bound by 800-53 directly, but contractors who operate a system on an agency's behalf inherit the requirement through their contract, and those that process controlled unclassified information on their own systems are usually pointed to NIST SP 800-171, whose requirements are derived from the 800-53 catalog. Even where no mandate applies, the controls remain a well-tested reference that any team can use to check the security of its information systems.
The purpose of these controls is to protect data against attack, which is an outcome every party involved should want. No one should treat the 800-53 baselines as the complete set of safeguards, however. The standard itself describes the baselines as starting points to be tailored: each organization has its own threats, data, and risk tolerance, and in almost every case additional or strengthened controls will be needed on top of the selected baseline.