NIST 800-53 Compliance

A highly secure and prescriptive control set that can ensure a high level of protection for any organization

What is the NIST Special Publication 800-53?

The National Institute of Standards and Technology (NIST) – a non-regulatory part of the US Department of Commerce – constructed a set of standards for all federal agencies to follow. NIST Special Publication 800-53 is the standard which covers security and privacy controls.

The controls set in place by NIST 800-53 are applicable to all federal data, excluding data that concerns national security and is considered sensitive information. All federal agencies have a legal duty to follow the guidelines set out by NIST 800-53, but the controls can be applied to any environment to ensure a proper level of data protection. 

NIST 800-53 Controls

While the controls can be divided into different categories, the overarching goal of the standard is to ensure information systems are secure and not vulnerable to cyber attacks.

The controls are separated into three impact levels (low, medium, and high) and are further broken down into the following families:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

Advantages of Complying with NIST 800-53

Complying with the NIST 800-53 guidelines is legally required for all federal agencies and is beneficial for everyone else, especially organizations that must maintain FISMA compliance. External contractors and organizations who have access to federal data may not be legally required to maintain NIST 800-53 compliance, but they are highly encouraged to do so. The NIST 800-53 controls are recommendations that can help agencies and teams ensure the security of their information systems.

These guidelines serve to protect and safeguard data against attacks, which is an outcome all parties should be actively working toward. However, everyone should ensure that the NIST 800-53 controls are not the only security mechanisms in place. Additional controls are required in almost all cases, as each organization or agency has its own unique vulnerabilities and security requirements.

Cyber Defense Group

Cyber Defense Group specializes in Incident Response and Security Engineering, enabling agile businesses to operate at speed. We protect our clients from cyber criminals, and we create robust security programs which can withstand current and future threats.

Security Compliance Types

ISO27001

ISO27001 is an international standard for information security, published by the International Organization for Standardization. Organizations that meet ISO27001 criteria can be certified against the standard to demonstrate their ongoing commitment to data protection and information security.

SOC2

SOC2 was developed by the AICPA for managing customer data based on “trust service principles”. SOC2 is primarily used for companies operating within the United States.

DFARS/CMMC

CMMC is a standard for organizations in the United States which work with the Department of Defense (DoD). The CMMC covers the cybersecurity controls for Controlled Unclassified Information (CUI).

NIST 800-53

In order to prevent mass variance, the National Institute of Standards and Technology (NIST) – a non-regulatory part of the Department of Commerce – constructed a set of standards for all federal agencies to follow: the NIST Special Publication 800-53.

HIPAA

The Health Insurance Portability and Accountability Act is a US law enacted in 1996 which governs the data protection and privacy of health records.

GDPR

The European General Data Protection Regulation is a data protection and privacy regulation for EU citizens. Any company operating within the EU borders must conform to this regulation.

CCPA

The California Consumer Privacy Act is a California data protection and privacy law for residents of California. Most companies which hold information on California residents are subject to this regulation.

CIS 20

The CIS 20 is a list of 20 actions and practices an organization’s security team can adopt to minimize and prevent cyberattacks and other threats.