NIST Special Publication 800 53

NIST Special Publication 800 53

What Is NIST Special Publication 800 53?

NIST Special Publication 800 53, developed by the National Institute of Standards and Technology, provides Federal organizations with a dossier of security controls for the information systems under the purview of the concerned agency. This catalog is not applicable to information systems that are related to national security. The NIST developed the publication to further its statutory responsibilities under the Federal Information Security Management Act (FISMA).

 

The SP 800 53 leans upon the low, high, and moderate security control baselines to maintain consistency with Federal Information Processing Standards 199 and 200. The security control baselines provide a framework on which guidelines are developed on the basis of information sensitivity. NIST updates the SP 800 53 on a periodic basis to reflect the ever evolving threat from the technological landscape. The latest revision, SP 800 53 Rev 5, is supposed to be rolling out on March 28, 2017.

 

The purpose of SP 800 53

SP 800 53 is a part of the NIST’s wider SP 800 series that are developed in accordance with rigorous research conducted by the Information Technology Laboratory (ITL). Meeting the guidelines provided by the publication is a critical part of the accreditation and certification process for all federal information systems. In its most basic essence, SP 800 53 introduced and defined the concept of security control baselines. In addition. it is stressed that SP 800 53’s guidelines are not minimum guidelines. Rather it is an introductory framework on which more comprehensive and relevant control mechanisms may be devised.

 

The publication specifically covers the steps of a Risk Management Framework as defined by the NIST. The NIST Risk Management Framework defines a distinctive six-step approach to providing a comprehensive process. Moreover, it integrates the system development life cycle and information security risk management. On this tier, SP 800 53 falls under Step 2, and it specifically pertains to the selection of security control systems for federal information systems. NIST Special Publication 800 53 as well as other NIST SPs as defined by the NIST Risk Management Framework, require Federal agencies to meet certain standards in order to receive certification and accreditation on a yearly basis.

 

Risk management is the underlying goal of SP 800 53

The FIPS Publication 199 allows federal agencies and organizations involved in managing the information system processes of agencies to categorize the security of the information at their disposal. Then the agencies must determine the impact levels of their information systems in accordance with FIPS 200. It is only after this can a federal agency tailor their security controls in accordance with SP 800 53. The publication works in tandem with FIPS 199 and 200. This is to ensure that every federal information system is secure in the event of worst case scenarios. The publication allows organizations to customize the security control baselines based on the agency’s mission, requirements, and working environment.

 

Agencies must provide their answers to accreditation officers in terms of an effective risk management process. A good process appropriately identifies, mitigates, monitors, and responds to threats to their information systems. Furthermore, it must meet guidelines provided by SP 800 39.  This is in relation to managing information security risk at the organizational tier, the mission process tier, and the information system tier. The publication’s guidelines are applicable to all aspects of an information system that process, record, and/or transmit federal information. The publication seeks to provide a flexible, yet stable catalog of controls. They should protect current information and also meet the requirements of future information systems protection. In addition, it provides a common ground on which federal agencies can discuss and deal with risk management. The publication also seeks to improve inter-agency communication.