Information Security Control Frameworks

NIST Special Publication 800-53 (NIST SP 800-53): Security and Privacy Controls for Information Systems and Organizations

crceriskby
Leave a Comment on NIST Special Publication 800-53 (NIST SP 800-53): Security and Privacy Controls for Information Systems and Organizations

NIST Special Publication 800-53 (NIST SP 800-53) is a comprehensive set of guidelines for federal information systems and organizations to manage and secure their information systems. Here are some key points about NIST SP 800-53:

  1. Purpose: The guidelines provide a catalog of security and privacy controls to protect organizational operations, assets, individuals, other organizations, and the nation.
  2. Scope: It applies to all federal information systems other than those related to national security, which are governed by other policies.
  3. Structure: The document is organized into different families of controls, each addressing a specific area of security or privacy. These families include:
    • Access Control (AC)
    • Audit and Accountability (AU)
    • Awareness and Training (AT)
    • Configuration Management (CM)
    • Contingency Planning (CP)
    • Identification and Authentication (IA)
    • Incident Response (IR)
    • Maintenance (MA)
    • Media Protection (MP)
    • Physical and Environmental Protection (PE)
    • Planning (PL)
    • Personnel Security (PS)
    • Risk Assessment (RA)
    • System and Communications Protection (SC)
    • System and Information Integrity (SI)
    • Program Management (PM)

NIST SP 800-53 is organized into a comprehensive set of controls, grouped into families and classes that cover various aspects of security and privacy. Each family contains individual controls that specify requirements to mitigate risks in that area. Here’s a more detailed look:

Control Families

  1. Access Control (AC)
    • AC-1: Access Control Policy and Procedures
    • AC-2: Account Management
    • AC-3: Access Enforcement
    • AC-4: Information Flow Enforcement
    • AC-5: Separation of Duties
    • AC-6: Least Privilege
    • AC-7: Unsuccessful Logon Attempts
    • AC-8: System Use Notification
    • AC-9: Previous Logon (Access) Notification
    • AC-10: Concurrent Session Control
    • AC-11: Session Lock
    • AC-12: Session Termination
    • AC-13: Supervision and Review—Access Control
    • AC-14: Permitted Actions without Identification or Authentication
    • AC-15: Automated Marking
    • AC-16: Security Attributes
    • AC-17: Remote Access
    • AC-18: Wireless Access
    • AC-19: Access Control for Mobile Devices
    • AC-20: Use of External Information Systems
  2. Audit and Accountability (AU)
    • AU-1: Audit and Accountability Policy and Procedures
    • AU-2: Audit Events
    • AU-3: Content of Audit Records
    • AU-4: Audit Storage Capacity
    • AU-5: Response to Audit Processing Failures
    • AU-6: Audit Review, Analysis, and Reporting
    • AU-7: Audit Reduction and Report Generation
    • AU-8: Time Stamps
    • AU-9: Protection of Audit Information
    • AU-10: Non-repudiation
    • AU-11: Audit Record Retention
    • AU-12: Audit Generation
    • AU-13: Monitoring for Information Disclosure
    • AU-14: Session Audit
  3. Awareness and Training (AT)
    • AT-1: Security Awareness and Training Policy and Procedures
    • AT-2: Security Awareness Training
    • AT-3: Role-Based Security Training
    • AT-4: Security Training Records
  4. Configuration Management (CM)
    • CM-1: Configuration Management Policy and Procedures
    • CM-2: Baseline Configuration
    • CM-3: Configuration Change Control
    • CM-4: Security Impact Analysis
    • CM-5: Access Restrictions for Change
    • CM-6: Configuration Settings
    • CM-7: Least Functionality
    • CM-8: Information System Component Inventory
    • CM-9: Configuration Management Plan
    • CM-10: Software Usage Restrictions
    • CM-11: User-Installed Software
  5. Contingency Planning (CP)
    • CP-1: Contingency Planning Policy and Procedures
    • CP-2: Contingency Plan
    • CP-3: Contingency Training
    • CP-4: Contingency Plan Testing
    • CP-5: Contingency Plan Update
    • CP-6: Alternate Storage Site
    • CP-7: Alternate Processing Site
    • CP-8: Telecommunications Services
    • CP-9: Information System Backup
    • CP-10: Information System Recovery and Reconstitution
  6. Identification and Authentication (IA)
    • IA-1: Identification and Authentication Policy and Procedures
    • IA-2: Identification and Authentication (Organizational Users)
    • IA-3: Device Identification and Authentication
    • IA-4: Identifier Management
    • IA-5: Authenticator Management
    • IA-6: Authenticator Feedback
    • IA-7: Cryptographic Module Authentication
  7. Incident Response (IR)
    • IR-1: Incident Response Policy and Procedures
    • IR-2: Incident Response Training
    • IR-3: Incident Response Testing
    • IR-4: Incident Handling
    • IR-5: Incident Monitoring
    • IR-6: Incident Reporting
    • IR-7: Incident Response Assistance
    • IR-8: Incident Response Plan
  8. Maintenance (MA)
    • MA-1: System Maintenance Policy and Procedures
    • MA-2: Controlled Maintenance
    • MA-3: Maintenance Tools
    • MA-4: Nonlocal Maintenance
    • MA-5: Maintenance Personnel
    • MA-6: Timely Maintenance
  9. Media Protection (MP)
    • MP-1: Media Protection Policy and Procedures
    • MP-2: Media Access
    • MP-3: Media Marking
    • MP-4: Media Storage
    • MP-5: Media Transport
    • MP-6: Media Sanitization
    • MP-7: Media Use
  10. Physical and Environmental Protection (PE)
    • PE-1: Physical and Environmental Protection Policy and Procedures
    • PE-2: Physical Access Authorizations
    • PE-3: Physical Access Control
    • PE-4: Access Control for Transmission Medium
    • PE-5: Access Control for Output Devices
    • PE-6: Monitoring Physical Access
    • PE-7: Visitor Control
    • PE-8: Access Records
    • PE-9: Power Equipment and Cabling
    • PE-10: Emergency Shutoff
    • PE-11: Emergency Power
    • PE-12: Emergency Lighting
    • PE-13: Fire Protection
    • PE-14: Temperature and Humidity Controls
    • PE-15: Water Damage Protection
    • PE-16: Delivery and Removal
    • PE-17: Alternate Work Site
    • PE-18: Location of Information System Components
  11. Planning (PL)
    • PL-1: Security Planning Policy and Procedures
    • PL-2: System Security Plan
    • PL-3: System Security Plan Update
    • PL-4: Rules of Behavior
    • PL-5: Privacy Impact Assessment
    • PL-6: Security-Related Activity Planning
  12. Personnel Security (PS)
    • PS-1: Personnel Security Policy and Procedures
    • PS-2: Position Risk Designation
    • PS-3: Personnel Screening
    • PS-4: Personnel Termination
    • PS-5: Personnel Transfer
    • PS-6: Access Agreements
    • PS-7: Third-Party Personnel Security
    • PS-8: Personnel Sanctions
  13. Risk Assessment (RA)
    • RA-1: Risk Assessment Policy and Procedures
    • RA-2: Security Categorization
    • RA-3: Risk Assessment
    • RA-4: Risk Assessment Update
    • RA-5: Vulnerability Scanning
    • RA-6: Technical Surveillance Countermeasures Survey
  14. System and Communications Protection (SC)
    • SC-1: System and Communications Protection Policy and Procedures
    • SC-2: Application Partitioning
    • SC-3: Security Function Isolation
    • SC-4: Information in Shared Resources
    • SC-5: Denial-of-Service Protection
    • SC-6: Resource Availability
    • SC-7: Boundary Protection
    • SC-8: Transmission Confidentiality and Integrity
    • SC-9: Transmission Confidentiality
    • SC-10: Network Disconnect
    • SC-11: Trusted Path
    • SC-12: Cryptographic Key Establishment and Management
    • SC-13: Cryptographic Protection
    • SC-14: Public Access Protections
    • SC-15: Collaborative Computing Devices
    • SC-16: Transmission of Security Parameters
    • SC-17: Public Key Infrastructure Certificates
    • SC-18: Mobile Code
    • SC-19: Voice Over Internet Protocol
    • SC-20: Secure Name/Address Resolution Service (Authoritative Source)
    • SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
    • SC-22: Architecture and Provisioning for Name/Address Resolution Service
    • SC-23: Session Authenticity
    • SC-24: Fail in Known State
    • SC-25: Thin Nodes
    • SC-26: Honeypots
    • SC-27: Operating System-Independent Applications
    • SC-28: Protection of Information at Rest
    • SC-29: Heterogeneity
    • SC-30: Concealment and Misdirection
    • SC-31: Covert Channel Analysis
    • SC-32: Information System Partitioning
    • SC-33: Transmission Preparation Integrity
    • SC-34: Non-Modifiable Executable Programs
    • SC-35: Hardware-Enforced Security Functions
  15. System and Information Integrity (SI)
    • SI-1: System and Information Integrity Policy and Procedures
    • SI-2: Flaw Remediation
    • SI-3: Malicious Code Protection
    • SI-4: Information System Monitoring
    • SI-5: Security Alerts, Advisories, and Directives
    • SI-6: Security Function Verification
    • SI-7: Software, Firmware, and Information Integrity
    • SI-8: Spam Protection
    • SI-9: Information Input Restrictions
    • SI-10: Information Input Validation
    • SI-11: Error Handling
    • SI-12: Information Output Handling and Retention
    • SI-13: Predictable Failure Prevention
  16. Program Management (PM)
    • PM-1: Information Security Program Plan
    • PM-2: Senior Information Security Officer
    • PM-3: Information Security Resources
    • PM-4: Plan of Action and Milestones Process
    • PM-5: System Inventory
    • PM-6: Information Security Measures of Performance
    • PM-7: Enterprise Architecture
    • PM-8: Critical Infrastructure Plan
    • PM-9: Risk Management Strategy
    • PM-10: Security Authorization Process
    • PM-11: Mission/Business Process Definition
    • PM-12: Insider Threat Program
    • PM-13: Security Architecture
    • PM-14: Testing, Training, and Monitoring
    • PM-15: Contacts with Security Groups and Associations
    • PM-16: Threat Awareness Program

Control Enhancements

Each control family contains controls with specific requirements. These controls can have enhancements that provide additional functionality or requirements to address more specific or advanced threats and risks.

Tailoring Controls

Organizations are encouraged to tailor the controls to their specific needs by:

  • Selecting the appropriate baseline based on the system’s impact level (low, moderate, high).
  • Applying overlays to address specific requirements such as privacy, industrial control systems, or cloud computing.
  • Using organization-defined parameters to customize controls to the organizational context.

Implementation Tiers

Controls are implemented at different tiers to align with the organization’s risk management strategy:

  • Tier 1: Organization Level
  • Tier 2: Mission/Business Process Level
  • Tier 3: Information System Level

Control Baselines: NIST SP 800-53 provides baseline controls categorized into low, moderate, and high impact levels based on the potential impact on an organization should a breach occur.

Updates and Revisions: NIST SP 800-53 is a living document that evolves with the changing landscape of cybersecurity threats and technologies, ensuring that it remains a relevant and effective framework for securing information systems. NIST SP 800-53 is periodically updated to address new threats, technologies, and standards. Organizations need to stay current with these updates to maintain effective security postures.

Compliance: While primarily intended for federal agencies, many private sector organizations and other entities also adopt NIST SP 800-53 as a best practice for their cybersecurity frameworks.

For detailed and up-to-date information, the full document and its revisions can be accessed on the NIST website.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from Cyber Risk Countermeasures Education (CRCE)

Subscribe now to keep reading and get access to the full archive.

Continue reading