Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today we are continuing the series on the National Institute of Standards and Technology, otherwise referred to as NIST. We are going to jump in to the NIST Special Publication 800-53 revision 5. This one doesn’t have a unique acronym either like the CSF or the RMF, as it is titled Security and Privacy Controls for Information Systems and Organizations, so we’ll just have to call it the 800-53 throughout this discussion.

So, what is the NIST 800-53? The NIST 800-53 is another security-focused publication recently revised in 2020, that brought about revision 5. This special publication was collaboratively created to lay out the purpose, fundamentals, and expansive set of security controls to help organizations better secure their networks and enterprises.

NIST 800-53 is the largest document we’ve covered to date; it is a 465 page document. Similar to the NIST 800-171, the first two chapters discuss the purpose of the document, the fundamentals, and they define the security control families you will see in chapter 3. All of this is done by page 15; chapter three begins on page 16 and goes all the way through page 373! Why so many pages in chapter three? Chapter three starts the definition of every security control in each security control family.

It is a very long read, but worth the time as the security control definitions help the reader understand what the control is for or what the purpose is of that particular control. Security control discussions amongst security professionals are almost a constant. Deterrent controls, detective controls, compensating controls, the list goes on and on. This document defines all of those in detail.

Stepping back, let’s jump into chapter 1. After the introduction there is a section that describes the target audience for this publication. That target audience in section 1.2 is as follows:

  • Individuals with system, information security, privacy, or risk management and oversight responsibilities, including authorizing officials, chief information officers, senior agency information security officers, and senior agency officials for privacy;
  • Individuals with system development responsibilities, including mission owners, program managers, system engineers, system security engineers, privacy engineers, hardware and software developers, system integrators, and acquisition or procurement officials;
  • Individuals with logistical or disposition-related responsibilities, including program managers, procurement officials, system integrators, and property managers;
  • Individuals with security and privacy implementation and operations responsibilities, including mission or business owners, system owners, information owners or stewards, system administrators, continuity planners, and system security or privacy officers;
  • Individuals with security and privacy assessment and monitoring responsibilities, including auditors, Inspectors General, system evaluators, control assessors, independent verifiers and validators, and analysts; and
  • Commercial entities, including industry partners, producing component products and systems, creating security and privacy technologies, or providing services or capabilities that support information security or privacy.

So, after hearing the target audience for this publication, does that describe you, your organization, or anyone you know in the security industry? As you heard, this publication is meant for a very broad range of people and organizations. While it is not mandated for use outside of the federal government, it might just behoove you or your organization to give it a read and see about applying the knowledge within to bolster your security posture.

Speaking of organizations, look at section 1.3 which is titled “organizational responsibilities”. The responsibilities state the following:

Managing security and privacy risks is a complex, multifaceted undertaking that requires:

  • Well-defined security and privacy requirements for systems and organizations;
  • The use of trustworthy information system components based on state-of-the-practice hardware, firmware, and software development and acquisition processes;
  • Rigorous security and privacy planning and system development life cycle management;
  • The application of system security and privacy engineering principles and practices to securely develop and integrate system components into information systems;
  • The employment of security and privacy practices that are properly documented and integrated into and supportive of the institutional and operational processes of organizations; and
  • Continuous monitoring of information systems and organizations to determine the ongoing effectiveness of controls, changes in information systems and environments of operation, and the state of security and privacy organization-wide.

How does your organization stack up to those responsibilities? If you notice gaps, use the 800-53 to help close those gaps. It will help both the security professional and organizational leadership alike both learn more about what is needed to increase overall security.

Chapter two starts to link the ideas surrounding security defined in chapter 1 with fundamentals, and helps the reader understand how the control families are structured and defined. By the time you get to chapter three you will know the difference between control identifiers, control name base controls, and control enhancements amongst other areas. Section 2.3 provides control implementation approaches to help guide the reader through the implementation process. The remaining sections in chapter 2 provide more in-depth information regarding security, privacy, trustworthiness, and assurance.

Now, as is typical with the NIST publications, after the meat of chapter three comes the appendices. Again, like the 800-171 the appendices provide excellent supplementary material. References to other NIST publications, a glossary, useful acronyms, and control summaries round out the remainder of the publication. Block off a period in time to become familiar with this publication, as it can help everyone become better aware of security and the responsibilities that come with it.

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!