NIST Special Publication 800-53 is a catalog of security and privacy controls released by the National Institute of Standards and Technology for U.S. federal information systems. It includes key steps in the Risk Management Framework for the selection of appropriate security controls for information systems. These standards and guidelines are a requirement for federal agencies and federal contractors under the Federal Information Processing Standard (FIPS) 200.
This catalog of security and privacy controls is harmonized with the controls in Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171), which is a requirement for businesses doing business with the federal government to protect Controlled Unclassified Information (CUI). SP 800-53 has two companion guidelines: SP 800-53A provides implementation guidance for each step of the Risk Management Framework, and SP 800-53B assists in security control selection within the management framework.
SP 800-53A is also applicable to NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which addresses the risks to information systems and operational technology presented by information exchanges with suppliers, acquirers, and external service providers. This standard uses Cybersecurity Supply Chain Risk Management (C-SCRM) processes to assess appropriate procedures, processes, policies, and strategies.
Control Families
The NIST Special Publication 800-53 control families, designed to safeguard system and information integrity as well as organizational operations and assets, are as follows:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Control Assessments (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Personally Identifiable Information Processing and Transparency (PT)
- Risk Assessment (RA)
- Systems and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
Patch Released to Address Minor Changes
In November 2023 NIST released a patch to address minor changes in the standard. The change adds an enhancement to the Identification and Authentication control family to provide for the protection of cryptographic keys, verification of identity assertions and access tokens, and token management. Organizations already implementing SP 800-53r5 are not mandated to implement these changes.
CMMC Requirements
In 2013 the Defense Federal Acquisition Regulation Supplemental (DFARS) 252-204-7000 went into effect in an effort to establish requirements for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held by DoD contractors in the Defense Industrial Base. This was followed by DFARS clause 7012 in 2016, which established NIST SP 800-171 as the mechanism for providing this desired protection.
In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying an organization's level of cyber hygiene. Following industry professionals' concerns about the complexity, cost, and proposed timeline, the DoD released CMMC 2.0 in 2021. Among other changes, the levels of compliance were reduced from five to three.
Currently CMMC 2.0 requirements are divided into three levels of compliance:
- CMMC Level 1 – Foundational consists of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
- CMMC Level 2 – Advanced consists of 110 practices aligned with NIST SP 800-171 Revision 2. This is a set of security practices and security standards for non-governmental organizations that handle CUI. It requires that a third-party assessment be conducted every three years for information deemed critical to national security. It also requires an annual internal assessment.
- CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls. There is also a requirement for triennial assessments conducted by government representatives.
CVG Strategy Information Security Management System Consultants
An increasing number of businesses are finding that they must meet challenging information security levels in order to conduct business with governmental agencies. To assist businesses in meeting the challenges of adopting the various NIST Special Publication 800-53 and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
It involves processes, facility security, people, and IT systems engaging in best practices. It also involves a continual improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creating internal auditing processes, and much more.