User:Shawndouglas/sandbox/sublevel3

National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg

Originally released in 2005, NIST's Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations has since gone through four revisions, with a fifth delayed^[1] but in the works.^[2] The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."^[3]

The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.

The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family Access control has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.

This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.