LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework
4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework
Originally released in 2005, NIST's Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations has since gone through four revisions, with a fifth delayed but in the works. The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."
The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.
The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family Access control has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.
You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.
This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.
4.1 NIST Cybersecurity Framework
The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. Executive Order 13636: Improving Critical Infrastructure Cybersecurity. Building off the frameworks of NIST Special Publication 800-53 (Revision 4), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.
Version 1.0 of the framework was introduced in 2014, and by 2016:
- Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
- Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
- Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.
However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement approaches. Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure. Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders," the framework is likely to be further embraced in some form worldwide.
It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon. At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.
- Miller, J. (3 September 2019). "OMB’s regulatory review is creating a backlog of cyber standards". Federal News Network - Reporter's Notebook. Hubbard Radio Washington DC, LLC. https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/. Retrieved 23 July 2020.
- National Institute of Standards and Technology (28 April 2020). "Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)". Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft. Retrieved 23 July 2020.
- "NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 22 January 2015. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. Retrieved 23 July 2020.
- "Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience". U.S. Deapartment of Homeland Security. March 2013. https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet. Retrieved 23 July 2020.
- Chang-Gu, A. (2 March 2015). "NIST Cybersecurity Framework vs. NIST Special Publication 800-53". Praetorian Security Blog. Praetorian Security, Inc. https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53. Retrieved 23 July 2020.
- Morgan, J. (4 April 2018). "How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett". Security. BNP Media. https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework. Retrieved 23 July 2020.
- Dark Reading Staff (30 March 2016). "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Dark Reading - Attacks/Breaches. Informa PLC Informa UK Limited. https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901. Retrieved 23 July 2020.
- BizTech Staff (20 December 2017). "Why a Risk-Based Approach Leads to Effective Cybersecurity". BizTech. CDW LLC. https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity. Retrieved 23 July 2020.
- Daniel, M. (25 January 2018). "Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds". Cyber Threat Alliance Blog. https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/. Retrieved 23 July 2020.
- "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". National Institute of Standards and Technology. 16 April 2018. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework. Retrieved 23 July 2020.
- "New to Framework". Cybersecurity Framework. National Institute of Standards and Technology. 18 November 2019. https://www.nist.gov/cyberframework/new-framework. Retrieved 23 July 2020.
Citation information for this chapter
Chapter: 4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework
Title: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan
Author for citation: Shawn E. Douglas
License for content: Creative Commons Attribution-ShareAlike 4.0 International
Publication date: July 2020