Introduction to NIST Cybersecurity Compliance


This brief is intended to provide a high-level overview of what NIST is, what they do, and where to find more information on how to comply.

What is NIST?

NIST stands for the National Institute of Standards and Technology. They are part of the U.S. Department of Commerce, but they are not a regulatory agency. They’re a research lab that houses varied scientific expertise, and they work with a wide range of industries and other government agencies. Among a host of other things, they develop several key security standards and coordinate with federal and commercial communities on how those standards are to be implemented.

NIST Publications

NIST develops various cybersecurity-focused technical publication series, including:

  • Federal Information Processing Standards (FIPS): Security standards created and published to address mandates, statutes, and other federal cybersecurity requirements.
    • A popular one is FIPS 140-3: Security Requirements for Cryptographic Modules, which specifies security requirements for cryptographic modules, including secure design and implementation. It defines four increasing, qualitative security levels intended to cover a wide range of potential applications and environments.
  • NIST Internal or Interagency Reports (NISTIR): Research and analysis that provides useful context for FIPS and SPs.
  • NIST Information Technology Laboratory Bulletins (ITL): Summaries and reviews of NIST’s security and privacy publications and programs, issued monthly.
  • NIST Special Publications (SP): Series of technical specifications, guidance, and best practices.
    • NIST’s SP 800 series covers computer security topics for the cybersecurity community.

NIST Publications – Example SPs

You can find all the NIST pubs here: https://csrc.nist.gov/publications. Here are a few interesting ones:

  • 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
  • 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
  • 800-63: Digital Identity Guidelines, with companion volumes 800-63A (Enrollment and Identity Proofing), 800-63B (Authentication and Lifecycle Management), and 800-63C (Federation and Assertions)
  • 800-161 Rev. 1: Cyber Supply Chain Risk Management Practices for Systems and Organizations
  • 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • 800-190: Application Container Security Guide

What is NIST 800-53?

The most comprehensive and useful SP is NIST Special Publication (SP) 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. NIST 800-53 provides a catalog of security and privacy controls, organized into 20 families.  Each family contains controls that are related to the specific topic of the family [e.g., Access Control (AC), Configuration Management (CM), Risk Assessment (RA), etc.]. While compliance with 800-53 is required for U.S. federal government agencies, it’s also widely used by other organizations as their security controls framework.

You can find NIST 800-53, Revision 5 here:

https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final/

Control Catalog spreadsheet is here:

https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-control-catalog.xlsx

How New Control Revisions are Released

NIST SP 800-53 was initially released in February 2005 as “Recommended Security Controls for Federal Information Systems.” New revisions are released periodically as threats, vulnerabilities, requirements, and technologies change, driven by:

  • Threat and vulnerability information and on the tactics and techniques used by adversaries;
  • A better understanding of how to mitigate risks to systems and risks to the privacy of individuals arising from information processing; and
  • New or changing requirements in laws, executive orders, regulations, policies, standards, or guidelines.

New revisions are released in stages:

  • A pre-draft call for public review and comments;
  • One or more public drafts, published and updated based on submitted comments; then
  • The final publication.

Currently, we are on NIST SP 800-53, Revision 5 (published September 2020). Revision 5 fully integrates the privacy controls into the security control catalog.


Top 5 Interesting NIST 800-53 Families… IMO

Here are the NIST 800-53 control families that I find especially important.

Access Control (AC)
  • Requirements: Manage and enforce approved authorizations for subjects (users) to access system objects (devices, files, records, domains, etc.).
  • Why important: A lack of management and monitoring of privileged and non-privileged accounts exposes the system to adversaries and insider threats and could provide privileged access to unauthorized individuals.

Configuration Management (CM)
  • Requirements: Establish a system baseline; analyze and promote approved changes; harden against required benchmarks; and maintain an inventory of all assets within the boundary.
  • Why important: To prevent unauthorized configuration changes, and to recover from a system failure, there must be a documented baseline for rebuilding compromised or newly acquired IT assets to the most current, secure baseline.

System and Communications Protection (SC)
  • Requirements: Protect assets and data by allowing only authorized traffic in and out of the environment. Monitor and control external and internal boundaries via managed interfaces and subnetworks. Secure data in flight and at rest via cryptography, and manage keys throughout their lifecycle.
  • Why important: Unencrypted data could be disclosed to unauthorized users, who could potentially damage IT assets or disrupt operations.

System and Information Integrity (SI)
  • Requirements: Implement timely patch and maintenance cycles, anti-virus, intrusion detection systems, integrity verification checks, spam protection, and error handling.
  • Why important: Failing to remediate flaws leaves a system more vulnerable to malicious code or other exploits that could degrade system performance or compromise system integrity.

Supply Chain Risk Management (SR)
  • Requirements: This is the new family introduced with NIST SP 800-53 Revision 5. Manage supply chain risks throughout the entire system development lifecycle, and protect against them via acquisition, contract, and procurement strategies.
  • Why important: Vulnerabilities within the end-to-end supply chain could be exploited, leading to the degradation of the security functionality of the system, the facilities, or the operations.

Some More Interesting NIST 800-53 Families

These control families also have an outsized impact on security and compliance posture.

Security Awareness and Training (AT)
  • Requirements: General and specific security training is required based on a user’s role. Upon initial onboarding and at least [annually] thereafter, all individuals must complete security awareness training. Additionally, all personnel must complete mandatory role-based security training.
  • Why important: If users are not aware of their responsibilities and expected behavior, they may not apply the proper rules of behavior for use of the system and may use the system improperly.

Contingency Planning (CP)
  • Requirements: Recover IT services following a system disruption, within defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). Produce, test, train on, and maintain the Contingency Plans. See NIST 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems for guidance.
  • Why important: Key personnel may not know how to recover the system to a known state after a disruption, compromise, or failure, which could affect the availability of the system.

Incident Response (IR)
  • Requirements: Implement an incident response capability to effectively detect, respond to, analyze, and report security incidents. Users who are aware of or suspect an IT or data security/privacy issue or incident must report it immediately to the organization’s incident response support resource (e.g., Help Desk, Incident Response Team, etc.).
  • Why important: A lack of security incident notification may lead to security incidents not being investigated, resulting in unnecessary exposure to known vulnerabilities and potential compromise and/or degradation of the system.

Risk Assessment (RA)
  • Requirements: Identify risks to operations, assets, and individuals, incorporating threat and vulnerability analyses. Perform vulnerability scanning on all operating systems, network devices, containers, databases, and web applications within the system boundary. Remediate any findings within required timeframes.
  • Why important: Without a consistent vulnerability management process, stakeholders may be unaware of critical vulnerabilities, leaving the system susceptible to unauthorized access or to becoming unavailable.

Useful in Mappings/Crosswalks

Given that NIST 800-53 is so comprehensive, it is often used as a “common language” amongst compliance nerds. It’s a security and privacy control catalog that can be applied universally, so it can be used to translate an “unknown” framework into something everyone understands. It may also be helpful when trying to gauge the additional work needed to achieve any given cybersecurity certification.

Why Should I Care?

If you’re in cybersecurity, you’ll need NIST (and we’re happy to help you get acquainted).  If you’re not in cybersecurity, you’ll still need NIST for when you inevitably cross paths with FISMA, FedRAMP, various FIPS pubs like FIPS 140-3, even international frameworks like the Canadian Protected B, etc. etc. etc.

Contact Us to Get Started 

Contact us to learn more about applying the NIST security controls in your own environments.

Jeremiah Thompson

Director of Cloud Security Architecture

Jeremiah Thompson is 38North’s Director of Cloud Security Architecture. He leads 38North’s technical teams as they tackle engineering challenges and design secure, compliant cloud security architectures.

For over 18 years Jeremiah has helped clients in the commercial, defense and federal civilian sectors engineer secure solutions to modern cyber challenges. Prior to 38North, he served as a Director at Coalfire, one of the nation’s preeminent Third-Party Assessment Organizations (3PAOs). At Coalfire he led FedRAMP and DoD FedRAMP+ assessments supporting Fortune 500 organizations. He was also a Lead Information Security Compliance Auditor supporting the National Cancer Institute, and an Information Security Compliance Auditor at IBM.

Jeremiah currently holds CISSP, CISM, CAP, C|EH, Security+, Network+, CCSK and MCP certifications.

Andy Davidson

Senior Director of Cloud Security

Andy Davidson is Senior Director of Cloud Security at 38North. He leads 38North Senior Advisors as they prepare IaaS, PaaS and SaaS providers for the rigors of FedRAMP authorization. One of the nation’s most experienced FedRAMP practitioners, Andy has been supporting FedRAMP assessment and consulting efforts since the initial FedRAMP pilot project. He specializes in helping hyperscale Cloud Service Providers (CSPs) navigate FedRAMP requirements and successfully achieve Provisional Authorities to Operate (P-ATO).

Prior to 38North, Andy was Senior Director of FedRAMP and Assessment Services at Coalfire, one of the leading Third-Party Assessment Organizations (3PAOs). At Coalfire, he was responsible for growing the 3PAO practice and managing assessor teams in the execution of high profile assessments for Fortune 500 CSPs. He also helped start Veris Group’s 3PAO practice. Prior to Veris, Andy was an IT security consultant at Booz Allen Hamilton, supporting security assessments and engineering efforts across the federal government.

Linda Morales

Senior Director of Assessments

Linda Morales is the Senior Director of Assessments at 38North Security. She leads assessments for customers in the healthcare, federal and commercial spaces. She specializes in helping organizations prepare for and complete FISMA, FedRAMP and HIPAA assessments. She is adept at leading teams to deliver efficient, accurate security reviews that withstand scrutiny from federal regulators. Linda is also a recognized expert in Healthcare security, helping Health-IT providers secure and defend Protected Health Information (PHI).

Prior to 38North, Linda served as a Director at Endeavor Systems, where she played a key role growing the federal security services practice. She also served as Security Manager for the Federal Aviation Administration’s (FAA) enterprise-wide assessment program, with responsibility for 150+ systems across FAA.

Linda earned a BS in Computer Science and a Masters in Engineering Management, with a focus in Information Security, both from The George Washington University. She is also a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and a Registered Practitioner with the Cybersecurity Maturity Model Certification Advisory Board (CMMC-AB).

Spence Witten

Senior Advisor and Director of Business Development

Spence Witten is a 38North Senior Advisor and Director of Business Development. He serves as a trusted security advisor to 38North’s clients in the cloud services, healthcare, financial, defense and critical infrastructure communities.

Prior to 38North, Spence was Vice President of Global Sales at Lunarline. Spence led sales and marketing across ten cybersecurity business units, culminating in Lunarline’s acquisition by Motorola Solutions. Prior to becoming VP of Global Sales, Spence ran Lunarline’s US Federal Security Services practice, overseeing Lunarline’s defense, intelligence and federal civilian portfolio. He was also an early employee of Endeavor Systems. He played a key role in Endeavor’s rapid expansion in the federal, civilian, defense, and research and development markets, through to Endeavor’s successful acquisition.

An Adjunct Professor at Cleveland-Marshall College of Law, Spence serves on the Board of Directors for the Center for Cybersecurity and Privacy Protection at Cleveland State University. He is also a member of CyberOhio, the official cybersecurity advisory board for the Governor of Ohio.

Virginia Suazo

Senior Director of Cloud Security Advisory

Virginia Suazo is 38North’s Senior Director of Cloud Security Advisory. She is responsible for leading 38North’s cloud security and compliance efforts, with a speciality in helping global CSPs juggle multiple overlapping regulatory frameworks.

Before joining 38North, Virginia worked at a tech startup supporting the first and only Red Hat OpenStack Platform that is FedRAMP-authorized. She played a vital role in successfully obtaining FedRAMP Moderate and High authorizations for IaaS, PaaS, and SaaS systems, while supporting other certifications including DoD IL4/5, PCI DSS, HIPAA and HITECH. Her 15 years of cybersecurity experience also includes several tours supporting US federal agencies, including State Department, Department of Justice, Health and Human Services, Food and Drug Administration, General Services Administration and Department of Transportation.

Matt Earley

Founder

Matt Earley is 38North’s founder and President. He started 38North – the premier cloud security advisory company, in the US and internationally – to solve complex security challenges while developing trusted relationships with an elite client base.

For over 20 years Matt Earley has designed and implemented security solutions for the US and Australian federal governments, critical infrastructure, utilities, and for global finance and healthcare organizations. He focuses on lean security architecture design and prioritizing security efforts based on the critical needs of his clients.

Prior to founding 38North, Matt was the director of federal services at Endeavor Systems, where he was responsible for Endeavor’s largest business unit, serving the Federal Aviation Administration, Department of Homeland Security and some of the world’s largest security operations centers. He was also a Senior Manager in the Australian Department of Defense, where he represented Australasia on the Common Criteria Management Board.

Matt has a Bachelor of Engineering in computer engineering from the University of Canberra in Australia, and a Master’s in engineering management from George Washington University. He also is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).