
Are you National Institute of Standards and Technology (NIST) 800-53 compliant?

NIST describes United States federal government policies, procedures, and guidelines for information system security.

VoicenData Bureau

Although we’re in the cloud age, and most companies run workloads in the cloud and know that cyber-attacks and cyber-crime are increasing day by day, not all of them are able to keep up with information security and privacy. Many also lack the in-house cybersecurity expertise to build their own security team, processes and systems to protect, secure and monitor every asset in their infrastructure.


That’s why we have frameworks and standards: follow one, and you can say that you are “compliant” with it. The framework discussed in this blog is NIST Special Publication 800-53, specifically revision 5 (NIST 800-53 rev5).

So, what is NIST, and what is NIST 800-53?

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce; under FISMA it is responsible for developing the information security standards and guidelines that federal agencies must follow. NIST publishes standards in many fields, including the Cybersecurity Framework (the Framework for Improving Critical Infrastructure Cybersecurity) aimed at organizations of all sizes. This post focuses on a different and far more detailed document: NIST Special Publication 800-53 revision 5 (NIST SP 800-53 rev5), the catalog of security and privacy controls.


SP 800-53 belongs to NIST’s Special Publication 800 series, which carries its research, guidelines and outreach on information systems security and privacy. Revision 5, published in 2020, integrates privacy controls into the same catalog as the security controls rather than treating privacy as an add-on, and presents the catalog as a foundation onto which organizations layer the controls they need to strengthen and support the federal government and every sector of critical infrastructure.

Why NIST 800-53 rev 5?

The main goals of the development of rev5 of NIST 800-53 are as follows:


1.  Providing a comprehensive and flexible catalog of controls for current and future protection that keeps pace with changing technology and threats

2.  Helping organizations identify the security and privacy controls needed to manage risk and satisfy the requirements of FISMA, the Privacy Act of 1974, OMB policies and the applicable Federal Information Processing Standards (FIPS), among others

3.  Improving communication among organizations by providing a common guideline that supports the discussion of security, privacy, and risk management concepts


Although it was written for federal systems, the catalog is sector- and vendor-neutral, so any private organization can adopt its wide range of privacy and security control families to protect its own information.

Who should be compliant with NIST 800-53?

NIST 800-53 is mandatory for federal information systems and the agencies that operate them (under FISMA; national security systems follow separate guidance). Contractors and cloud service providers that process federal information or run systems on the government’s behalf are typically required by contract to meet the same controls; FedRAMP, for example, builds its cloud authorization baselines directly on NIST 800-53.


However, because the catalog is a concrete set of guidelines for implementing, improving and maintaining security and privacy best practices, it is equally usable by commercial entities, including industry partners that produce component products and systems and vendors that build security and privacy technologies.

Even if you are not required to comply with NIST 800-53, anyone operating in the public cloud should maintain compliance with a framework that fits the business’s requirements. A control catalog like NIST’s helps deter account takeovers and data breaches, which often trace back to misconfigurations that nobody had visibility of.

The Controls


NIST 800-53 rev5 defines roughly 300 base controls, many of which carry additional control enhancements, distributed among 20 control families. The controls are designed to achieve a consistent level of protection and to strengthen integrity across federal information systems.

ID | Control family | Summary
---|---|---
AC | Access Control | Access management, account management, system privileges.
AT | Awareness and Training | User training on security threats, training for privileged users.
AU | Audit and Accountability | Audit policies and procedures, audit logging, audit report generation, and protection of audit information.
CA | Assessment, Authorization, and Monitoring | Execution of security assessments, authorizations, continuous monitoring, and system interconnections.
CM | Configuration Management | Changes to the information system, component inventories, and security impact analysis.
CP | Contingency Planning | Contingency plan testing, updating, training, backups, and system reconstitution.
IA | Identification and Authentication | Identification and authentication of organizational and non-organizational users.
IR | Incident Response | Incident response training, testing, monitoring, reporting, and the response plan.
MA | Maintenance | Maintaining organizational systems and the tools used to do so.
MP | Media Protection | Media access, marking, storage, transport policies, sanitization, and defined organizational media use.
PE | Physical and Environmental Protection | Physical access authorizations, monitoring, visitor records, power, lighting, fire protection, and water damage protection.
PL | Planning | Security and privacy plans for the system, social media use, networking restrictions.
PM | Program Management | Infrastructure plan, information security program plan, risk management strategy, and enterprise architecture.
PS | Personnel Security | Personnel screening, termination and transfer, access agreements, sanctions.
PT | Personally Identifiable Information Processing and Transparency | Personally identifiable information across the information life cycle.
RA | Risk Assessment | Security categorization, risk assessment, vulnerability scanning.
SA | System and Services Acquisition | System documentation controls, development configuration management controls, and developer security testing and evaluation controls.
SC | System and Communications Protection | Boundary protection, protection of information at rest, cryptographic protection, denial of service protection.
SI | System and Information Integrity | Malicious code protection, system monitoring, security alerts, software and firmware integrity, and spam protection.
SR | Supply Chain Risk Management | Supply chain risk management processes, tools and methods.

Table: The Controls

Are you compliant?

When we talk about frameworks or standards, it all comes down to being compliant with them. Now that we know what NIST 800-53 is and what its control families cover, it’s time to check whether we’re compliant or not.

Onboard your cloud environment to Check Point CloudGuard and it reports the compliance posture of that environment against NIST 800-53 rev5.

Tips and tricks

Here are some tips that simplify adherence to the NIST 800-53 rev5 framework.

1.  Create organization-wide policies and procedures for security and privacy best practices.

2.  Categorize your data – Sensitive, non-sensitive, public, etc.

3.  Develop and maintain processes to manage assets, user privileges, network access, etc.

4.  Train and spread awareness to all the users/employees about the organization’s policies and procedures.

5.  Finally, treat compliance as a continuous state rather than a one-time audit: monitor for drift from the controls and remediate it as it appears.

Summary

NIST describes United States federal government policies, procedures, and guidelines for information system security. NIST 800-53 rev5 explains the need for, and gives guidelines on, implementing, maintaining and improving information security and privacy. It has roughly 300 base controls spread across 20 families, which organizations select and tailor according to the nature and impact level of their systems (the companion publication SP 800-53B defines the low, moderate and high baselines). Even though NIST compliance is mandatory only for federal systems, any government or private organization can benefit from this framework.

By Amardip Deshpande – CloudGuard, Research Team, CPR
