Choosing the Proper NIST Standard

This article details the three NIST templates available in myITprocess: Special Publication 800-53, 800-171, and the Cybersecurity Framework (CSF).

The National Institute of Standards and Technology (NIST) sets and maintains standards and best practices for various domains. As a regulatory authority, they are the de facto standard of best practices—at least in the United States. Federal and state governments often rely on and map rules, regulations, laws—almost anything requiring oversight—to NIST Special Publications (SPs). It is the intention of these publications to set the standard.

As of this writing, myITprocess has three templates available for NIST-specific compliance:

  • 800-53 - Recommended Security Controls for Federal Information Systems and Organizations
  • 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • CSF 1.1 - Framework for Improving Critical Infrastructure Cybersecurity

Each template has its own purpose, and any one of them used in isolation may not make sense. But when a regulation like the Federal Risk and Authorization Management Program (FedRAMP) establishes its objectives, it uses the NIST 800-53 security controls as the baseline and adds to them to address the unique elements of cloud computing. Understanding the differences between the three standards helps decide how best to assess a customer for a particular compliance program.

NIST 800-53 - Recommended Security Controls for Federal Information Systems and Organizations

In 2002, the Federal Information Security Management Act (FISMA) was signed into law in the United States. The legislation aims to define a comprehensive framework to protect government information, operations, and assets against natural and man-made threats. The purpose of this legislation is to assign responsibilities to various government agencies to ensure the security of data in the federal government. This is where SP 800-53 comes into play.

NIST outlines nine steps towards compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.

FISMA compliance is achieved directly through the security controls set out in 800-53. Each control is specifically designed to secure data within the federal government. The nine steps listed by NIST frame how each control is selected, implemented and monitored, and help organizations follow the 2002 law.

800-53 Abstract:

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy.

The 800-53 Special Publication has gone through many versions and at the time of this writing is on revision 4. Revision 5—which was due to be finalized December 2018—is still in draft form with no specified date for publication. Revision 5 will remove the “federal” from the title to state that these regulations are applicable to all organizations, public and private.

When is the right time to use 800-53? FISMA covers federal institutions and their information systems. In some cases, 800-53 also applies to contractors that operate federal systems, such as those providing a cloud hosting platform. One example of such use is the Federal Risk and Authorization Management Program (FedRAMP).

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments.

Is FedRAMP mandatory?

Yes, FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception. Additionally, Agencies must submit a quarterly report in PortfolioStat listing all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions for achieving compliance.

How will FedRAMP help make cloud computing more secure for the federal government?

FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.

It is safe to say that when a customer is either a federal agency or a contractor that hosts federal data, 800-53 applies to them. When uncertain, always default to the strictest guidelines for securing information systems, and contact the proper federal and state agencies to confirm compliance with specific regulations.

The myITprocess Template

The NIST 800-53 template is a word-for-word copy of the official publication. The TruMethods team has performed no interpretation or definition of terms. This is intentional, so as not to imply an interpretation of the regulation, and leaves interpretation up to the member. If TruMethods defined the security controls, we would in turn be defining the process, which is not the intention.

The screenshot above shows the direct transition to the Standards Library. The security controls and definitions remain intact for self-interpretation and implementation. While this may seem confusing or ineffective to some members, the goal is simply to make these publications available in myITprocess format. Each category and question is editable to the user’s liking.

When To Use This Template

Federal agencies use 800-53 to meet the Federal Information Processing Standards (FIPS) 200 requirements. Unless a customer is a federal agency, this template will likely not apply to them. Even though it is specific to government agencies, the framework has its uses in other industries’ information security programs and deserves attention.

Resources

Regulatory Authority | Name of Publication | Link to Information
NIST | SP 800-53 Rev. 4 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
FedRAMP | Security Assessment Framework | https://www.fedramp.gov/about/
FISMA | FISMA Act | https://www.dhs.gov/cisa/federal-information-security-modernization-act


NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

While it is vital for federal agencies to secure their data, it is equally important for contractors to protect information. NIST 800-171 aims to protect Controlled Unclassified Information (CUI) on Nonfederal systems by establishing a framework like 800-53. The controls in the 800-171 framework relate to 800-53 but are more generalized. This allows more flexibility for smaller organizations to adopt similar security controls.

NIST 800-171 has increased in popularity due to mandated compliance with the framework by December 2017. The US Department of Defense sets the requirements for organizations handling CUI. Manufacturers and their subcontractors must enact the IT security framework to bid on new (government) business opportunities.

Like 800-53, the 800-171 framework allows an organization to self-certify—meaning they comply on the honor system. There is no agency that performs an assessment and grants a seal of approval. But an audit may occur at any time for those required to comply. Security controls from 800-171 can be mapped to 800-53, using 800-171 as a baseline from which to work toward 800-53.

NIST 800-171 Abstract:

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

NIST 800-171 security controls are the core framework for the Defense Federal Acquisition Regulation Supplement, or DFARS, which applies to all Department of Defense contractors that process, store, or transmit CUI. Non-compliance by December 2017 puts a contractor at risk of losing DoD contracts.

DFARS sets a minimum threshold for cybersecurity requirements, all of which map directly to NIST 800-171.

DFARS provides a set of “basic” security controls for the contractor information systems on which this information resides. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rule and clauses can be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm

The myITprocess Template

The template for 800-171 is like 800-53 in that each security control comes directly from the source. There has been no interpretation or definition of terms for any of the questions. This omission is by design, not an oversight. A service provider should come to their own conclusions and interpret how each question fits their customer’s needs.

The screenshot above shows how the 800-171 template is displayed in myITprocess. Note that the question text and other fields are unaltered from the original publication.

When To Use This Template

Although the Department of Defense mandated these requirements for its contractors, the template has relevant uses outside of government agencies. Contractors store, process, and send Controlled Unclassified Information in nonfederal systems and organizations. Since it deals with contractors and not the agencies themselves, the 800-171 framework applies to most third-party businesses.

The 800-171 framework is ideal for generalized protection. It does not replace industry-specific compliance requirements like PCI or COBIT. If a medium to large business is interested in hardening its systems—as a government contractor or not—this template is a potentially good choice.

Resources

Regulatory Authority | Name of Publication | Link to Information
NIST | SP 800-171 Rev. 1 | https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
DFARS | Defense Federal Acquisition Regulation Supplement | https://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html
DFARS/800-171 Compliance | DFARS Cybersecurity Requirements | https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance


CSF 1.1 - Framework for Improving Critical Infrastructure Cybersecurity

The Cybersecurity Framework (CSF) is another framework developed by NIST, under Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", released in February 2013. These standards are intended to address critical US infrastructure such as energy production, water and food supplies, and transportation. These industries are targeted by nation-state actors because of their strategic importance to US infrastructure.

The focus of the CSF is risk analysis and management. The security controls included in the framework are organized by the phases of risk management:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recovery

Each phase requires heavy involvement by the organization’s management, which is a major key to success in any information security program. The structure of the CSF is useful to a wider set of organizations across many industries with varying security requirements. Even though NIST developed these standards under an Executive Order, they have not replaced, and are not planned to replace, other regulations like 800-53 and 800-171.

As of this writing, the NIST CSF is at version 1.1. An abstract of the framework is as follows.

The Framework for Improving Critical Infrastructure Cybersecurity focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

NIST offers a resource called “Cybersecurity Framework Steps for Small Manufacturers” which outlines how the CSF is beneficial for small to medium-sized manufacturers. The framework centers around preventing cyber attacks because many of these companies do not have adequate preventive measures in place. The resource indicates Five Steps to Reduce Cyber Risks:

 

The myITprocess Template

Like the previous templates, the CSF questions are a direct copy from the source. The language used is plainer English and a bit easier to follow, likely because the framework is aimed at a wider audience that may not have auditing experience.


When To Use This Template

The CSF focuses on cybersecurity risk analysis and risk management. As mentioned before, the framework addresses vulnerabilities in critical US infrastructure that nation-state actors could exploit. The security controls follow the defined phases of risk management: identify, protect, detect, respond, and recovery. This simpler, structured process gives flexibility to a wider set of organizations and is useful to a business of any size that is exposed to cyber threats.

Resources

Regulatory Authority | Name of Publication | Link to Information
NIST | Cybersecurity Framework | https://www.nist.gov/cyberframework
NIST/MEP | Cybersecurity Framework Steps for Small Manufacturers | https://www.nist.gov/mep/cybersecurity-resources-manufacturers/nist-cybersecurity-framework