Archive for 800-53


New Insider Threat Controls in 800-53 rev4 DRAFT

NIST is working on a DRAFT revision to 800-53 controls that is known as rev4. The new controls include materials related to insider threats. PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to […]

New OPSEC Controls in 800-53 rev4

NIST SP 800-53 includes the catalog of security controls that form the core of the “security bible” that is required guidance for federal agencies. NIST periodically reviews the list of controls and updates them. They are currently in the process of taking public comments on the latest revision (rev4) before they go “final”. Included in […]

Cloud Security as an Interconnection

Connecting your information system to a cloud is an interconnection. NIST guidance on handling the security of interconnections is documented in SP 800-47 “Security Guide for Interconnecting Information Technology Systems”. The security protections required for an interconnection will depend upon the nature of the connection being established. If the connection uses a clearly limited profile […]

Agile Defense with NIST Controls

Agile Defense In the past, information systems security often focused simply on perimeter defense, wrongly assuming that a strong perimeter was the only defense needed. Then, as regulations became more complex and more legal, infosec became more “compliance-centric”, trying to pass the security audits required by law. Compliance oriented security produces reams of paperwork and […]

Continuous Monitoring

Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be […]

Federal Cyber-Security

NIST (National Institute of Standards and Technology) has provided Federal Agencies with all the tools they need to get cyber-security done right. But obviously, it’s not being done right yet at most agencies. Why not? Failure to understand the threat level – this was certainly once the top problem… maybe not so much anymore with […]

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site. [note – IPD means the document is in “draft” mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months […]

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family: 800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES Control: The organization develops, disseminates, and periodically reviews/updates: (i) […]

Supplementing Controls

After the baseline of security controls has gone through the tailoring process of scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simply add restrictions to already existing controls. There […]

Tailoring Controls

NIST SP 800-53 sets terms and conditions for tailoring the security control baseline to organizational and operational needs. There are three specific areas addressed, as follows: Scoping Guidance, Compensating Controls, and Organizationally Defined Parameters. Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed: Common Controls Common Controls […]