Why we use NIST 800-53 as our base-level Security Standard
The SPIO platform helps small companies build, mature, and document their security programs. We designed the SPIO platform around the NIST 800-53 standard. It's the model for the policies, training, and task buckets we’ve created for our clients to use. Our clients don't have to start with NIST 800-53, but we believe it is a useful jumping-off point for most small companies. Using it as the model provides an effective roadmap toward developing a robust security program that complies with many common information security standards.
Here’s why we use it as a baseline standard and how it helps small companies achieve compliance.
BUT FIRST, A BRIEF HISTORY OF NIST 800-53
First titled "Recommended Security Controls for Federal Information Systems," NIST 800-53 was initially published in 2005. Its purpose was to improve the security of the information systems of federal agencies. To achieve this, the publication provided guidelines for selecting and specifying security controls.
NIST 800-53 Rev. 3 (2009) was its first major revision. The changes included updating security control baselines to reflect evolving threats, providing recommendations on prioritization of security controls, and more closely aligning NIST 800-53 with other standards.
As part of its fourth revision, in 2013 the publication was renamed "Security and Privacy Controls for Federal Information Systems and Organizations". This revision expanded its scope beyond civilian agencies to the Department of Defense and the Intelligence Community. It also expanded the scope of threats addressed. For example, security controls were added to address mobile and cloud computing, supply chain security, and insider threats.
NIST 800-53 Rev. 4 remains in effect until September 23, 2021, when NIST 800-53 Rev. 5 will take effect. In Rev. 5, the control selection process and baseline sections have been moved to other special publications, so NIST 800-53 itself focuses on the control families and controls themselves. The goal in moving selection and baseline guidelines elsewhere is to give different organizations greater flexibility in determining which controls to use in their security program.
The updated control families and control list have been reorganized and expanded. For example, there are now control families specifically for privacy and supply chain risk management. Overall, revision 5 has 20 control families (up from 18) and over 1000 controls (up from 800).
WHY NIST 800-53 MAKES A GOOD BASELINE STANDARD
It isn't enough to have strong security; your company must also be seen to have strong security. We wanted our platform to help small companies achieve both. We decided to build our platform so our clients could show third parties that their security program aligns with a well-known security standard.
The question at the time was this: Which widely accepted security standard do we use? We chose NIST 800-53 because it is:
Broad and comprehensive. Many standards have a narrow focus. For example, SOC 2 applies to service organizations and PCI DSS applies only to credit card transactions. These are valuable security standards within their sphere, but they're too specific to work as a baseline.
Open and accessible. Anyone can download all the NIST publications, including NIST 800-53 and its related publications. Other broad standards, like the ISO standards, come with significant licensing fees. Ultimately, those fees would raise the cost of the platform for small companies. More importantly, openness means everyone knows what's in the NIST standards. Companies can demonstrate their compliance without paying for costly certification or auditor services.
Upstream from many other security standards. Many other common standards are derived from NIST 800-53. CMMC, FedRAMP, and NIST 800-171 are just a few. With so many standards flowing from 800-53, it's a strong foundation for achieving compliance with other standards. The SPIO platform maps security tasks across most common standards. So as our clients work through task lists based on 800-53, they see how those tasks map to the requirements of other standards.
Prescriptive and flexible. NIST 800-53 and its related publications provide a methodology companies can use to guide their selection of controls, together with a detailed list of controls. Other standards, like SOC 2, outline the domains that companies must address but don't offer much specific guidance on how to do it. NIST 800-53 is designed with a variety of controls so that each company has the latitude to make its individual choices while still remaining within the standard.
Our choice of NIST 800-53 as the SPIO platform base-level standard doesn't mean it's perfect. No security standard is. For example, because it's so broad, it can also seem overwhelming. Companies can avoid being overwhelmed by working with a platform like ours, which breaks 800-53 into task buckets they can work through sequentially. On balance, NIST 800-53 creates a solid foundation for establishing and maturing a security program.
WHAT MEETING NIST 800-53 MEANS FOR YOUR BUSINESS
The breadth of NIST 800-53's scope and its extensive list of controls provide a practical roadmap for continuous, incremental security improvement. Making progress through each of its control families strengthens your security posture. Its comprehensiveness ensures that you work through all the critical security questions you need to address.
Meeting the NIST 800-53 standards does more than improve your security program. It also improves your company’s security compliance with a broad range of common security standards. The fact that so many other security standards are downstream from 800-53 means complying with it takes you a long way towards complying with other standards.
Security compliance is the "being seen" part of maintaining a strong program. Potential partners and customers may want to see your level of CMMC compliance, a SOC 2 report, or evidence of alignment with some other popular security standard. Even those that don't require a formal certification or an audit report often want to see proof of a solid security program that aligns with a well-known standard.
The SPIO compliance management software helps provide that proof. Each task is cross-referenced with the corresponding requirements in many standards. As your company progresses through tasks based on the NIST 800-53 framework, you're also checking off the aligned requirements in other standards. Your SPIO dashboard shows your progress against all the applicable standards.
If your company does a good job with NIST 800-53, then you've eased your path to certification or to passing an audit. Each auditor or certifier has their own interpretation of the control framework and their own checklist of what they want to see. So most companies still have some work to do to satisfy the certifier or auditor before certification is granted or the audit is complete. The question is how much work.
When you've already made good progress through many of the 800-53 control families, your company will have most of that work done. You don't have to start from scratch when a potential customer wants to see how well you comply with their preferred standard. Nor will you have to suffer extensive delays to prepare for certification or an audit since you’ll have completed so much of the work by complying with NIST 800-53.
GETTING STARTED WITH NIST 800-53
Because 800-53 is such a broad standard, we start by assessing our clients’ security goals. Then we have them get started in our system by adopting security policies on different issues. From there, tasks within the 800-53 framework are organized in buckets around those IT security policy areas. This approach lets them build towards their goals over time and in a manageable way.
Sometimes a company really wants to ease into building a security program before jumping into a comprehensive standard like 800-53. In those cases, we start with a small group of well-defined tasks, like setting up multi-factor authentication, setting up a program to track data shared with partners, and conducting employee security awareness training. It’s a core of quick wins that build confidence to move to a more formal, complex security standard.
NIST 800-53 IS THE BASELINE FOR CONTINUOUS IMPROVEMENT
Meeting the requirements of 800-53 provides a solid foundation, but the truth is that managing your security program is an ongoing project. You’re never done. But if you start making progress now and grow as the standard and its controls evolve, you will reach a maintenance state. In a maintenance state, you re-assess tasks previously completed and add new tasks aligned with new control families. Your company continues to make progress against more standards and to raise the quality of its security program.