Edwin Amuga
6 min read · Jun 21, 2022

Review of NIST Special Publication 800–53

Abstract

The privacy and security controls in federal government organizations are imperative for the protection of information systems and organizations. This paper reviews NIST Special Publication 800–53. The publication provides a catalog to guide the selection of security and privacy controls that protect the nation, individuals, the assets of organizations and other organizations, and all aspects of federal organizational operations (reputation, mission, image and functions) against a gamut of threats such as cyber attacks, human errors, structural failures and natural disasters. The privacy and security controls proposed in the publication can be customized and implemented at the organizational level to address security and privacy requirements and critical infrastructure, in tandem with relevant federal laws, policies, directives, standards, regulations, executive orders and business needs. The publication also guides the development of control sets or overlays for an organization, and addresses security from both the assurance and the functionality perspective to ensure that the information systems and information technology products developed are trustworthy.

Objectives of the Special Publication

The publication’s main objective is to offer guidelines for selecting and specifying security controls for organizational information systems, so that federal government agencies can meet the requirements of FIPS Publication 200, The Minimum Requirements for Federal Information and Information Systems. Federal agencies must adhere to these guidelines when processing, storing, and transmitting national information. The guidelines aim to strengthen and secure information systems and to manage the federal government’s risks effectively through various means.

The guidelines aim to achieve information system security by facilitating a more consistent, repeatable, and comparable means of selecting and specifying information system controls. They also seek to achieve this by offering a stable yet flexible security control catalog that matches information protection standards and requirements, since future protections will be based on changing technologies, threats and requirements. The guidelines also seek to recommend information system security controls that meet the FIPS Publication 199 standards, and to provide a foundation for developing effective procedures and methods for assessing security controls. Furthermore, the guidelines aim to improve inter-organizational communication by providing a standard lexicon to support discussion of risk management concepts. The guidelines apply to all federal information systems except those classified as national security systems.

Other objectives of the publication include providing a set of controls for information security program management that is implementable at the organizational level rather than directed at an individual organizational information system. The publication provides a privacy control set based on international standards and best practices to aid organizations in enforcing privacy requirements that follow federal legislation, standards, policies, directives, and regulations. Adopting the concepts proposed by the publication will help national organizations implement more cost-effective, risk-based privacy controls.

Publications Process Steps and Definition of the Steps

An organization seeking to select specific security controls does so to manage risks to organizational assets and operations, the nation, individuals, and other organizations associated with the particular organization’s functions. Setting up security controls based on a risk prevention and management approach considers efficiency, effectiveness, and constraints arising from applicable laws, policies, executive orders, federal laws, guidelines, standards, and regulations (Joint Task Force, 7). A three-tier approach is used to integrate risk management processes in an organization and address the business’s concerns, mission and vision. This approach addresses risks at three levels: the organizational level, the business and mission level, and the information system level. Organizational risk management is done at all three levels to continuously improve the management of activity-related risks within and outside the organization, and to improve intra- and inter-organizational communication among stakeholders with common interests, missions, and business activities.

The first tier, the organization level, prioritizes the organizational mission and the business activities and functions that determine investment and funding decisions to promote cost-effectiveness. The efficiency of information technology solutions is kept consistent with corporate strategic goals, objectives, and performance measures.

The second tier, mission/business processes, defines the business and mission processes necessary for underpinning the organization’s business functions and mission. This tier also determines the security categories of the information systems essential for executing business processes and tasks. It incorporates information security requirements into the business processes and mission, and it establishes the organizational enterprise architecture and information security architecture to facilitate the allocation of security controls to corporate information systems and their environments.

The third tier, information systems, is a risk management framework that involves six steps. The first is categorizing the information system with regard to the laws, guidelines, policies, directives, strategic goals and objectives, information security requirements, and resource availability and priorities. The second step, which the publication focuses on, is selecting security controls according to FIPS 200 and SP 800–53. The third step is the implementation of security controls with regard to SP 800–160. The fourth step is the assessment of security controls following SP 800–53A. The authorization of information systems according to SP 800–37 is the fifth step, whereas the sixth and final step monitors the security controls according to SP 800–137. The risk management framework addresses organizational security concerns relating to the design, development, implementation, operation, and disposal of information systems, and the environment in which the systems operate (Joint Task Force, 8).

Structure of Security Controls

The publication describes security controls with a well-defined structure and organization. The security controls are organized into eighteen families to make security control selection and specification easier to use. Every family covers a general security topic related to its controls. The structure uses a two-character identifier for each security control family, for example personnel security. Security controls encompass supervision, policy, oversight, individual actions, manual processes, and automated mechanisms in information devices and systems. The families are: access control, media protection, awareness and training, planning, audit and accountability, system and communication protection, physical and environmental safety, contingency planning, personnel security, risk assessment, security assessment and authorization, program management, maintenance, incident response, identification and authentication, services and system acquisition, system and communication protection, and configuration management (Joint Task Force, 9).

The security control structure comprises the control section, the supplemental guidance section, the control enhancement section, the references section, and the baseline allocation and priority section. The control section prescribes the security-related activities and actions carried out by the information systems and the organization. The supplemental guidance section gives non-prescriptive additional information specific to the control, to help define, develop, and implement it. The control enhancement section provides statements of security capability that add functionality and specificity to the control and increase its strength. The references section lists the directives, federal laws, executive orders, regulations, policies, standards, and guidelines applicable to the individual security control. The baseline allocation and priority section contains recommended codes used for making sequencing decisions during the implementation of security controls, together with the initial allocation of the control and its enhancements to baselines.

Security Baselines

Organizations strive to mitigate the risks arising from information use and information systems in order to execute business functions and pursue their mission. In mitigating these risks, organizations have difficulty finding the most cost-effective and appropriate security controls for efficiency and for compliance with the security requirements defined by the relevant laws, policies, directives, executive orders, guidelines, and standards (Joint Task Force, 12). The concept of baseline controls helps organizations select appropriate security controls for their information systems. Appendix F of the publication lists safeguards and countermeasures for information systems and organizations that facilitate compliance with relevant directives, federal laws, executive orders, regulations, policies, standards, and guidelines.

Documenting the Process of Control Selection

Organizations document the decisions made during the security control selection process and provide a logical, evidence-based rationale for those decisions (Joint Task Force, 42). The documentation is vital for examining the security considerations of an organization’s information systems in relation to its business and mission. Documentation of the control selection process follows a set of steps and guidance: identifying and designating standard rules, applying scoping considerations, selecting compensating controls, assigning values to security control parameters, supplementing the baseline security controls, and providing additional implementation information. The rationale recorded in the documentation must show that the selected information system security controls provide sufficient protection for operations, assets, individuals, other organizations, and the nation.

Bibliography

Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800–53, pp. 8–13.