Regulatory and standards frameworks that organizations must navigate to ensure security, privacy, and operational efficiency.
Each compliance standard and regulation exists to protect sensitive information, strengthen security, and preserve the trust and safety of stakeholders in its industry. Compliance is often mandatory, and failing to meet these standards can result in significant financial penalties, lost business opportunities, and reputational damage.
ThreatFend will work with you to meet the standards that apply to your industry.
NIST (SP 800-53 and SP 800-171)
Targeted Industries: Federal agencies, government contractors, defense contractors, and businesses handling sensitive government data.
Importance: NIST publishes the Cybersecurity Framework (CSF) and a series of Special Publications, notably NIST SP 800-53 (the control catalog for federal information systems under FISMA) and NIST SP 800-171 (requirements for protecting Controlled Unclassified Information in nonfederal systems). Implementing these controls establishes a defensible security baseline and is frequently a condition of federal contracts.
NIST SP 800-53 Rev. 5 is a catalog of 1,189 controls and control enhancements organized into 20 control families. Each family has a two-letter identifier (AC, AT, AU, ...) and its controls are numbered within it (AC-1, AC-2, ...); most families begin with an xx-1 Policy and Procedures control, and many base controls carry optional control enhancements that a baseline may require.
Control Family 1 - Access Control
The NIST 800-53 Access Control family governs who and what may access systems and information, and what they may do once access is granted.
The Access Control family covers account management (AC-2), access enforcement (AC-3), information flow enforcement (AC-4), separation of duties (AC-5), least privilege (AC-6), unsuccessful logon attempts (AC-7), device lock and session termination (AC-11, AC-12), remote access (AC-17), wireless access (AC-18) and access from mobile devices (AC-19). Verifying a user's claimed identity belongs to the separate Identification and Authentication family, and non-repudiation (AU-10) to Audit and Accountability; Access Control is about the authorization decision and its enforcement, so that only authorized subjects can reach sensitive information, and only with the privileges they actually need.
NIST SP 800-53 Rev. 5 defines 25 base controls in the Access Control family (AC-1 through AC-25); most of them carry optional control enhancements.
Control Family 2 - Awareness and Training
The Awareness and Training NIST 800-53 control family ensures that the people who use, operate and build information systems are trained to do so securely.
The Awareness and Training family requires organizations to deliver security and privacy literacy training to all users (AT-2), including recognizing social engineering and insider threat indicators, and role-based training (AT-3) for personnel with security-relevant responsibilities such as administrators and developers. It also requires that training records be kept and retained (AT-4) so that completion can be demonstrated to assessors.
Because phishing and other social engineering remain a primary initial-access vector, this family is a direct control on breach likelihood, not just a paperwork requirement.
NIST SP 800-53 Rev. 5 defines 6 base controls in the Awareness and Training family (AT-1 through AT-6).
Control Family 3 - Audit and Accountability
The Audit and Accountability NIST 800-53 family covers the generation, protection, retention and review of audit logs.
The Audit and Accountability family requires organizations to decide which events must be logged (AU-2), what each record must contain (AU-3: what happened, when, where, the source, the outcome and the identity involved), to allocate sufficient log storage (AU-4) and to define what happens when logging fails (AU-5). Logs must be reviewed, analyzed and reported on (AU-6), carry reliable time stamps from a synchronized clock (AU-8), and be protected from unauthorized access, modification and deletion (AU-9), including restricting log access to privileged users and, where required, using cryptographic protection or storage on a separate system. Records must be retained for a defined period (AU-11), and the logging capability itself must exist on the components that need it (AU-12).
Together these controls are what make a log usable for reconstructing past events: an incident responder can only trust a timeline if the records are complete, time-consistent and demonstrably untampered. Central collection and correlation of logs is an enhancement in this family (AU-6(3)) rather than a requirement of the base controls.
NIST SP 800-53 Rev. 5 defines 16 base controls in the Audit and Accountability family (AU-1 through AU-16).
Control Family 4 - Assessment, Authorization, and Monitoring
The Assessment, Authorization and Monitoring family covers how security and privacy controls are assessed, how systems are authorized to operate, and how controls are monitored over time.
The control objective of this family is to establish that controls are implemented correctly, operating as intended and producing the desired outcome, and that they remain so over time.
This family includes: assessing controls against an assessment plan and, where called for, with independent assessors (CA-2); documenting and authorizing information exchanges with other systems (CA-3); tracking weaknesses in a plan of action and milestones (CA-5); having a senior official formally authorize the system to operate and accept the residual risk (CA-6); continuous monitoring of control effectiveness (CA-7); penetration testing (CA-8); and authorizing internal system connections (CA-9). Incident records and investigation belong to the Incident Response family, not here.
By implementing these activities, organizations replace a one-time accreditation with ongoing evidence that their security and privacy controls are effective in protecting their systems and data.
NIST SP 800-53 Rev. 5 defines 9 base controls in the Assessment, Authorization, and Monitoring family (CA-1 through CA-9).
Control Family 5 - Configuration Management
The Configuration Management family contains controls to establish, manage and assess the configuration of software and systems.
The Configuration Management family requires a baseline configuration for each system (CM-2), formal change control with a security impact analysis before changes are approved (CM-3, CM-4), restrictions on who may make changes (CM-5), documented secure configuration settings such as hardening benchmarks (CM-6), least functionality, meaning unnecessary services, ports and software are disabled and software execution is restricted by allow or deny lists (CM-7), an accurate component inventory (CM-8), and control over user-installed software (CM-11).
This family matters because many exploitable weaknesses in practice are configuration drift, unneeded exposed services or undocumented changes rather than novel flaws. A known-good baseline makes unauthorized change detectable, and change control makes changes reviewable and reversible.
NIST SP 800-53 Rev. 5 defines 14 base controls in the Configuration Management family (CM-1 through CM-14).
Control Family 6 - Contingency Planning
The Contingency Planning NIST 800-53 control family contains controls to keep essential missions and business functions running, and to restore systems, when a disruption occurs.
The Contingency Planning family requires a contingency plan for each system that identifies essential functions, recovery objectives and restoration priorities (CP-2), training and testing of that plan (CP-3, CP-4), alternate storage and alternate processing sites (CP-6, CP-7), alternate telecommunications services (CP-8), system backups whose confidentiality and integrity are protected and whose restoration is tested (CP-9), and recovery and reconstitution of the system to a known state (CP-10). Identifying and rating the risks themselves is the job of the Risk Assessment family; Contingency Planning is about what happens once a disruption is assumed.
A tested plan and verified backups are what turn an outage or a ransomware event into a recoverable incident rather than an existential one; a backup that has never been restored is an assumption, not a control.
NIST SP 800-53 Rev. 5 defines 13 base controls in the Contingency Planning family (CP-1 through CP-13).
Control Family 7 - Identification and Authentication
The Identification and Authentication family contains NIST 800-53 controls for establishing and verifying the identities of users, processes and devices before access is granted.
The Identification and Authentication family requires organizational users to be uniquely identified and authenticated (IA-2), with multifactor authentication for privileged and non-privileged accounts and for network access, so that a single stolen password is not enough to get in. It also requires devices to be identified and authenticated before they join a network (IA-3), management of identifiers (IA-4) and of authenticators such as passwords, keys and tokens (IA-5), including strength requirements and protection of stored authenticators, obscuring authenticator feedback during login (IA-6), authentication of non-organizational users (IA-8), re-authentication on defined events (IA-11), and identity proofing (IA-12).
This family verifies who or what is requesting access; what that identity is then allowed to do is governed by the Access Control family. NIST 800-53 speaks of device identification and authentication, not device fingerprinting, and does not prescribe a particular mechanism.
NIST SP 800-53 Rev. 5 defines 12 base controls in the Identification and Authentication family (IA-1 through IA-12).
Control Family 8 - Incident Response
The Incident Response family contains NIST 800-53 controls for preparing for, detecting, analyzing, containing, eradicating and recovering from security incidents.
The Incident Response family requires incident response training (IR-2), testing of the incident response capability (IR-3), and an incident handling capability that covers preparation, detection and analysis, containment, eradication and recovery, with lessons learned fed back into procedures and training (IR-4). It also requires that incidents be tracked and documented (IR-5), reported to designated authorities within defined time frames (IR-6), that responders have access to support resources (IR-7), and that a written incident response plan exists and is maintained (IR-8). The goal is to minimize the impact of incidents and prevent recurrence.
By implementing the controls in this family, organizations respond to incidents consistently, preserve evidence and meet reporting obligations rather than improvising under pressure.
NIST SP 800-53 Rev. 5 defines 10 base controls in the Incident Response family (IR-1 through IR-10).
Control Family 9 - Maintenance
The Maintenance family of NIST 800-53 controls governs how system maintenance is scheduled, performed, recorded and supervised, and by whom.
The Maintenance family requires that maintenance and repairs be scheduled, documented and reviewed, and that equipment removed for off-site servicing be sanitized first (MA-2); that maintenance tools be approved, inspected for malicious code and controlled (MA-3); that nonlocal (remote) maintenance sessions use strong authentication and be logged and terminated when complete (MA-4); that maintenance personnel be authorized and that personnel without the required access authorizations be supervised (MA-5); and that maintenance be performed in a timely manner (MA-6). Routine software patching is addressed by flaw remediation (SI-2) in the System and Information Integrity family rather than here.
This family matters because maintenance windows and vendor remote access are a common path to privileged access that bypasses normal controls; treating them as authorized, logged events closes that gap.
NIST SP 800-53 Rev. 5 defines 7 base controls in the Maintenance family (MA-1 through MA-7).
Control Family 10 - Media Protection
The controls in the Media Protection family cover how digital and non-digital media are accessed, marked, stored, transported, sanitized and destroyed.
The Media Protection family restricts access to media to authorized personnel (MP-2), requires media to be marked with distribution limitations and handling caveats (MP-3), requires physically controlled and secured storage (MP-4) and protection during transport outside controlled areas, including accountability for the media and, for digital media, cryptographic protection (MP-5). It requires media to be sanitized before disposal, release out of organizational control or reuse, using techniques appropriate to the media type and the sensitivity of the data (MP-6), and it restricts the use of removable and personally owned media (MP-7). Classifying information by sensitivity is done through security categorization (RA-2); Media Protection applies the handling rules that follow from that classification.
These controls are essential because media leave the perimeter that network controls protect: a lost laptop, an unwiped drive or an unencrypted backup tape is a breach of the data itself.
NIST SP 800-53 Rev. 5 defines 8 base controls in the Media Protection family (MP-1 through MP-8).
Control Family 11 - Physical and Environmental Protection
The controls in the Physical and Environmental Protection family cover how facilities, equipment and the environment around them are protected.
The Physical and Environmental Protection family addresses protection of physical locations such as data centers and server rooms. It includes physical access authorizations and access control at facility entry and exit points (PE-2, PE-3), protection of transmission lines (PE-4) and of power equipment and cabling (PE-9), monitoring and logging of physical access (PE-6), visitor access records (PE-8), emergency power and emergency lighting (PE-11, PE-12), fire protection (PE-13), environmental controls such as temperature and humidity (PE-14), water damage protection (PE-15), control of equipment delivery and removal (PE-16), and alternate work sites (PE-17). By implementing these controls, organizations prevent unauthorized physical access to their systems and protect them from damage due to power loss or environmental hazards; a server an attacker can touch is a server whose logical controls can be bypassed.
NIST SP 800-53 Rev. 5 defines 23 base controls in the Physical and Environmental Protection family (PE-1 through PE-23).
Control Family 12 - Planning
The Planning family of controls covers the development, communication and maintenance of system security and privacy plans and of the rules governing system use.
The Planning family requires a security and privacy plan for each system that describes its authorization boundary, its operational context, its security categorization and how each control is implemented or tailored (PL-2); rules of behavior that users must acknowledge before being granted access (PL-4); a security and privacy architecture describing how the system's protections are designed (PL-8); central management of controls where that is efficient (PL-9); and selection of a control baseline (PL-10) tailored to the system (PL-11).
The goals of this family are to ensure that plans are aligned with organizational objectives, security requirements and risk tolerances, that they address identified risks, and that they are reviewed and updated regularly.
These controls matter because the system security plan is the document an assessor or authorizing official uses to judge every other control; a plan that does not match the deployed system undermines the whole authorization.
NIST SP 800-53 Rev. 5 defines 11 base controls in the Planning family (PL-1 through PL-11).
Control Family 13 - Program Management
The Program Management family contains controls for managing an organization-wide security and privacy program, rather than an individual system.
The Program Management family contains controls that apply at the organization level and are implemented independently of any single system. They include maintaining an information security program plan (PM-1) and a privacy program plan (PM-18), appointing senior officials responsible for the security and privacy programs (PM-2, PM-19), ensuring those programs are resourced (PM-3), running an organization-wide plan of action and milestones process (PM-4), maintaining a system inventory (PM-5), defining measures of performance (PM-6), a risk management strategy (PM-9) and risk framing (PM-28), defining mission and business processes (PM-11), an insider threat program (PM-12), a threat awareness program for sharing threat intelligence (PM-16), a supply chain risk management strategy (PM-30), and a continuous monitoring strategy (PM-31).
Taken together, these controls establish that security and privacy are run as a program with leadership, budget, inventory, metrics and a risk strategy, so that system-level controls are not implemented in isolation. Because they are organizational, they are typically assessed once for the organization rather than once per system.
NIST SP 800-53 Rev. 5 defines 32 base controls in the Program Management family (PM-1 through PM-32).
Control Family 14 - Personnel Security
The Personnel Security family of controls covers how people are screened, managed and off-boarded in relation to their access to systems and information.
The Personnel Security family requires that positions be assigned a risk designation and screening criteria (PS-2), that individuals be screened before being granted access and rescreened as needed (PS-3), that access be revoked and property recovered when personnel are terminated (PS-4) and reviewed when they are transferred (PS-5), that personnel sign access agreements such as non-disclosure and acceptable-use agreements (PS-6), that the same requirements be applied to contractors and other external providers (PS-7), that sanctions exist for policy violations (PS-8), and that position descriptions include security and privacy roles and responsibilities (PS-9).
This family is the primary control against insider threat at the people layer: screening limits who gets access, and timely termination and transfer procedures close the common gap of accounts that outlive their owner's role.
NIST SP 800-53 Rev. 5 defines 9 base controls in the Personnel Security family (PS-1 through PS-9).
Control Family 15 - PII Processing and Transparency
The controls in the PII Processing and Transparency family govern the legal authority, purposes, consent and notices for processing personally identifiable information (PII).
The PII Processing and Transparency family, new in Revision 5, requires an organization to establish the legal authority for each type of PII it processes (PT-2), to identify and document the purposes for which PII is processed and to restrict processing to those purposes (PT-3), to obtain consent where appropriate (PT-4), and to provide a clear privacy notice describing what PII is collected, why, and how it is shared (PT-5). For US federal systems it also covers system of records notices under the Privacy Act (PT-6), special categories of PII such as Social Security numbers (PT-7), and computer matching requirements (PT-8).
These controls are grounded in US federal privacy requirements (the Privacy Act, the E-Government Act and OMB guidance), not in the GDPR. Their purpose-limitation, consent and notice concepts overlap with GDPR obligations and can support a GDPR program, but implementing them does not by itself establish GDPR compliance.
NIST SP 800-53 Rev. 5 defines 8 base controls in the PII Processing and Transparency family (PT-1 through PT-8).
Control Family 16 - Risk Assessment
The Risk Assessment family of NIST 800-53 controls focuses on categorizing systems and identifying, assessing and responding to the risks to them.
The Risk Assessment family requires that each system be categorized by the impact of a loss of confidentiality, integrity or availability (RA-2); that risk assessments be performed and updated when significant changes occur (RA-3); that systems be scanned for vulnerabilities at a defined frequency, with findings analyzed, remediated within defined times and shared with those who need them (RA-5); that identified risks receive a documented response such as accept, avoid, mitigate, share or transfer (RA-7); that critical components and functions be identified through criticality analysis (RA-9); and that threat hunting be performed to find indicators of compromise that routine detection misses (RA-10).
By identifying and assessing risks, including threats such as ransomware against the systems that would be most affected, organizations can prioritize mitigations according to impact rather than treating every finding equally.
NIST SP 800-53 Rev. 5 defines 10 base controls in the Risk Assessment family (RA-1 through RA-10).
Control Family 17 - System and Services Acquisition
The System and Services Acquisition family of controls covers how security and privacy requirements are built into the acquisition and development of systems and services, including those provided by external parties.
The System and Services Acquisition family requires that resources be allocated for security and privacy (SA-2), that a system development life cycle incorporating security be used (SA-3), that acquisition contracts include functional, strength, assurance and documentation requirements for security and privacy (SA-4), that administrator and user documentation be obtained (SA-5), that systems apply security engineering principles such as least privilege and defense in depth (SA-8), that external system services such as cloud providers meet the organization's requirements and be monitored (SA-9), that developers practice configuration management and perform security testing and evaluation (SA-10, SA-11), and that developers follow a defined secure development process with appropriate tools and training (SA-15, SA-16). Supply chain controls that lived in this family in Revision 4 moved to the Supply Chain Risk Management family in Revision 5.
This family is significant because it is cheaper and more reliable to require security in a contract or build it in during development than to retrofit it after a product or service is already in production.
NIST SP 800-53 Rev. 5 defines 23 base controls in the System and Services Acquisition family (SA-1 through SA-23).
Control Family 18 - System and Communications Protection
The System and Communications Protection family of controls protects the boundaries of a system, the communications that cross them, and the separation between components within the system.
The System and Communications Protection family includes separation of user and system management functionality (SC-2), security function isolation (SC-3), denial-of-service protection (SC-5), boundary protection with managed interfaces such as firewalls and proxies and a deny-by-default, allow-by-exception policy (SC-7), confidentiality and integrity of transmitted information (SC-8), network disconnect (SC-10), cryptographic key establishment and management (SC-12), cryptographic protection using approved algorithms and validated modules (SC-13), secure name and address resolution (SC-20, SC-21, SC-22), protection of information at rest (SC-28), and process isolation (SC-39). Authentication and authorization decisions themselves belong to the Identification and Authentication and Access Control families.
These controls ensure that communications between systems are protected from interception and tampering, that an attacker who reaches one component cannot freely reach the others, and that cryptography is used correctly rather than merely present.
NIST SP 800-53 Rev. 5 defines 51 base controls in the System and Communications Protection family (SC-1 through SC-51), by far the largest family in the catalog.
Control Family 19 - System and Information Integrity
The System and Information Integrity family of controls focuses on keeping systems and the information they hold free of known flaws, malicious code and unauthorized modification.
The System and Information Integrity family requires flaw remediation, meaning identifying, testing and installing security patches within defined time frames (SI-2); malicious code protection at entry and exit points and on endpoints, kept current (SI-3); system monitoring for attacks and indicators of compromise, including intrusion detection and monitoring of inbound and outbound traffic (SI-4); receipt of and action on security alerts and advisories (SI-5); verification that security functions are operating (SI-6); integrity verification of software, firmware and information, with a response to unauthorized change (SI-7); spam protection (SI-8); input validation so that invalid or malicious input is rejected (SI-10); error handling that does not leak sensitive information in error messages (SI-11); information management and retention (SI-12); and memory protection against unauthorized code execution (SI-16).
These controls keep a system in a known-good state between the time a flaw or compromise occurs and the time it is discovered, and they are the technical basis of most vulnerability management and detection programs. They also produce the evidence a security officer needs to demonstrate that patching and monitoring policies are actually followed.
Implementing these controls reduces the risk of compromise through known vulnerabilities, malware, and tampering with system or data integrity.
NIST SP 800-53 Rev. 5 defines 23 base controls in the System and Information Integrity family (SI-1 through SI-23).
Control Family 20 - Supply Chain Risk Management
The Supply Chain Risk Management family of controls includes policies and procedures to identify, assess and mitigate risks introduced through the supply chain of systems, components and services.
The supply chain is a critical component of any organization, and a compromised supplier, component or build pipeline can undermine controls that are otherwise sound. The Supply Chain Risk Management (SR) family, new in Revision 5, requires a supply chain risk management plan (SR-2), supply chain controls and processes, including protections required of suppliers (SR-3), provenance tracking for systems and components (SR-4), acquisition strategies, tools and methods that reduce supply chain risk (SR-5), supplier assessments and reviews (SR-6), notification agreements for supply chain incidents (SR-8), tamper resistance and detection (SR-9), inspection of systems and components (SR-10), component authenticity and anti-counterfeit measures (SR-11), and component disposal (SR-12). These risks originate with suppliers, developers, system integrators, manufacturers, distributors and external service providers.
By identifying and assessing these risks, organizations can decide what to require of suppliers, what to verify on receipt, and how to respond when a supplier is compromised, so that the supply chain keeps operating without becoming the organization's weakest control.
NIST SP 800-53 Rev. 5 defines 12 base controls in the Supply Chain Risk Management family (SR-1 through SR-12).
HIPAA (Health Insurance Portability and Accountability Act)
Targeted Industries: Healthcare providers, health plans, healthcare clearinghouses, and their business associates.
Importance: Protects individually identifiable health information from use or disclosure without the patient's authorization or knowledge. The Privacy Rule governs permitted uses and disclosures; the Security Rule requires administrative, physical and technical safeguards for electronic protected health information (ePHI), including access control, audit controls, integrity controls and transmission security. Compliance is crucial for maintaining patient trust and avoiding significant civil penalties and, for knowing violations, criminal ones.
PCI DSS (Payment Card Industry Data Security Standard)
Targeted Industries: Any organization that stores, processes or transmits payment card data, including retail, e-commerce, hospitality, financial services, healthcare, transportation, telecommunications, utilities, nonprofits and charities.
Importance: PCI DSS is a contractual requirement imposed by the card brands through acquiring banks and payment processors as a condition of accepting card payments; non-compliance can mean fines, higher transaction fees or loss of the ability to process cards. Its twelve requirements (covering network controls, secure configurations, protection of stored cardholder data, encryption in transit, malware protection, secure development, access control, identification and authentication, physical security, logging and monitoring, regular testing, and security policy) form a concrete security baseline that strengthens an organization's overall posture. Reducing scope, by keeping cardholder data out of as much of the environment as possible, is the most effective way to make compliance tractable.
ISO/IEC 27001
Targeted Industries: Any organization looking to protect its information assets.
Importance: Specifies the requirements for an information security management system (ISMS), a risk-based management framework for protecting assets such as financial information, intellectual property and employee details. Organizations select controls from Annex A according to their risk assessment and record the choice in a Statement of Applicability, and can be certified by an accredited certification body, which makes ISO/IEC 27001 a common way to demonstrate security posture to customers internationally.
ISO 9001
Targeted Industries: Any organization looking to improve its quality management system.
Importance: Sets requirements for a quality management system so that organizations consistently meet customer and regulatory requirements and improve customer satisfaction through continual improvement. It is not a security standard, but its process discipline (documented procedures, corrective action, management review) is frequently reused to run a security program.
CMMC (Cybersecurity Maturity Model Certification)
Targeted Industries: Defense contractors and subcontractors in the DoD supply chain.
Importance: CMMC is the DoD's unified cybersecurity standard for contractors, intended to ensure that Federal Contract Information and Controlled Unclassified Information are protected. It is built on existing standards, principally NIST SP 800-171, and assigns each contract a required level; depending on the level, contractors self-assess or undergo third-party assessment, and the required level must be met to be awarded the contract.
GDPR (General Data Protection Regulation)
Targeted Industries: Any organization that processes the personal data of individuals in the EU, whether or not the organization itself is established there.
Importance: Protects the privacy and personal data of individuals in the EU by requiring a lawful basis for processing, data subject rights, data protection by design, notification of personal data breaches to the supervisory authority within 72 hours, and appropriate technical and organizational security measures. Non-compliance can result in fines of up to 4% of worldwide annual turnover or 20 million euros, whichever is higher, making it crucial for organizations operating in or dealing with the EU.
DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012
Targeted Industries: Defense contractors and subcontractors.
Importance: Requires contractors that handle Controlled Unclassified Information (CUI) in non-federal systems to implement the security requirements of NIST SP 800-171, to report cyber incidents affecting covered defense information to the DoD within 72 hours of discovery, and to flow the same requirements down to subcontractors. Compliance is a condition of handling defense-related information.
SOC 2
Targeted Industries: Technology and cloud computing companies, and other service organizations that handle customer data.
Importance: A SOC 2 report is an attestation by an independent CPA firm against the AICPA Trust Services Criteria: security (always required), plus availability, processing integrity, confidentiality and privacy as selected. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period, typically six to twelve months, and is what customers generally ask for. It is a report rather than a certification, and its scope is set by the service organization, so readers should check which criteria and which systems it actually covers.
HITECH (Health Information Technology for Economic and Clinical Health Act)
Targeted Industries: Healthcare providers, health plans, healthcare clearinghouses, and their business associates.
Importance: Strengthens HIPAA by promoting the adoption and meaningful use of electronic health records, extending HIPAA's Security Rule obligations and penalties directly to business associates, introducing the Breach Notification Rule, and raising the penalty tiers. Compliance ensures the security and privacy of electronic health records and timely notification when they are breached.
FedRAMP (Federal Risk and Authorization Management Program)
Targeted Industries: Cloud service providers to the U.S. federal government.
Importance: Standardizes security assessment, authorization and continuous monitoring for cloud products and services used by federal agencies. Its Low, Moderate and High baselines are derived from NIST SP 800-53 according to the FIPS 199 impact level of the data handled, and assessments are performed by an accredited third-party assessment organization (3PAO). A FedRAMP authorization is required to provide cloud services to federal agencies and can be reused across agencies.
ITAR (International Traffic in Arms Regulations)
Targeted Industries: Defense contractors, manufacturers and exporters dealing with defense articles, services and technical data on the U.S. Munitions List.
Importance: Regulates the export of defense articles and services to safeguard U.S. national security and foreign policy interests. Because giving a foreign person access to ITAR-controlled technical data can constitute an export even inside the U.S. or within a cloud service, compliance requires controlling who can access such data and where it is stored. Violations carry severe civil and criminal penalties and can lead to debarment.
FISMA (Federal Information Security Modernization Act)
Targeted Industries: Federal agencies and the contractors operating systems on their behalf.
Importance: Requires every federal agency to develop, document and implement an agency-wide information security program for the systems that support its operations, including systems operated by contractors. Agencies implement it using NIST standards and guidance, categorizing systems under FIPS 199, selecting controls from NIST SP 800-53 and following the Risk Management Framework, and report on their security posture annually. Compliance ensures the confidentiality, integrity and availability of government information systems.
SOX (Sarbanes-Oxley Act)
Targeted Industries: Publicly traded companies in the U.S. and their auditors.
Importance: Enacted to protect investors from fraudulent financial reporting by corporations. It mandates reforms to improve financial disclosures and prevent accounting fraud, and Section 404 requires management and the external auditor to attest to internal controls over financial reporting. In practice this brings IT general controls on the systems that feed the financial statements, such as access management, change management and operations controls, into audit scope.
All data is integrated into our SecOps platform, where threats are detected and blocked at the network perimeter and within the network in real time.
IndustryCove Technologies Inc | 2021 © ThreatFend SOC