SP 800-53rev5 Document Deep Dive

The National Institute of Standards and Technology Special Publication SP 800-53rev5: Security and Privacy Controls for Information Systems and Organizations

A Policy, Technology, and Sector-Neutral Control Catalog

Security and privacy controls can be incredibly helpful to an organization looking to apply a standardized approach to protecting information as it is stored, processed, or transmitted on an information system (or system). “Controls can also be very helpful for managing individual privacy risks.” The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53r5, “Security and Privacy Controls for Information Systems and Organizations,” is a catalog of controls, which are safeguards or countermeasures available for an organization to implement. Controls fall into two types: security and privacy.

Table 1: Security and Privacy Controls Definitions

Security Controls: The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

Privacy Controls: The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks.

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

The catalog is comprehensive and can seem overwhelming at times, especially if you are new to the world of NIST. Understanding how to select and implement controls from this catalog is foundational knowledge, as numerous other frameworks, security requirements, and special publications reference the SP 800-53 catalog. The Cybersecurity Framework 2.0 and NIST SP 800-171 both map to controls from the SP 800-53 catalog, and the Risk Management Framework (RMF) uses SP 800-53 controls directly.

Fortunately, the SP 800-53 publication provides a great high-level overview in its Abstract, Introduction, and Purpose and Applicability sections. The Keywords section is also worth noting: NIST publications rely on defined terms, and it is usually beneficial to mind those terms and align to them when applicable and practical.


A Well-Defined Structure

Before implementing Controls, it is important to understand the structure of them. Controls are organized into 20 families, “each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., PS for Personnel Security).” 

Table 2: Security and Privacy Control Families

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

For every control, there is a lot of information, and it is purposeful and useful. The section titled Control Structure and Organization (not to be confused with “the organization”) gives full explanations of all elements in a control. Security and privacy controls have the following structure: a base control section, a discussion section, a related controls section, a control enhancements section, and a references section.

A key concept to understand is how the controls are numbered and ordered; the ordering “…does not imply any logical progression, level of prioritization or importance, or order in which the controls or control enhancements are to be implemented. Rather, it reflects the order in which they were included in the catalog.” Controls are sometimes withdrawn as the catalog is revised over time. In those instances the withdrawn control or control enhancement still “occupies” the same position in the sequence, but it is marked as withdrawn and, in most cases, names the control into which its safeguard or countermeasure has been incorporated (see Figure 3).

One technique that might be helpful to keep in mind when reading controls is to identify the verbs, the action words. Controls can include administrative, technical, and physical aspects. Identifying the verbs in a control could be a helpful approach when trying to understand the appropriate administrative, technical or physical action (safeguard or mechanism) in a given scenario. 

Figure 1: Identifying the “actions” in a control

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

Dissecting a Control

The ever-informative Control Structure and Organization section of chapter two examines the structure of the AU-4 control and follows with a comprehensive breakdown of all of the elements in a control; reading it is strongly advised. This document examines a different control, SI-2: Flaw Remediation.

Figure 2: SI-2: Flaw Remediation

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

Consider SI-2 from the System and Information Integrity family. The Control Name is Flaw Remediation; another term for it might be Patch Management. The Control Identifier is SI-2; it is the Base Control and has five Control Enhancements with one Withdrawn Control Enhancement. A Control Enhancement may be treated as its own control.

There are Organization-Defined Parameters, which are values such as frequencies or time periods, standards, or thresholds. “For some controls, additional flexibility is provided by allowing organizations to define specific values for designated parameters associated with the controls.” There is a Discussion section (formerly “Supplemental Guidance”) which is incredibly useful and, in many cases, may be the most informative part of the control. “Organizations can use the information as needed when developing, tailoring, implementing, assessing, or monitoring controls.”
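As an added illustration (not code from the original article or from NIST), the following Python models two structural facts described above: the identifier format that distinguishes a base control such as SI-2 from an enhancement such as SI-2(3), and the bracketed organization-defined parameters that must be filled with the organization's own values before the control text is usable in a plan. The family table and the “[Assignment: …]” bracket syntax are taken from the catalog; everything else is assumed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The 20 control families of SP 800-53r5, keyed by their two-character identifier.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training", "AU": "Audit and Accountability",
    "CA": "Assessment, Authorization, and Monitoring", "CM": "Configuration Management",
    "CP": "Contingency Planning", "IA": "Identification and Authentication",
    "IR": "Incident Response", "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning", "PM": "Program Management",
    "PS": "Personnel Security", "PT": "PII Processing and Transparency", "RA": "Risk Assessment",
    "SA": "System and Services Acquisition", "SC": "System and Communications Protection",
    "SI": "System and Information Integrity", "SR": "Supply Chain Risk Management",
}
# Identifier forms: base control "SI-2" or control enhancement "SI-2(3)".
ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")
# The catalog marks organization-defined parameters as bracketed assignments or
# selections, e.g. "[Assignment: organization-defined time period]".
ODP_RE = re.compile(r"\[(Assignment|Selection[^:\]]*):\s*([^\]]+)\]")

@dataclass(frozen=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int]  # None for the base control

    @property
    def base(self) -> str:
        return f"{self.family}-{self.number}"

def parse_control_id(text: str) -> ControlId:
    """Parse 'SI-2' or 'SI-2(3)', rejecting unknown families and malformed ids."""
    m = ID_RE.match(text.strip())
    if not m or m.group(1) not in FAMILIES:
        raise ValueError(f"not a valid SP 800-53 control identifier: {text!r}")
    fam, num, enh = m.groups()
    return ControlId(fam, int(num), int(enh) if enh is not None else None)

def fill_parameters(control_text: str, values: dict) -> str:
    """Substitute each ODP placeholder with the organization's chosen value.
    A parameter with no value raises, so an unfilled ODP cannot slip into an SSP."""
    def sub(m):
        name = m.group(2).strip()
        if name not in values:
            raise KeyError(f"no organization-defined value for: {name}")
        return values[name]
    return ODP_RE.sub(sub, control_text)
```

For instance, a constructed sentence such as "Install updates within [Assignment: organization-defined time period] of release." becomes "Install updates within 30 days of release." once the organization supplies that value, and parsing "SI-2(3)" yields base control "SI-2" with enhancement 3.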

Figure 3: Control Dissection

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

Other elements inside the control are Related Controls and References, which are sources or information related to the control. The SI-2 control and its enhancements, when implemented, provide a number of safeguards pertaining to Flaw Remediation. If you are tasked with implementing SI-2 and any of its enhancements, you might also dig further into the references and see that one of them is SP 800-40. Being a critical component of preventive maintenance, Patch Management has its own Special Publication, NIST SP 800-40r4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. Not every control has a related special publication: some references are websites, applicable laws, or standards, and some controls have no references at all; in those instances the controls are usually self-explanatory.

Policy and Procedures

In 19 of 20 families of controls, the very first control of the family is the control for Policy and Procedures (PM-1 calls for a Plan rather than a Policy and Procedures). The intent is clear: Develop, Document and Disseminate your policies and procedures (or plan) for your security and privacy controls. The Discussion section for every Policy and Procedure control elaborates on some key points when developing these policies and procedures:

  • The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.
  • Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed.
  • Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure.

Some organizations have control baselines well into the hundreds of controls. A comprehensive set of policies and procedures is critical to an effective control implementation approach. The control from the planning family, PL-2: System Security and Privacy Plans, comes into play here and is often a foundational control for the composition and organization of these policies and procedures. It is important to see these policies and procedures, as well as these controls, as a way to achieve an outcome, required or not. Good documentation can be useful for all types of individuals throughout an organization.

Figure 4: The AC-1 Control

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

Implementing Security and Privacy Controls

A security or privacy control provides no protection until it is implemented. Preparation, system categorization, and control selection are key, but safeguards are not actually in place until control implementation. SP 800-53 has a full section titled “Control Implementation Approaches” which can be helpful.

In a scenario where an organization has a baseline of selected security controls to implement, it might be appropriate to first conduct a self-assessment against that baseline. NIST, leaving no stone unturned, has a specific control for this process: CA-2: Control Assessments. There is also a complete accompanying assessor’s guide for SP 800-53, SP 800-53Ar5: Assessing Security and Privacy Controls in Information Systems and Organizations. SP 800-53A can also be helpful in the implementation phase, as it looks at the controls from the assessor’s perspective (it is also a listed reference in CA-2).

Figure 5: The CA-2 Control

Source: NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

After control assessments, you might find that many controls are already implemented, or you might find a fair number of gaps; from there, the Controls chapter (or its content in other formats) will likely be the “go-to” chapter in this publication. The Controls chapter lists all controls in all of the families; this is the “catalog” part of the publication. Generally, there are three ways to implement a control: with technical configurations or settings, through administrative policy, or by physical means. In many cases a control has elements from multiple aspects. Prematurely implementing controls can and should be avoided by doing a proper assessment; think of how a good carpenter measures (twice) before they cut.

References and Notes:
The NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations. Download revision 5 here: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
1. NIST Glossary of Terms: Information System: https://csrc.nist.gov/glossary/term/information_system
2. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Introduction.
3. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Introduction.
4. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Relationship to Other Publications.
5. CA represents the Assessment, Authorization, and Monitoring family. This stems from revision 2 of the catalog, where CA was the Certification, Accreditation, and Security Assessments family: https://csrc.nist.gov/pubs/sp/800/53/r2/final
6. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Control Structure and Organization.
7. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Control Structure and Organization.
8. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Introduction.
9. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Control Structure and Organization.
10. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Control Structure and Organization.
11. NIST SP 800-53r4: Security and Privacy Controls for Federal Information Systems and Organizations (superseded): https://csrc.nist.gov/pubs/sp/800/53/r4/upd3/final
12. NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations: Control Structure and Organization.
13. NIST SP 800-40r4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology: https://csrc.nist.gov/pubs/sp/800/40/r4/final
14. NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1: “The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’”: https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf
15. At the time of this writing, there is a slight conflict between the definition of System Security Plan and the intent of the PL-2 control. The SP 800-53 definition (and other NIST definitions) are worded to say “a formal document,” whereas the Discussion section of the PL-2 control states, “The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents…” Seemingly trivial, but still potentially impactful inside processes that rely on defined terms: https://csrc.nist.gov/glossary/term/system_security_plan
