NIST 800-53 Compliance Assessment
What is NIST 800-53:
NIST 800-53 is a security compliance standard created by the U.S. Department of Commerce and the National Institute of Standards and Technology in response to the rapidly developing technological capabilities of national adversaries. NIST 800-53 is mandatory for all U.S. federal information systems except those related to national security, and it is technology-neutral. Its guidelines can, however, be adopted by any organization operating an information system that holds sensitive or regulated data.
What is the goal of NIST 800-53:
The goal of the security and privacy standard is threefold:
Who must comply with NIST 800-53:
The standard is mandatory for federal information systems, organizations and agencies. Any organization that works with the federal government is also required to comply with NIST 800-53 to maintain the relationship.
Who must comply with NIST 800-53:
While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores and transmits. For example, one classification might be “protected”; this data could include customer names, birth dates and Social Security numbers.
NIST 800-53 Security Controls
NIST 800-53 offers a catalog of 20 families of security and privacy controls and guidance for selection. Each organization should choose controls based on the protection requirements of its various content types. This requires a careful risk assessment and analysis of the impact of incidents on different data and information systems. FIPS 199 defines three impact levels:
Low: Loss would have a limited adverse impact.
Moderate: Loss would have a serious adverse impact.
High: Loss would have a severe or catastrophic adverse impact.