NIST 800-53


What Does NIST 800-53 Mean?

A project of the National Institute of Standards and Technology (NIST), NIST 800-53 is a comprehensive set of data controls for government offices.


The NIST 800-53 standard applies to all federal data except federal data which impacts national security. In other words, it's the "non-security sensitive" standard for government.

Central to NIST 800-53 is a three-part set of controls for three categories of data:

  • Low-impact
  • Medium-impact
  • High-impact

Within those three categories, NIST 800-53 includes many dozens of individual control components. Some of them relate to monitoring requirements and processes such as auditing, while others involve input on contingency planning and incident monitoring and more.

The comprehensive set of controls treats all sorts of aspects of cybersecurity and data hygiene, from threat analysis to pre-emptive strategies like encryption.

NIST 800-53 is also known as NIST Special Publication 800-53.

Techopedia Explains NIST 800-53

NIST 800-53 also includes environmental safety concerns, such as controls on fire protection, although the vast majority of the controls have to do with protecting digital data and using universal best practices and protocols to avoid leaks of digital data.

Another key thing that's written into NIST 800-53 is a set of controls for remote and wireless access. This type of guideline is going to be critically important in the coronavirus pandemic era, as workforce operations quickly move online, and businesses navigate toward virtual networking systems.

Some of the controls in NIST 800-53, for example, will be highly applicable to Bring Your Own Device (BYOD) situations where a government worker’s personal device may store sensitive government data or contain gateways to that sensitive government data. Some of the controls will also help to maintain cybersecurity standards as Internet-connected devices proliferate quickly in the “Internet of Things” (IoT) era.

Another way to understand NIST 800-53 is to contrast it with a more recent development called NIST Cybersecurity Framework or NIST-CSF.

Federal guidelines show that NIST-CSF does not replace NIST 800-53, but instead provides additional coverage of comprehensive data security. For instance, the five core functions making up the NIST-CSF framework (identify, detect, protect, respond and recover) are a semantic way to group many of the standards inherent in NIST 800-53, giving a bird's-eye view of why these bundles of rules and protocols are in place.

Categories and sub-categories in both the NIST-CSF and NIST 800-53 standards take a “people, processes and assets” approach to cybersecurity controls and analysis, looking at items like asset management, the work of collaborating stakeholders, and more.

The NIST-CSF also provides four “tiers” of cybersecurity success:

  • Partial
  • Risk-informed
  • Repeatable
  • Adaptable

These four tiers can help to further assess levels of success for applied frameworks.

“You can use the NIST CSF to benchmark your current security posture,” writes an analyst at Cipher, describing related use of the framework. “Going through each category and subcategories in the core function can help you determine where you stand on the NIST CSF Tier scale.”

In summary, NIST 800-53 helps users to document and evaluate their cybersecurity compliance, and can be useful in legal procedures. The NIST-CSF builds on this utility in combination with the original specifications in the still-relevant NIST 800-53 resource.



Margaret Rouse

Margaret is an award-winning technical writer, teacher and lecturer. She is known for her ability to explain complex technical concepts in simple terms to a business audience. Over the past twenty years, her definitions of IT terms have been published by Que in an encyclopedia of technology terms and cited in articles in the New York Times, Time magazine, USA Today, ZDNet, and PC and Discovery magazines. Margaret joined the Techopedia team in 2011. Margaret enjoys helping business and IT professionals find a common language. In her work, as she says herself, she builds bridges between these two domains, in this…