Margaret Rouse is an award-winning technical writer and teacher known for her ability to explain complex technical subjects simply to a non-technical, business audience. Over…
A project of the National Institute of Standards and Technology (NIST), NIST 800-53 is a comprehensive catalog of security controls for federal information systems.
The NIST 800-53 standard applies to all federal data except federal data that impacts national security. In other words, it is the standard for federal systems that are not classified as national security systems.
Central to the structure of NIST 800-53 is a three-part set of controls for three categories of data:
Within those three categories, NIST 800-53 includes many dozens of individual controls. Some of them address monitoring requirements and processes such as auditing, while others cover contingency planning, incident monitoring and more.
The comprehensive set of controls addresses many aspects of cybersecurity and data hygiene, from threat analysis to preventive measures such as encryption.
NIST 800-53 is also known as NIST Special Publication 800-53.
NIST 800-53 also includes environmental safety concerns, such as controls on fire protection, although the vast majority of the controls have to do with protecting digital data and applying universal best practices and protocols to prevent leaks of that data.
Another key thing that's written into NIST 800-53 is a set of controls for remote and wireless access. This type of guideline is going to be critically important in the coronavirus pandemic era, as workforce operations quickly move online, and businesses navigate toward virtual networking systems.
Some of the controls in NIST 800-53, for example, will be highly applicable to Bring Your Own Device (BYOD) situations where a government worker’s personal device may store sensitive government data or contain gateways to that sensitive government data. Some of the controls will also help to maintain cybersecurity standards as Internet-connected devices proliferate quickly in the “Internet of Things” (IoT) era.
Another way to understand NIST 800-53 is to contrast it with a more recent development called NIST Cybersecurity Framework or NIST-CSF.
Federal guidelines show that NIST-CSF does not replace NIST 800-53, but instead provides additional coverage of comprehensive data security. For instance, the five core functions making up the NIST-CSF framework (identify, protect, detect, respond and recover) are a semantic way to group many of the standards inherent in NIST 800-53, revealing more of the bird’s-eye view of why these bundles of rules and protocols are in place.
Categories and sub-categories in both the NIST-CSF and NIST 800-53 standards take a “people, processes and assets” approach to cybersecurity controls and analysis, looking at items like asset management, the work of collaborating stakeholders, and more.
The NIST-CSF also defines four “tiers” of cybersecurity maturity:
These four tiers can help to further assess how successfully an organization has applied the framework.
“You can use the NIST CSF to benchmark your current security posture,” writes an analyst at Cipher, describing related use of the framework. “Going through each category and subcategories in the core function can help you determine where you stand on the NIST CSF Tier scale.”
In summary, NIST 800-53 helps users to document and evaluate their cybersecurity compliance, and can be useful in legal proceedings. The NIST-CSF builds on this utility in combination with the original specifications in the still-relevant NIST 800-53 resource.
Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.