The NIST SP 800-53 Assessment: What It Is and Why It Matters
In this series, we’ll explore the leading industry standards, frameworks, and questionnaires that are relevant to third-party risk management. In this post, we’ll be discussing the NIST 800-53 assessment.
Who Developed NIST SP 800-53?
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce and has the mission to foster innovation and competitiveness “by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
What is the NIST SP 800-53 Standard?
NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations – outlines security and privacy controls for federal information systems and organizations. These controls are grouped into 18 families:
- AC – Access Control
- AU – Audit and Accountability
- AT – Awareness and Training
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification and Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PS – Personnel Security
- PE – Physical and Environmental Protection
- PL – Planning
- PM – Program Management
- RA – Risk Assessment
- CA – Security Assessment and Authorization
- SC – System and Communications Protection
- SI – System and Information Integrity
- SA – System and Services Acquisition
Depending on the level of potential impact, the baseline controls necessary to meet security and privacy requirements will vary. As outlined in Federal Information Processing Standards (FIPS) Publication 199, there are three levels of potential impact on organizational operations, organizational assets, or individuals based on a loss of confidentiality, integrity, and availability.
- Low-Impact: limited adverse effect
- Medium-Impact: serious adverse effect
- High-Impact: severe or catastrophic adverse effect
Who Uses the NIST SP 800-53 Assessment?
Although NIST SP 800-53 Revision 4 outlines security and privacy controls for the U.S. federal government, the standard is heavily relied on throughout the business community. Many private sector organizations assess their third parties against the NIST 800-53 controls. In fact, NIST SP 800-53 Revision 5: “Security and Privacy Controls for Information Systems and Organizations,” which is currently in its final draft, will likely have a broader applicability to private sector organizations.
Many organizations also follow NIST guidance to build effective assessment plans.
How Can I Use a Cyber Risk Exchange to Assess My Third Parties Against NIST 800-53?
The OneTrust Vendorpedia Cyber Risk Exchange is a community of shared vendor risk assessments, as well as security and privacy research on 60,000+ third parties. Through the exchange, your team can request access to completed NIST 800-53 assessments (along with assessments against other leading industry standards).
Want to try it out? We’re offering an extended free trial that includes access to 10 free, completed NIST 800-53 vendor risk assessments, as well as assessments against other leading industry standards.