The NIST SP 800-53 Assessment: What It Is and Why It Matters

BLOG 2 MINS | July 22, 2020

In this series, we explore the leading industry standards, frameworks, and questionnaires that are relevant to third-party risk management. In this post, we discuss the NIST SP 800-53 assessment.

Who Developed NIST SP 800-53?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce and has the mission to foster innovation and competitiveness “by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

What is the NIST SP 800-53 Standard?

NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations – is a catalog of security and privacy controls for federal information systems and the organizations that operate them. The controls are organized into 18 control families.

The baseline set of controls an organization must implement varies with the potential impact of a security breach. As outlined in Federal Information Processing Standards (FIPS) Publication 199, there are three levels of potential impact – low, moderate, and high – on organizational operations, organizational assets, or individuals resulting from a loss of confidentiality, integrity, or availability. Each of the three security objectives is rated separately, and the resulting impact levels determine which SP 800-53 baseline (low, moderate, or high) applies.
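The following is an added example, not code from the original post or from NIST. It walks through the FIPS 199 categorization step the paragraph above describes: each information type a system handles gets a low/moderate/high rating per security objective, the system-level rating for each objective is the highest rating any of its information types carries, and the SP 800-53 baseline is then chosen from the highest of the three system-level ratings (the "high water mark" rule, which comes from FIPS 200 rather than from this post and is assumed here). The information types and their ratings are constructed sample data, and the `NA` handling (permitted only for confidentiality of public information types) follows FIPS 199.

```python
"""Added example, not from the original post or from NIST: derive a system's
FIPS 199 security category from the impact ratings of the information types it
handles, then pick the SP 800-53 baseline by the high water mark rule.

Assumptions (not stated on the page): the baseline is the highest of the three
objective-level impacts (FIPS 200); the information types below are constructed
sample data, not taken from any NIST catalogue.
"""

LEVELS = ("LOW", "MODERATE", "HIGH")  # ordered, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level):
    """Numeric position of an impact level so levels can be compared."""
    return LEVELS.index(level)


def categorize_system(info_types):
    """Return {objective: level} for a system.

    info_types maps a type name to {objective: level}. Per FIPS 199, the
    system-level impact for each objective is the highest impact assigned to
    that objective by any information type the system processes. "NA" is
    accepted only for confidentiality (FIPS 199 permits it for public
    information) and never propagates to the system, whose floor is LOW.
    """
    system = {obj: "LOW" for obj in OBJECTIVES}
    for name, impacts in info_types.items():
        for obj in OBJECTIVES:
            level = impacts[obj].upper()
            if level == "NA":
                if obj != "confidentiality":
                    raise ValueError(f"{name}: NA is only valid for confidentiality")
                continue
            if level not in LEVELS:
                raise ValueError(f"{name}: unknown impact level {level!r}")
            if _rank(level) > _rank(system[obj]):
                system[obj] = level
    return system


def high_water_mark(category):
    """Highest impact level across the three objectives (FIPS 200 rule)."""
    return max(category.values(), key=_rank)


def select_baseline(info_types):
    """Return (security category in FIPS 199 notation, baseline level name)."""
    category = categorize_system(info_types)
    sc = "SC = {" + ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items()) + "}"
    return sc, high_water_mark(category)


# Constructed sample: a vendor portal that serves public documentation and also
# stores customer contact records.
SAMPLE_TYPES = {
    "public documentation": {
        "confidentiality": "NA", "integrity": "MODERATE", "availability": "LOW",
    },
    "customer contact records": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW",
    },
}

if __name__ == "__main__":
    sc, level = select_baseline(SAMPLE_TYPES)
    print(sc)
    print("SP 800-53 baseline:", level)
```

Run as a script it prints the system's security category in the FIPS 199 notation and the resulting baseline; the sample portal lands on the MODERATE baseline because a single moderate rating on any objective is enough to lift the whole system, even though its availability requirement is only LOW.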

Who Uses the NIST SP 800-53 Assessment?

Although NIST SP 800-53 Revision 4 is written for the U.S. federal government, the standard is heavily relied on throughout the business community, and many private sector organizations assess their third parties against the NIST SP 800-53 controls. NIST SP 800-53 Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” which is currently in its final draft, drops the word “Federal” from the title and is expected to apply more broadly to private sector organizations.

Many organizations also follow NIST guidance, including the companion assessment procedures in NIST SP 800-53A, to build effective assessment plans.

How Can I Use a Cyber Risk Exchange to Assess My Third Parties Against NIST 800-53?

The OneTrust Vendorpedia Cyber Risk Exchange is a community of shared vendor risk assessments, along with security and privacy research on 60,000+ third parties. Through the exchange, your team can request access to completed NIST SP 800-53 assessments, as well as assessments against other leading industry standards.

Want to try it out? We’re offering an extended free trial that includes access to 10 free, completed NIST SP 800-53 vendor risk assessments, as well as assessments against other leading industry standards.

OneTrust. All Rights Reserved.