NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce that has published several different cybersecurity frameworks and control catalogs. Among them are the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and NIST SP 800-171. While these three share elements in common, there are differences in structure and controls based on their specific use cases. The NIST Cybersecurity Framework (CSF) is a voluntary framework that any organization can use to create a security program to manage cybersecurity risks. NIST 800-53 and NIST 800-171 provide specific security controls (800-171 calls them requirements) and associated assessment procedures that organizations can use to protect their information systems. CMMC 2.0 is not a NIST publication but a U.S. Department of Defense certification program whose Level 2 requirements are built on NIST 800-171.
The NIST Cybersecurity Framework (CSF) is the broadest of these frameworks and is meant to apply to any organization looking to build a cybersecurity program. Rather than prescribing individual controls, the CSF organizes desired security outcomes into categories and subcategories under five key functions: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, released in February 2024, adds a sixth function, Govern, covering risk management strategy, roles, and policy.) Identify: Identify is focused on laying the groundwork for an effective cybersecurity program. Outcomes in this function include conducting a risk assessment, inventorying IT assets, and creating a comprehensive risk management strategy. By identifying risks and documenting where sensitive data is stored, your organization can ensure controls are effectively implemented to protect the most critical business processes and most valuable data.
NIST 800-53 is a catalog of security and privacy controls designed for U.S. Federal Government information systems; federal agencies are required to use it under FISMA, and it is also the basis for programs such as FedRAMP. Its controls are grouped into families, which include the following (Revision 5 additionally defines Assessment, Authorization and Monitoring; PII Processing and Transparency; Program Management; and Supply Chain Risk Management):
Access Control: These controls focus on ensuring that only authorized users are able to access critical systems and information, including account management, least privilege, separation of duties, and session controls.
Awareness and Training: The Security Awareness and Training family of controls mandates that end-users (employees) are trained in how to properly prevent, detect, and respond to cybersecurity incidents.
Audit and Accountability: These controls are designed to generate, protect, and retain the audit records needed to reconstruct events, support auditors, and hold users and administrators accountable for their actions on the system.
Configuration Management: Configuration management involves establishing and maintaining secure baseline configurations for information systems. Controls include baseline configuration, change control, security impact analysis, and least functionality, among others.
Contingency Planning: This family involves planning for incidents and contingencies to allow for optimal response.
Identification and Authentication: The Identification and Authentication family is designed to ensure that users are correctly authenticated when using networks or accessing sensitive data. Controls include the types of authentication to be used, encryption, and policies and procedures regarding authentication.
Incident Response: The Incident Response family focuses on ensuring processes are in place for quickly responding to and remediating incidents. Controls include incident response training and testing, incident handling, incident monitoring, and incident reporting, among others.
Maintenance: This family is focused on ensuring that systems are adequately maintained. Controls include timely maintenance, controlled maintenance, and nonlocal maintenance.
Media Protection: The Media Protection family involves controls that are designed to protect media, including stored media, media access, and media sanitization.
Physical and Environmental Protection: Physical and Environmental Protection is just as it sounds. This family addresses physical rather than logical safeguards and includes items such as physical access authorizations and monitoring, emergency power, emergency lighting, and fire protection.
Planning: Planning is critical for cybersecurity. Planning in NIST 800-53 involves controls around creating a system security plan, rules of behavior, and information security architecture.
Personnel Security: This family deals with security issues arising from personnel present at the facility and includes controls such as screening, termination, and policies and procedures around personnel.
Risk Assessment: This set of controls designates how a Risk Assessment should be performed, policies for performing the risk assessment, and vulnerability scanning.
Systems and Services Acquisition: These controls deal with System Development Life Cycle, Acquisition Process, and Information System Documentation, among others.
Systems and Communications Protection: These controls are designed to protect systems and the communications between them from attacks such as denial of service and network-borne intrusion. They include cryptographic protection, boundary protection and network segmentation, VoIP security, and others.
Systems and Information Integrity: These controls are focused on ensuring the integrity of organizational information systems. Controls include flaw remediation, malicious code protection, error handling, spam protection, memory protection, and fail-safe procedures, among others.
As mentioned, NIST 800-53 was built for government entities but is commonly used by financial and medical organizations. If you run a large enterprise and need a detailed standard for building a cybersecurity program, you really can’t do better. NIST 800-53 provides granular detail for each control that needs to be implemented to ensure that you have a comprehensive cybersecurity program your team can maintain.
Before we go into NIST 800-171, we should discuss exactly what constitutes Controlled Unclassified Information, or CUI. Simply put, CUI is information that is not classified but that a law, regulation, or government-wide policy nevertheless requires to be protected or whose dissemination must be controlled.
According to the National Archives and Records Administration (NARA), the Executive Agent charged under Executive Order 13556 with creating and implementing the standards for the CUI program (codified in 32 CFR Part 2002) and overseeing agency compliance, CUI is information the government creates or possesses, or that an entity creates or possesses on its behalf, that requires safeguarding or dissemination controls. Those controls must be “consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”
NARA maintains a single, public CUI Registry that lists the approved CUI categories, the authorities that make each one CUI, and the handling requirements that apply; agencies may only treat information as CUI if it falls under a registered category. For instance, the “Financial” category group includes categories such as bank secrecy, budget, electronic funds transfers, and mergers, all of which relate to the duties of financial institutions and U.S. fiscal functions. The “Patent” group covers inventions, patent applications, and secrecy orders, and the Registry cites the statutes that make this information protected.
Both NIST 800-171 and NIST 800-53 have similar common security control objectives. However, they differ in the scope of the security requirements and the types of information that are to be protected. NIST 800-53 is more comprehensive, and its security requirements are broader, while NIST 800-171 is focused on the protection of CUI in nonfederal systems. Because of that scope, NIST 800-171 reaches beyond federal agencies to the companies with which government data is shared, even if they have no access to federal networks: it applies to a wide range of government contractors and subcontractors across the public-sector supply chain. The requirements cover all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide protection for those components. NIST 800-53 is the basis for the requirements in NIST 800-171 and CMMC 2.0; NIST 800-171 Revision 2 groups its 110 requirements into the 14 families outlined below, each derived from a corresponding 800-53 family (Revision 3, published in 2024, adds Planning, System and Services Acquisition, and Supply Chain Risk Management). CMMC 2.0 Level 2 maps one-to-one to NIST 800-171 Revision 2, so its domains, practices, and objectives overlap 100% with the 800-171 families and requirements. One of the biggest differences between NIST 800-171 and CMMC 2.0 Level 2 is who performs the assessment: NIST 800-171 compliance under DFARS is a self-assessment, whereas CMMC 2.0 Level 2, for contracts handling prioritized CUI, requires third-party assessment and certification by a C3PAO accredited by the Cyber AB (formerly the CMMC-AB); only a subset of Level 2 contracts permit an annual self-assessment.
Access Control: These controls focus on ensuring that only authorized users are able to access critical systems and information.
Awareness and Training: The Security Awareness and Training family of controls mandates that end-users (employees) are trained in how to properly prevent, detect, and respond to cybersecurity incidents.
Audit and Accountability: These controls are designed to provide records for auditors to understand and hold users and administrators accountable for maintaining cybersecurity.
Configuration Management: Configuration management involves establishing and maintaining secure baseline configurations for information systems. Controls include change control and security impact analysis, among others.
Security Assessment: This family requires organizations to periodically assess whether their security requirements are effective, develop and maintain plans of action and milestones (POA&Ms) for deficiencies, monitor controls on an ongoing basis, and maintain a system security plan (SSP). (NIST 800-171 does not include a Contingency Planning family; backup requirements fall under Media Protection.)
Identification and Authentication: The Identification and Authentication family is designed to ensure that users are correctly authenticated when using networks or accessing sensitive data. Controls include the types of authentication to be used, encryption, and policies and procedures regarding authentication.
Incident Response: The Incident Response family focuses on ensuring processes are in place for quickly responding to and remediating incidents. Controls include incident response training and testing, incident handling, incident monitoring, and incident reporting, among others.
Maintenance: This family is focused on ensuring that systems are adequately maintained. Controls include timely maintenance, controlled maintenance, and nonlocal maintenance.
Media Protection: The Media Protection family involves controls that are designed to protect media, including stored media, media access, and media sanitization.
Physical Protection: Physical Protection (the 800-171 name for the 800-53 Physical and Environmental Protection family) is just as it sounds. This family addresses physical rather than logical safeguards and includes limiting and monitoring physical access to systems and facilities, escorting visitors, controlling physical access devices, and securing alternate work sites.
Personnel Security: This family deals with security issues arising from personnel present at the facility and includes controls such as screening, termination, and policies and procedures around personnel.
Risk Assessment: This set of controls designates how a Risk Assessment should be performed, policies for performing the risk assessment, and vulnerability scanning.
Systems and Communications Protection: These controls are designed to protect systems and the communications between them from attacks such as denial of service and network-borne intrusion. They include cryptographic protection, boundary protection and network segmentation, VoIP security, and others.
Systems and Information Integrity: These controls are focused on ensuring the integrity of organizational information systems. Controls include flaw remediation, malicious code protection, spam protection, and monitoring of security alerts and advisories, among others.