NIST Special Publication 800-53 AI breakdown
NIST Security Controls Implementation Guide (Excerpt)
This response includes an excerpt of key NIST security controls from SP 800-53 with practical implementation guidance. For a comprehensive list, refer to the full publication:
Access Control (AC)
- AC-1: Information System Access | Limit access based on need-to-know and least privilege principles using access control lists or role-based access controls.
- AC-2: Identification and Authentication | Implement multifactor authentication for all users, especially administrators; regularly review and update authentication methods.
Audit and Accountability (AU)
- AU-1: Audit Events | Configure audit logs to record security-relevant events. Define a retention period and secure log storage location.
- AU-2: Audit Retention | Store audit records for a sufficient duration based on legal, regulatory, or organizational requirements.
- AU-3: Audit Record Content | Log detailed information about security-related events, including timestamps, user identifiers, actions performed, and affected system components.
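As an added example (not part of the original guide), the following Python sketch shows what the three audit controls above look like in code: every record carries the AU-3 fields (timestamp, user identifier, action, affected component, outcome), records are hash-chained so that later edits or deletions are detectable, and a retention period (AU-2) selects records eligible for archival. The `AuditLog` class, field names and the sample events in `demo()` are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Fields every audit record must carry (the AU-3 content requirement).
REQUIRED_FIELDS = ("timestamp", "user_id", "action", "component", "outcome")
GENESIS = "0" * 64  # chain anchor for the first record


class AuditLog:
    """Append-only audit log with a SHA-256 hash chain for tamper evidence.

    Retention (AU-2) is enforced by age, measured from the record timestamp.
    """

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.records = []
        self._last_hash = GENESIS

    def record(self, user_id, action, component, outcome, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "timestamp": when.isoformat(),
            "user_id": user_id,
            "action": action,
            "component": component,
            "outcome": outcome,
            "prev_hash": self._last_hash,
        }
        missing = [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        # Canonical JSON (sorted keys) so an external verifier recomputes the same hash.
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._last_hash = entry["hash"]
        self.records.append(entry)
        return entry

    def verify(self):
        """Re-walk the chain; return the index of the first bad record, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return -1

    def expired(self, now=None):
        """Records older than the retention period (candidates for archival, not in-place deletion)."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - self.retention
        return [e for e in self.records
                if datetime.fromisoformat(e["timestamp"]) < cutoff]


def demo():
    """Constructed sample: two events, a retention check, then a tamper check."""
    log = AuditLog(retention_days=90)
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log.record("alice", "login", "sso-gateway", "success", when=base)
    log.record("alice", "read", "payroll-db", "denied", when=base + timedelta(days=100))
    intact = log.verify()                                   # -1: chain is good
    expired_count = len(log.expired(now=base + timedelta(days=120)))  # 1: the login record
    log.records[0]["action"] = "logout"                     # simulate an after-the-fact edit
    return intact, expired_count, log.verify()              # verify() now reports index 0


if __name__ == "__main__":
    print(demo())
```

Note that `expired()` only selects records; deleting them in place would break the chain for later records, so expired entries should be moved to secured archival storage (the "secure log storage location" of AU-1) together with their hashes, not removed.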
Configuration Management (CA)
- CA-1: Change Control | Develop procedures for managing changes to systems, applications, or configurations; include impact assessments and testing requirements.
- CA-2: Configuration Management Plan | Establish a configuration management plan with standardized baselines, change control processes, and monitoring mechanisms.
Media Protection (MA)
- MA-1: Data Sanitization | Implement procedures for securely removing data from media upon end of use or disposal to prevent unauthorized access.
- MA-2: Physical Media Protection | Store removable media in secure locations and limit physical access based on need-to-know principles.
- MA-3: Transmission Protection | Encrypt sensitive data transmitted over networks, especially when leaving the organization's environment.
- MA-4: Removable Media Protection | Encrypt and securely store sensitive information on removable media; restrict access to authorized personnel only.
Personnel Security (PS)
- PS-1: Background Investigations | Conduct thorough background investigations for employees and contractors with system access privileges.
- PS-2: Personnel Screening | Implement ongoing monitoring of security clearances, including periodic reinvestigation as needed.
- PS-3: Security Education and Training | Provide regular training on information security policies, best practices, and risks associated with personnel activities.
- PS-4: Separation of Duties | Ensure critical tasks are divided among multiple individuals to prevent misuse or unauthorized actions.
- PS-5: Information System Access Monitoring | Monitor user activity to detect anomalous behavior that may indicate a security incident.
- PS-6: Workforce and Mobile Device Security | Implement policies and procedures to secure the workstations, laptops, and mobile devices used by personnel who access sensitive information.
- PS-7: Personnel Screening | Conduct comprehensive background checks for employees and contractors with access to critical systems or data.
- PS-8: Continuous Monitoring | Establish ongoing monitoring of personnel activities, system configurations, and security events for early detection of anomalies.
System Maintenance (SI)
- SI-1: Incident Response Plan | Develop detailed incident response plans, including roles, responsibilities, communication protocols, and recovery procedures.
- SI-2: Information Security Continuous Monitoring | Implement ongoing monitoring to assess system vulnerabilities, detect security events, and ensure compliance with security policies.
- SI-3: System Updates | Regularly apply software updates and patches to systems based on vendor recommendations or security advisories.
- SI-4: Maintenance Schedule | Establish a maintenance schedule that includes routine checks, testing, and system upgrades to support evolving security requirements.
- SI-5: Information Security Risk Assessments | Conduct periodic risk assessments to identify potential vulnerabilities and prioritize remediation efforts based on risk levels.
- SI-6: System Maintenance | Regularly update software, apply patches, monitor system performance, and conduct security audits following established schedules and procedures.
System Development (SC)
- SC-1: Security Planning | Incorporate security planning into the system development lifecycle, considering threats, vulnerabilities, and potential impacts.
- SC-2: System Design Documentation | Prepare detailed documentation of secure design principles and components, including architecture diagrams, threat models, and countermeasures.
- SC-3: Information Input Validation | Validate and sanitize input data at multiple layers (system, application, network) to prevent injection attacks or other untrusted data exploits.
- SC-4: Data Sanitization | Securely remove data from systems and media upon end of use or disposal using approved techniques such as cryptographic erasure or degaussing.
- SC-5: Information System Security Assessment | Perform comprehensive security assessments (including penetration tests) to identify vulnerabilities and validate implemented countermeasures.
- SC-6: Test Security Functions | Validate the functionality of security controls through regular testing, including simulated attacks or adversarial simulations.
- SC-7: Software Integrity | Protect software components using digital signatures, checksums, and other mechanisms to prevent unauthorized modifications.
- SC-8: Network Segmentation | Implement network segmentation to isolate critical systems, reduce attack surfaces, and limit lateral movement by potential threat actors.
- SC-9: Non-Broadcast Distribution | Use secure channels or protocols for distributing sensitive information within internal networks, avoiding unprotected broadcast mechanisms.
- SC-10: Network Traffic Encryption | Encrypt network traffic, especially when transmitting sensitive data between systems or across public networks.
- SC-11: Wireless Access Control | Implement strong controls around wireless access, including authentication, encryption, and user authorization for wireless network access points.
- SC-12: Wireless Device Management | Manage the lifecycle of wireless devices (including mobile phones and laptops) with encryption, remote wipe capabilities, and access restrictions based on need-to-know.
- SC-13: Mobile Device Security | Secure mobile computing devices through strong authentication, encrypted storage, and application controls to protect sensitive data.
- SC-14: Wireless Access Points | Deploy wireless access points securely with strong authentication, encryption, and limited physical access for management consoles.
- SC-16: Network Encryption | Encrypt all network traffic, especially when transmitting sensitive data outside secure facilities.
- SC-28: Information Input Validation | Implement robust input validation mechanisms to prevent injection attacks (SQL, command, etc.) by sanitizing and verifying user inputs against predefined rules.
- SC-30: Security Testing | Conduct regular security testing throughout the system development lifecycle, including unit tests, integration tests, penetration tests, and red team exercises.
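SC-3 and SC-28 both call for validating input before it reaches a query engine. The following Python example, added here and not part of the original guide, puts the weak form (user input spliced into SQL text) beside the hardened form (an allow-list check at the application layer, then a bound parameter at the database layer). The table, sample rows and the `validate_username` rule are constructed for illustration.

```python
import re
import sqlite3

# Allow-list: an account name is a lowercase letter followed by 2-31 letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Application-layer check (SC-28): reject anything that is not a plain account name."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def setup_db():
    """Constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn, name):
    """Weak form: the value becomes part of the statement, so the WHERE clause is attacker-controlled."""
    return conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()


def lookup_role_safe(conn, name):
    """Hardened form: validate first, then bind the value as a parameter so it can never be parsed as SQL."""
    name = validate_username(name)
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Show the difference on a well-formed name and on a malformed one."""
    conn = setup_db()
    crafted = "x' OR 'a'='a"            # malformed input that subverts the unsafe query
    unsafe_rows = lookup_role_unsafe(conn, crafted)   # returns every row, not one
    try:
        lookup_role_safe(conn, crafted)
        safe_rejected = False
    except ValueError:
        safe_rejected = True             # the allow-list stops it before the database sees it
    return len(unsafe_rows), safe_rejected, lookup_role_safe(conn, "alice")


if __name__ == "__main__":
    print(demo())
```

The two layers are deliberately independent: the allow-list rejects inputs that are wrong for the field regardless of what the database would do with them, and the bound parameter protects the query even for fields (free text, for instance) where no tight allow-list exists.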
System and Services Acquisition (SA)
- SA-1: Risk Management for Contractors | Incorporate information security risk management practices in contractor agreements to ensure ongoing compliance with organizational policies and regulatory requirements during system development or acquisition processes.
- SA-2: Security Assessment of Third-Party Products/Services | Evaluate the security of third-party products or services before integration into your environment using formal assessment methodologies and reputable certification programs.
- SA-3: Contract Language for Information System Security | Include detailed information security requirements in contract language to ensure vendors understand and adhere to established security standards during product development or service delivery.
- SA-4: Contractor Personnel Security | Ensure contractors follow organizational security policies, undergo necessary background checks, and receive appropriate training to maintain secure handling of sensitive data and systems.
System and Communications Protection (SP)
- SP-1: Media Protection | Secure media used for the storage and transmission of information with encryption and physical protection measures against unauthorized access or tampering.
- SP-2: Information in Transit Protection | Implement strong cryptographic protocols to protect data while it is transmitted over networks, especially when leaving the organization's environment.
- SP-3: Information in Process Protection | Safeguard information during processing within computing systems using encryption and access controls that limit exposure based on least privilege principles.
- SP-4: Wireless Security | Implement secure configurations for wireless devices and networks to protect against eavesdropping, unauthorized access, or data leakage.
- SP-5: Public Key Infrastructure (PKI) Protection | Protect PKI components from compromise through strong authentication mechanisms, regular audits, and secure storage practices.
System and Communications Protection (SC)
- SC-7: Network Segmentation | Divide networks into smaller segments to isolate critical systems and limit the attack surface by restricting lateral movement between network zones.
- SC-8: Non-Broadcast Distribution | Employ secure data transmission methods that avoid broadcast mechanisms, such as unicast or multicast protocols for sensitive information exchange within internal networks.
- SC-10: Network Traffic Encryption | Encrypt all network traffic, especially when transmitting sensitive data outside secure facilities to prevent eavesdropping and interception by adversaries.
- SC-24: Communication Authentication | Implement strong authentication mechanisms between communicating systems to verify their identities and prevent man-in-the-middle attacks or impersonation attempts.
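SC-24 asks that communicating systems authenticate each other so that an intermediary cannot impersonate either end or alter messages in transit. The example below, added here and not drawn from the original guide, implements one simple form of this with a pre-shared key and HMAC-SHA256: every frame carries a random nonce, a timestamp and a tag over the whole message, and the receiver rejects forged, altered, stale and replayed frames. The `Channel` class, the 30-second freshness window and the keys used in the demonstration are assumptions made for illustration; key provisioning out of band is assumed.

```python
import hashlib
import hmac
import os
import time

NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32


class Channel:
    """One endpoint of an HMAC-authenticated channel.

    Both ends hold the same pre-shared key (assumed to be provisioned out of band).
    `now` is injectable so freshness checks can be tested deterministically.
    """

    def __init__(self, key, now=time.time, window=30):
        self.key = key
        self.now = now
        self.window = window      # seconds of clock skew tolerated
        self.seen = set()         # nonces already accepted (replay protection)

    def send(self, payload):
        nonce = os.urandom(NONCE_LEN)
        ts = int(self.now()).to_bytes(TS_LEN, "big")
        header = nonce + ts
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + tag + payload

    def receive(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < NONCE_LEN + TS_LEN + TAG_LEN:
            return None
        header = frame[:NONCE_LEN + TS_LEN]
        tag = frame[NONCE_LEN + TS_LEN:NONCE_LEN + TS_LEN + TAG_LEN]
        payload = frame[NONCE_LEN + TS_LEN + TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison first: anything not keyed correctly is dropped
        # before we spend effort on freshness checks.
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged or altered
        nonce = header[:NONCE_LEN]
        ts = int.from_bytes(header[NONCE_LEN:], "big")
        if abs(int(self.now()) - ts) > self.window:
            return None                                   # stale (possible delayed replay)
        if nonce in self.seen:
            return None                                   # replay of an accepted frame
        self.seen.add(nonce)
        return payload


def demo():
    """Constructed exchange: one good frame, then a replay, a tampered copy and an impostor."""
    key = os.urandom(32)
    clock = lambda: 1_000_000
    alice, bob = Channel(key, now=clock), Channel(key, now=clock)
    frame = alice.send(b"rotate-credentials")
    accepted = bob.receive(frame)
    replayed = bob.receive(frame)
    tampered = bob.receive(frame[:-1] + bytes([frame[-1] ^ 0x01]))
    impostor = Channel(os.urandom(32), now=clock)
    forged = bob.receive(impostor.send(b"rotate-credentials"))
    return accepted, replayed, tampered, forged


if __name__ == "__main__":
    print(demo())
```

A pre-shared key suits a small fixed set of systems; for larger deployments the same structure (authenticate, then check freshness, then check for replay) is what mutual TLS or a signed-token scheme provides, with the shared secret replaced by certificates or per-peer keys.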
Personnel Security (PS)
- PS-1: Background Investigations | Conduct comprehensive background checks on employees and contractors with access to critical information systems, ensuring they meet organizational standards for trustworthiness.
- PS-2: Personnel Screening | Implement continuous monitoring of security clearances, including periodic reinvestigation as needed to ensure ongoing eligibility based on updated investigative findings or changed circumstances.
- PS-3: Security Education and Training | Provide regular information security awareness training for employees to enhance their understanding of threats, best practices, and organizational policies that affect their roles.
- PS-4: Separation of Duties | Define job roles and access controls that enforce the separation-of-duties principle, so that no single individual can perform critical security-impacting activities without oversight or approval.
- PS-5: Information System Access Monitoring | Monitor user activity within information systems to detect anomalous behavior that may indicate an insider threat or an unauthorized access attempt.
- PS-6: Workforce and Mobile Device Security | Develop policies and procedures to secure workstations, laptops, and mobile devices used by employees accessing sensitive information, including encryption, password protections, and physical safeguards against theft or loss.
- PS-7: Personnel Screening | Conduct thorough background checks on all personnel with access to critical systems or data, verifying their credentials, references, and eligibility for assigned security clearances as required by organizational policies and regulatory standards.
- PS-8: Continuous Monitoring | Proactively monitor personnel activities, system configurations, and security events on an ongoing basis to identify emerging threats or deviations from established security baselines.
Incident Response (IR)
- IR-1: Planning for Information Systems Incidents | Develop a comprehensive incident response plan detailing roles, responsibilities, communication protocols, and recovery procedures specific to various types of cybersecurity events affecting information systems.
- IR-2: Security Assessments of Incident Response Capabilities | Regularly test the effectiveness of incident response plans through exercises or simulations that cover different scenarios and potential vulnerabilities in organizational preparedness and response capabilities.
- IR-3: Security Assessment of Incident Handling Procedures | Evaluate the thoroughness of procedures for documenting, investigating, and responding to security incidents to ensure they meet regulatory requirements and best practices for effective incident management.
- IR-4: Incident Response Team Training and Exercises | Provide regular training sessions for incident response teams to build their skills in threat detection, containment, eradication, recovery, and post-incident analysis. Supplement the training with periodic simulations of realistic cybersecurity events to validate readiness and identify areas for improvement.
- IR-5: Information System Incidents | Develop procedures for detecting, reporting, and responding to security incidents affecting information systems, including escalation paths and communication strategies for various stakeholders involved in managing the event.
- IR-6: Media Protection During Incident Response | Safeguard sensitive media (physical or digital) throughout an incident response effort. Preserve the integrity, confidentiality, and availability of the data while preventing unauthorized access or tampering by malicious actors and inadvertent disclosure by responders.
- IR-7: Media Sanitization | Establish protocols for securely removing data from media used during incident response activities. Follow industry best practices such as cryptographic erasure so that the information cannot be recovered by unauthorized parties who later gain access to the storage devices.