Choosing NIST 800-53: Key Questions for Understanding This Critical Framework

Posted by Chad Walter on Oct 11, 2019 11:28:24 AM

So, your company is under pressure to establish a quantifiable cybersecurity foundation and you’re considering NIST 800-53. Before you make your decision, start with a series of fundamental questions:

  • What is the driver? Is it the board of directors, compliance requirements, response to a vendor risk assessment form (client or partner request of you to prove your cybersecurity posture), or a fundamental position of corporate responsibility? If there is no driver, there is no reason to invest in NIST 800-53 or any cybersecurity foundation.
  • Are you just looking to build a manageable, executable and scalable cybersecurity platform to match your business? The answer to this should always be yes.
  • Do you store or have access to critical data? Unless you’re a sole proprietor and the only employee, the answer is always “YES”.

These first three points are basic, fundamental questions to ask when deciding on any cybersecurity platform, but there is also a final question that is extremely relevant to the decision to move forward with NIST 800-53.

  • Do you handle unclassified or classified government data that could be considered sensitive? If you’re not sure, do you work with Federal Information Systems and/or Organizations? Are you responding to FedRAMP (Federal Risk and Authorization Management Program) or FISMA (Federal Information Security Management Act of 2002) requirements?

If the answer to this is “NO”, meaning you do not handle unclassified government data and you do not work with Federal Information Systems and/or Organizations, you may want to consider other cybersecurity compliance foundations such as the Center for Internet Security (CIS) 20 Critical Security Controls or ISO/IEC 27001. If your organization does process Controlled Unclassified Information (CUI), then you are likely obligated to implement and maintain another framework, known as NIST 800-171, for DFARS compliance. There are pros and cons to each, and they vary in complexity. The key is to find a program that best fits your business and data security requirements.

If the answer to the last point is “YES”, NIST 800-53 is likely the proper compliance foundation which, when implemented and maintained properly, will ensure that you’re building upon a solid cybersecurity foundation. Of course, just deciding on NIST 800-53 (or any other cybersecurity foundation) is only the tip of the iceberg. Committing to NIST 800-53 is not without its challenges, and you’ll have to consider several factors associated with implementation, such as:

  • Are you planning to implement NIST 800-53 for FedRAMP or FISMA requirements? What level of NIST 800-53 (Low, Medium, High) are you planning to implement? Not knowing which is right for you can result in a lot of wasted time, energy and money.
  • What’s your timeline? Understand when you want to kick-off the project and when you want it completed.
  • What do you have now? Have you done a NIST 800-53 Compliance Readiness Assessment to review your current cybersecurity programs and how they align to NIST 800-53?
  • Resources? There are 1,600+ controls within the NIST 800-53 platform; do you have the staff required to implement them? Does that staff have the experience and knowledge to effectively assess, design and implement NIST 800-53? If you have the staff, can they dedicate the time necessary to complete the task? Is this project going to negatively affect other staff activities/responsibilities?
  • Who’s going to test and maintain the platform as business and compliance requirements change?
  • Is it in your best interest to leverage a third-party NIST 800-53 expert? Outside cybersecurity experts can provide an unbiased assessment, design, implementation and roadmap aligning your business to compliance requirements. The right partner will also recognize and align your business’ unique cybersecurity initiatives with all the cybersecurity requirements your business faces, such as PCI-DSS, HIPAA, State requirements, GDPR, etc… An independent cybersecurity expert is often more efficient and better connects with the “C-suite”/Board of Directors.

NIST 800-53 has its place as a cybersecurity foundation. When properly implemented and executed upon, NIST 800-53 standards not only create a solid cybersecurity posture, but also position you for greater business success.

If you have questions about NIST 800-53 or any other framework, contact our cybersecurity services team for a consultation.