Who Needs to be NIST Compliant?
In a world where security threats are at every turn, it would seem that everyone should be looking for ways to protect themselves. However, that’s not always the case. Organizations often find themselves in a fuzzy area where they believe their security is good enough, but they’re not sure because they don’t know what “good enough” means.
When it comes to government regulations, one of the most talked about is the National Institute of Standards and Technology (NIST) 800-53 [PDF]. The purpose of NIST 800-53 is to “specify security requirements for information systems supporting federal agencies.” Beyond this, NIST 800-53 provides organizations with a set of guidelines in order to improve their internal security processes.
This means that many security professionals are in support of NIST 800-53 compliance. Not only will compliance prove that an organization has at least one baseline level of security in place, but it can also help with other regulations like FISMA or ISO 27001.
How to Become Compliant
So what is the downside to NIST 800-53? There isn’t really one; except for the time and effort it takes to be compliant. The process is very complicated, but luckily there are companies out there that can help you achieve compliance in an easy, cost effective way. An IT company that specializes in security will be able to help your business with compliance, but you should always do some research before making any final decisions. They’ll help you be NIST compliant.
The NIST 800-53 “recommends” what types of security controls need to be in place in order to maintain a certain level of security. For example, if an organization wishes to have the highest level of security, you’ll be looking at something like the Control C-78: System and Services Acquisition. This control requires your monitoring team to monitor logs 24/7, 365 days a year.
NIST SP 800-171: The security control standard deals with the management of information that is classified at one of three levels (i.e., Confidential, Secret, Top Secret). This standard has been mandated for use by the U.S. Department of Defense (DoD) and other federal agencies. To achieve compliance with N
NIST SP 800-53: This standard is broken down into four categories (i.e., security, acquisition, development and organizational roles) with three levels of assurance (low, moderate, high). The first category within this standard deals with security and includes six components, three of which are required in order to be compliant (i.e., security policy, risk assessment, security training).
Compliance with NIST SP 800-53 is relevant because the security control standard has been mandated for use by U.S. federal agencies (under FIPS 200) and is required in order to obtain FedRAMP (a government cloud computing service). The compliance for all FedRAMP participants is coordinated by the General Services Administration (GSA).