NIST is the U.S. National Institute of Standards and Technology, a federal agency that has been in operation for more than a century and supports a wide range of science- and standards-based products and services. Within NIST is the Information Technology Laboratory (ITL), which publishes the Special Publication (SP) 800 series on computer security and maintains the National Vulnerability Database (NVD). The NVD also hosts a searchable catalog of the controls defined in NIST Special Publication 800-53 (Rev. 4).
NIST SP 800-53 is a catalog of security and privacy controls for federal information systems and organizations. It serves as a guide for security policies and for the protection of the private information of both agencies and citizens against cyberattacks, errors and disasters. It provides management, operational and technical controls for developing secure IT systems and maintaining the confidentiality, integrity and availability of information assets. Under FISMA, the standard applies to any federal information system, that is, any system that stores, processes or transmits federal data. Rev. 4 defines three security control baselines (Low, Moderate and High impact), selected according to the FIPS 199 impact categorization of the system, and each baseline draws a subset of controls from the following 18 control families (listed below), each with its own set of security controls and control enhancements:
AC - Access Control
AT - Awareness and Training
AU - Audit and Accountability
CA - Security Assessment and Authorization
CM - Configuration Management
CP - Contingency Planning
IA - Identification and Authentication
IR - Incident Response
MA - Maintenance
MP - Media Protection
PE - Physical and Environmental Protection
PL - Planning
PM - Program Management
PS - Personnel Security
RA - Risk Assessment
SA - System and Services Acquisition
SC - System and Communications Protection
SI - System and Information Integrity
It is relevant to mention that in September 2020 the final version of NIST SP 800-53 Rev. 5 was published. It removed the word ‘federal’ from the title, which became ‘Security and Privacy Controls for Information Systems and Organizations’, signaling that the catalog is not limited to federal agencies and can serve any organization as a reference for meeting multiple security standards. Rev. 5 has 20 control families: CA was renamed ‘Assessment, Authorization and Monitoring’, and two families were added, ‘PT - Personally Identifiable Information (PII) Processing and Transparency’ and ‘SR - Supply Chain Risk Management’. Rev. 5 also moved the Low, Moderate and High baselines out of the main document into a companion publication, NIST SP 800-53B, so that the catalog and the baselines can be updated independently. Rev. 4 was subsequently withdrawn in September 2021.
NIST SP 800-53 is not itself a regulation but a standard of best practices in security and privacy, so there are no penalties or fines for non-compliance as such. One caveat a practitioner should keep in mind: for U.S. federal agencies and the systems operated on their behalf by contractors, the use of SP 800-53 is mandated through FISMA and FIPS 200, and programs such as FedRAMP build on it, so in those contexts failing to implement the required controls can mean losing or never obtaining the authorization to operate a system. For everyone else, the official NIST documents can still be quite useful, providing guidance according to the organization's own security objectives and including suggested practices for data protection and breach avoidance, such as:
Identification of all sensitive information in use, of the users who handle it and of their access permissions.
Removal of inactive user accounts.
Monitoring for suspicious activity and potential threats.
Detection and remediation of security vulnerabilities in the systems.
Ensuring compliance with up-to-date security standards can become a complicated task for organizations whose businesses depend on continually evolving information technology. Fluid Attacks recognizes this and offers comprehensive testing and analysis to determine whether your company is effectively complying with all the security requirements that apply to it.
Although Fluid Attacks' Continuous Hacking service goes beyond NIST SP 800-53, testing around 200 technical security requirements in each of your projects, we can guarantee the detection of all vulnerabilities in your software associated with this standard. In addition, we provide you with reliable reports so that your team can take the necessary steps to adjust and maintain your information systems in line with those requirements.
All our security testing is based on Rules, a set of security requirements written by us in plain, comprehensible language, using several international standards as references. Rules allows you to parameterize the assessments we perform on your systems and to determine which requirements your company commits to comply with and, therefore, what will be reported as a vulnerability.