NIST Special Publication (SP) 800 Series | Rivial Security

Written by Randy Lindberg | 27 Jan 2021

Financial data is continuously at risk of theft by external cyber threats, and a successful attack can cost financial institutions such as banks and credit unions millions of dollars in damages. These threats are a persistent problem for those working in computer security. Security managers and executives need guidance on how to manage the information systems under their purview and address these threats as they develop. Enter the NIST 800 series.


The NIST 800 series is a set of technical publications, developed by the National Institute of Standards and Technology (NIST), that details U.S. government procedures, policies, and guidelines for information systems. NIST is a non-regulatory agency; it supports other agencies by supplying the information they need to govern their information systems.


Application of the NIST 800 Series

Even organizations that hold no data in that particular area must still meet specific criteria for computer network security. The NIST 800 publications provide a baseline for how government and private organizations should administer their network security posture, including their security policies.


The individual publications in the series each address a different aspect of the cyber defense domain. Even private organizations that are not aware this series exists already implement many of the standards it contains as part of their normal business practices. Topics covered by the NIST 800 references include, but are not limited to:


- Protecting controlled unclassified information

- Developing a cybersecurity workforce

- Email cryptography and protection


These references continue to evolve because information technology itself changes frequently.


NIST 800-53

NIST 800-53 is a unique publication that contains a catalog of security and privacy controls for information systems, other than networks that handle national security. The publication has undergone several revisions over the past three decades through NIST's partnership with the Department of Defense and with civil and intelligence agencies. The latest iteration is Revision 5, which covers, among other things:


  • Privacy controls fully integrated with security controls, creating a unified set of controls for organizations and networked systems
  • Replacing the term 'information system' with 'system,' so that the controls can be applied to any system that handles data: industrial control systems, IoT devices, cyber-physical systems, and so forth
  • New controls based on empirical attack data and threat intelligence assessments
  • De-emphasizing the federal focus to encourage adoption by organizations outside the federal government


Revision 5 was held up by disagreements between U.S. federal agencies; it has been publicly available since September 2020.


Revision 4, released in 2012, emphasizes specific subject areas, including but not limited to:


  • Insider threats
  • Privacy
  • Cross-domain solutions
  • Advanced persistent threats
  • Software and web application security
  • Social networking, cloud computing, and mobile devices


There are many control families listed under this specific revision, including:


  • AC – Access Control
  • CM – Configuration Management
  • IA – Identification and Authentication
  • MP – Media Protection
  • PS – Personnel Security
  • RA – Risk Assessment
  • PE – Physical and Environmental Protection
  • SI – System and Information Integrity
  • SA – System and Services Acquisition
  • AT – Awareness and Training

New Developments for NIST SP 800

One of the latest releases in the NIST 800 series is NIST 800-207, which serves as the reference for the Zero Trust principle of network security. Zero Trust focuses on vetting and controlling access by remote assets to the headquarters network, under the assumption that no asset should be trusted simply because of its physical or network location. Authentication and authorization are checked at both the user and device levels before access to a system is granted.
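The following is an added example, not code from the Rivial post or from NIST SP 800-207 itself, illustrating the decision the paragraph describes: a small policy decision point that evaluates each access request on user authentication, device posture and role authorization, and deliberately ignores the source network. A legacy perimeter check is included beside it for contrast. The user, device, resource and IP values, the role table and the 30-day patch threshold are all constructed for the example.

```python
"""Illustrative Zero Trust policy decision point (added example; assumptions
are marked). Every access request is vetted on the user and the device, never
on whether it comes from a "trusted" network location."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Subject:
    user_id: str
    mfa_verified: bool              # strong authentication completed this session
    roles: frozenset = frozenset()  # roles granted by the identity provider


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                   # enrolled in the organization's device inventory
    disk_encrypted: bool
    patch_age_days: int             # days since the last approved patch level


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    source_ip: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Constructed authorization table: which roles may reach which resource.
RESOURCE_ROLES = {
    "core-banking": {"teller", "loan-officer"},
    "hr-portal": {"hr"},
}
MAX_PATCH_AGE_DAYS = 30                  # constructed posture threshold
HQ_NETWORK = ip_network("10.0.0.0/8")    # used only by the legacy check below


def perimeter_decide(req: AccessRequest) -> Decision:
    """Legacy perimeter model, for contrast: trust is inferred from location."""
    if ip_address(req.source_ip) in HQ_NETWORK:
        return Decision(True, ["request originates inside the corporate network"])
    return Decision(False, ["request originates outside the corporate network"])


def zero_trust_decide(req: AccessRequest) -> Decision:
    """Zero Trust model: vet user and device on every request; location is ignored."""
    reasons = []
    if not req.subject.mfa_verified:
        reasons.append("user not strongly authenticated")
    if not req.device.managed:
        reasons.append("device not enrolled in inventory")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device patch level older than {MAX_PATCH_AGE_DAYS} days")
    permitted = RESOURCE_ROLES.get(req.resource, set())
    if not (req.subject.roles & permitted):
        reasons.append(f"no role authorized for {req.resource}")
    # req.source_ip is deliberately never consulted: being on the HQ network earns nothing.
    return Decision(allowed=not reasons, reasons=reasons or ["all user and device checks passed"])


# Constructed sample requests.
HEALTHY_DEVICE = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=5)
STALE_DEVICE = Device("lt-0099", managed=True, disk_encrypted=True, patch_age_days=90)
TELLER = Subject("alice", mfa_verified=True, roles=frozenset({"teller"}))

# A teller on a healthy, managed laptop connecting from home.
REMOTE_TELLER = AccessRequest(TELLER, HEALTHY_DEVICE, "core-banking", "203.0.113.7")
# The same teller on an unpatched laptop plugged into the HQ network.
ONSITE_STALE = AccessRequest(TELLER, STALE_DEVICE, "core-banking", "10.1.2.3")
# The teller on a healthy laptop asking for a resource her role does not cover.
WRONG_ROLE = AccessRequest(TELLER, HEALTHY_DEVICE, "hr-portal", "10.1.2.3")

if __name__ == "__main__":
    for name, req in [("remote teller", REMOTE_TELLER), ("onsite stale", ONSITE_STALE), ("wrong role", WRONG_ROLE)]:
        p, z = perimeter_decide(req), zero_trust_decide(req)
        print(f"{name}: perimeter={p.allowed} ({p.reasons[0]}); zero trust={z.allowed} ({'; '.join(z.reasons)})")
```

The two models disagree on exactly the cases that matter: the perimeter model rejects the healthy remote teller and admits the unpatched on-site laptop, while the Zero Trust decision admits the former and denies the latter with an explicit reason that can be logged and acted on.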

NIST Compliance

Private organizations typically comply with the NIST 800 publications on a voluntary basis. Contractors bound to federal agencies by contract, however, must comply with the standards laid out in the relevant NIST 800 references, specifically NIST 800-171.

2021 and Beyond

Today's challenge is to protect the privacy and security of corporate data from external threats attempting to breach network defenses while keeping the enterprise operating. All the publications in the NIST 800 series are available from NIST's Computer Security Resource Center.


Get in touch with Rivial to get a NIST Security Audit today.