NIST 800-53 & CSF


Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-53 guidelines apply to any component of a system that stores, processes, or transmits federal information. The publication provides a catalog of controls: the operational, technical, and management safeguards that information systems use to protect the confidentiality, integrity, and availability of federal information. Although the catalog was written for government agencies, organizations in every industry use it to improve the security of their information systems, because it supplies a well-defined baseline for building a secure organizational infrastructure.

NIST SP 800-53 is shorthand for National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The National Institute of Standards and Technology (NIST) is a U.S. federal agency that establishes computer and information technology standards and guidelines for federal agencies to use.

NIST provides explicit requirements for vulnerability scanning under Control RA-5: Vulnerability Scanning.

a. Scan for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;

b. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

  • Enumerating platforms, software flaws, and improper configurations;
  • Formatting checklists and test procedures; and
  • Measuring vulnerability impact;

c. Analyze vulnerability scan reports and results from security control assessments;

d. Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk; and

e. Share information obtained from the vulnerability scanning process and security control assessments internally to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).


Framework for Improving Critical Infrastructure Cybersecurity

The NIST CSF takes a more generalized, high-level approach to security best practices than NIST 800-53 and 800-171. The Framework is voluntary guidance, based on existing standards, guidelines, and practices, that helps organizations better manage and reduce cybersecurity risk. Beyond managing and reducing risk, it was designed to foster communication about risk and cybersecurity management among both internal and external organizational stakeholders.

NIST’s goal with the Cybersecurity Framework is to help organizations determine which processes and controls are most relevant to their particular challenges, and how best to implement them and test the efficacy of the security measures they put in place. The Framework does not list tables of security controls; instead, it organizes its key points into five Functions that make up the Framework Core: Identify, Protect, Detect, Respond, and Recover. Within these five areas, NIST provides industry-agnostic guidance to help organizations reach the intended levels of security competence and compliance.

NIST Cybersecurity Framework guidance recommends the following actions as part of a continuous security monitoring, vulnerability management, and risk mitigation strategy:

• Vulnerability scans are performed

• Asset vulnerabilities are identified and documented

• Newly identified vulnerabilities are mitigated or documented as accepted risks

• Internal and external threats are identified and documented

• Threats, vulnerabilities, likelihoods and impacts are used to determine risk

How Continuous Assessments Help You

Continuous Visibility

Maintain awareness of threats and vulnerabilities so risks can be remediated

Prioritize Risk

Use results to prioritize and manage risk consistently across the organization

Verify Compliance

Validate compliance with information security policies and standards/guidelines

Why Furtim

Continuous testing provides ongoing assurance that security controls remain aligned with organizational risk tolerance, along with the information needed to respond to risk in a timely manner should observations indicate that the controls are inadequate.


Ready for Security Assessments as a Service?
