NIST 800-53 provides a comprehensive catalog of security controls. NIST 800-53A provides a framework for assessing the adequacy of in-place controls. Although both are targeted to the federal government, many organizations appreciate the depth and prescriptive nature of the NIST standards. As a result, the standards are widely used outside of government, even if only as a complement to other standards such as ISO/IEC 27002.

NIST 800-53 addresses a wide range of controls, covering management, technical, and operational aspects. The catalog is grouped into 17 families of controls, which include the following:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Planning
Personnel Security
Risk Assessment
Security Assessment and Authorization
System and Services Acquisition
System and Communications Protection
System and Information Integrity
The framework for each of the preceding families of controls is composed of the following elements:
Control—A descriptive statement of the security measure put in place to provide reasonable assurance that the process or function is working as expected
Supplemental guidance—Additional guidance for consideration
Control enhancements—Information on augmenting the control with additional functionality or increased security
References—A listing of federal laws, executive orders, directives, policies, standards, and guidelines related to the control
Priority and baseline allocation—A listing of codes used for prioritizing decisions during security control implementation and control enhancements for systems of varying degrees of impact
This standard discusses in detail the process for conducting assessments. This includes topics on preparing for the assessment, developing the plans, conducting the assessment, and follow-on reporting, analysis, and other activities.