NIST Special Publication 800-53 (Rev. 4) provides a catalog of security controls for all U.S. federal information systems except those designated as national security systems. Most U.S. federal information systems must select their security and privacy controls from this catalog.

These systems must go through a formal assessment and authorization process (the Risk Management Framework of NIST SP 800-37) to ensure adequate protection of the confidentiality, integrity, and availability of information and information systems. The controls required depend on the system's security category and impact level (low, moderate, or high, per FIPS 199) and on a risk determination. Security controls are selected from the NIST SP 800-53 control catalog, and the system is then assessed against those control requirements.

An initial public draft of NIST Special Publication 800-53 Revision 5 was released in August 2017. It introduces several significant changes:

1. It aligns the catalog with other risk and security frameworks, for example by using terminology consistent with the NIST Cybersecurity Framework, so that organizations can integrate different risk management approaches.

2. It makes the security and privacy controls more outcome-based by restructuring the control statements (the entity responsible for implementing a control is no longer embedded in the statement itself).

3. It integrates privacy controls into the security control catalog, giving a single consolidated view of both.

4. It adds new, state-of-the-practice controls based on threat intelligence and empirical attack data.

Each agency is responsible for implementing the minimum security requirements outlined by NIST (FIPS 200 and the SP 800-53 baselines). Agencies that run federal information systems are assessed periodically under FISMA to determine their level of compliance, and the results are reported to Congress. Poor results can lead to penalties and reputational damage.

Compliance in the Cloud and Key Challenges

Most SP 800-53 controls can be categorized as either procedural or technical. Procedural controls cover policies, procedures, and processes. Technical controls typically concern the configuration of your cloud environment and should be implemented and assessed with cloud security tooling.

Designing and implementing technical security and privacy controls in the cloud presents the following challenges:

Lack of visibility – with hundreds of security groups, projects, entities, instances, and accounts across several regions, it is difficult to keep track of security policy configurations and to verify that those policies are actually enforced. Organizations need tools that visualize the security posture, manage it, and enforce compliance and security best practices.

Ever-changing cloud technology – most existing security solutions were not designed for dynamic cloud infrastructure that changes rapidly.

Knowledge gap – DevOps and compliance teams often lack cloud-specific security knowledge. This gap makes it harder to develop enterprise-wide guidelines and best practices backed by detailed technical recommendations.

Large amounts of data – existing security and compliance tools focus on analyzing large volumes of data and generating text-heavy reports. They lack the ability to visualize configuration and activity data, and they cannot monitor compliance and security requirements in real time.

Remediation challenges – complex cloud architectures make it difficult to identify known issues as soon as they are discovered and to carry out the necessary remediation actions from a single platform.

How Does Dome9 Help with NIST Compliance?

1. Visibility into all of your Cloud Assets

A company needs to clearly define all the system components in scope for its NIST 800-53 assessment. Dome9 provides visibility into your cloud assets, which is a prerequisite for compliance: you cannot protect, or assess, information and resources that are not on your radar.

2. Compliance Engine

The Compliance Engine gives a real-time view of compliance and security posture, so that risks can be mitigated as soon as they appear.

3. Governance Specification Language (GSL)

GSL lets compliance and security teams write and review compliance checks quickly and without deep technical knowledge, which reduces errors in translating IT governance requirements into policy definitions.

4. Continuous Compliance

Continuous Compliance allows Dome9 clients to run compliance assessments continuously against various compliance suites and to receive findings by the most convenient channel, such as email, an SNS notification, or a PDF report.

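To make concrete what a compliance engine and its rule language actually do (the Compliance Engine, GSL, and Continuous Compliance features above), here is an added, self-contained Python example; it is not Dome9 code and does not use GSL. It evaluates AWS security groups, in the shape returned by EC2 DescribeSecurityGroups, against three technical rules filed under NIST SP 800-53 controls (SC-7 Boundary Protection, SC-7(5) Deny by Default, AC-17 Remote Access). The group IDs, names, rule names, and control mapping are constructed for illustration. It handles the edge cases that naive checks miss: a port range that happens to cover 3389, an IPv6 any-source (::/0), and the all-traffic protocol "-1", which carries no port fields at all.

```python
"""Added example: a minimal cloud configuration-compliance check.

Evaluates AWS security groups (EC2 DescribeSecurityGroups shape) against
a few rules mapped to NIST SP 800-53 controls. Not Dome9 code; the sample
data, rule names and control mapping are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample input; group IDs and names are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        # Port range 3000-4000 silently covers RDP (3389), from any IPv6 source.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # HTTPS from the world is acceptable for a public app tier.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        # All protocols ('-1' has no FromPort/ToPort), but only from the VPC range.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ddd", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def source_cidrs(perm: dict) -> List[str]:
    """Collect the IPv4 and IPv6 source ranges of one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any network with prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_port(perm: dict, port: int, proto: str = "tcp") -> bool:
    """Does this permission admit proto/port? '-1' means every protocol and
    port, and such entries carry no FromPort/ToPort keys."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def open_to_world(perm: dict) -> bool:
    return any(is_world(c) for c in source_cidrs(perm))


# Rule id, the 800-53 control the finding is filed under, predicate on a permission.
RULES = [
    ("world_all_traffic", "SC-7(5)",
     lambda p: p["IpProtocol"] == "-1" and open_to_world(p)),
    ("world_ssh", "SC-7 / AC-17", lambda p: covers_port(p, 22) and open_to_world(p)),
    ("world_rdp", "SC-7 / AC-17", lambda p: covers_port(p, 3389) and open_to_world(p)),
]


def evaluate(groups: List[dict]) -> List[Dict[str, str]]:
    """Run every rule over every ingress permission; one finding per (group, rule)."""
    findings, seen = [], set()
    for g in groups:
        for perm in g.get("IpPermissions", []):
            for rule_id, control, pred in RULES:
                key = (g["GroupId"], rule_id)
                if key in seen or not pred(perm):
                    continue
                seen.add(key)
                findings.append({"group": g["GroupId"], "name": g["GroupName"],
                                 "rule": rule_id, "control": control})
    return findings


def failing_groups(findings: List[Dict[str, str]], rule_id: str) -> Set[str]:
    return {f["group"] for f in findings if f["rule"] == rule_id}


def posture(groups: List[dict]) -> Dict[str, str]:
    """Per-rule PASS/FAIL summary: the 'compliance posture' view of the account."""
    findings = evaluate(groups)
    return {rid: ("FAIL" if failing_groups(findings, rid) else "PASS")
            for rid, _, _ in RULES}


if __name__ == "__main__":
    for f in evaluate(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['rule']} -> {f['control']}")
    print(posture(SAMPLE_GROUPS))
```

Running it against live data means replacing SAMPLE_GROUPS with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()` for each account and region; the rule predicates stay the same. The "legacy" group fails all three rules because an all-traffic permission covers every port, which is exactly why a rule engine should evaluate each permission against every rule rather than stop at the first match.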
Get Started Today with Dome9 for AWS NIST 800-53 Compliance

The Dome9 Compliance Engine automates continuous compliance with NIST 800-53 across your cloud accounts, with out-of-the-box compliance bundles for NIST 800-53 Rev. 4 and FedRAMP.

With a single click, you can automate your NIST 800-53 continuous compliance assessment in real time using Dome9's Compliance Engine and Continuous Compliance features.

Dome9 documents its coverage for each impact level of the NIST 800-53 and FedRAMP requirements. The references below are the source material for those requirements and for each cloud provider's control mappings:

NIST 800-53 rev 4

https://nvd.nist.gov/800-53/Rev4

NIST 800-53 rev 5 Draft

https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

AWS

Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud: Quick Start Reference Deployment

https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

You can also view the security controls matrix (Microsoft Excel spreadsheet), which maps the architecture components of the Quick Start to NIST 800-53 controls:

https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/nistv2/latest/docs/NIST-800-53-Security-Controls-Mapping.xlsx

GCP

Google Cloud NIST 800-53 resources

https://cloud.google.com/security/compliance/nist800-53/

Azure

NIST 800-53 controls within the FedRAMP Moderate Baseline by Azure (Microsoft Cloud)

https://www.microsoft.com/en-us/trustcenter/compliance/NIST_CSF