AWS Government, Education, & Nonprofits Blog

Keeping Pace with NIST SP 800-53

National Institute of Standards and Technology (NIST) Special Publication 800-53 offers a comprehensive set of information security controls. The current version, revision 4, contains nearly one thousand controls spread across 19 different control families.

NIST 800-53 rev 5 is scheduled to be released in 2017 (initial public draft anticipated in late June 2017) with updates for current as well as future adopters. These changes are designed to continue to improve the security posture of information systems across both federal and non-federal systems.

Since NIST 800-53 was first introduced, the number of controls has greatly expanded: the initial version of 800-53 contained approximately 300 controls, and NIST 800-53 rev 4 contains 965 controls. It is not just the number of controls that has grown; the structure and organization of the controls have evolved as well. While these changes are designed to improve the security posture of the systems protected, the process of migrating to new versions can be complex.

Ongoing requirements

Despite the complexity, each NIST 800-53 revision makes the control set increasingly valuable. As technologies such as mobile, IoT, and cloud evolve, NIST continuously enhances 800-53, which makes migration an ongoing requirement.

The NIST 800-53 controls catalog can be leveraged to improve and maintain the security posture of any organization, but for federal agencies its implementation is required. The NIST 800-53 controls are the basis for the assessment and authorization (A&A) of all federal systems. As new versions of NIST 800-53 are introduced, the rules for compliance change, putting the responsibility on organizations to understand the differences between versions and how these changes impact their authority to operate (ATO). Managing this migration process manually using spreadsheets can be labor intensive, prone to error, and sometimes unmanageable for organizations that have multiple systems to manage.

Automation – critical to keeping pace

A centralized application that automates critical A&A processes is essential to managing implementations efficiently. Xacta 360, a solution from APN Technology Partner Telos, is optimized to run in AWS environments, including AWS GovCloud (US). Xacta 360 streamlines the end-to-end A&A process workflow. Content such as new and changed controls, including updates to the control language, becomes available in Xacta 360 as it is introduced by NIST. Telos engineers crosswalk NIST 800-53 upgrades and make these crosswalks available within the software. Unlike spreadsheets, which require weeks of effort to migrate each project, with Xacta 360 this process is entirely automated and takes minutes to move from an older version of NIST 800-53 to the most current version.
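The crosswalk migration described above, as an added example that is not Xacta's or Telos's code: given a system's per-control implementation statements under an older revision and a crosswalk to the newer one, it sorts each control into the buckets an assessor must act on. The crosswalk and the list of new controls are constructed for illustration (IDs follow NIST's naming format, but this is not the published rev 4 to rev 5 mapping).

```python
"""Crosswalk-driven migration of one system's control implementations from an
older catalog revision to a newer one (added illustration, not Xacta's code)."""

# Constructed crosswalk: old control ID -> (successor ID or None, change type).
# IDs follow NIST's naming format, but this is an illustrative mapping, not the
# published NIST SP 800-53 rev 4 -> rev 5 crosswalk.
CROSSWALK = {
    "AC-2":    ("AC-2",    "unchanged"),  # same control, same requirement text
    "AC-2(1)": ("AC-2(1)", "language"),   # requirement text updated
    "SA-12":   ("SR-3",    "moved"),      # relocated into a new control family
    "PL-2":    ("PL-2",    "unchanged"),
    "PL-2(3)": ("PL-2",    "withdrawn"),  # enhancement folded into its parent
    "SI-7(6)": (None,      "withdrawn"),  # removed with no successor
}
# Constructed: controls that exist only in the newer revision.
NEW_CONTROLS = {"PT-1", "SR-1", "SR-3"}


def migrate(implementations, crosswalk=CROSSWALK, new_controls=NEW_CONTROLS):
    """Map {old_control_id: implementation statement} onto the new revision.

    Buckets: 'carried' (no action), 'review' (statement kept but must be
    re-validated), 'retired', 'unmapped' (crosswalk gap needing a human
    decision) and 'to_implement' (new controls with no inherited statement).
    """
    out = {"carried": {}, "review": {}, "retired": [], "unmapped": [],
           "to_implement": []}
    for old_id, statement in implementations.items():
        if old_id not in crosswalk:
            out["unmapped"].append(old_id)
            continue
        new_id, change = crosswalk[old_id]
        if new_id is None:
            out["retired"].append(old_id)
        elif change == "unchanged":
            out["carried"][new_id] = statement
        else:
            # Changed text, moved control, or enhancement merged into a parent:
            # keep the old statement as a starting point, flagged for review.
            prior = out["review"].get(new_id, "")
            out["review"][new_id] = (prior + "\n" + statement).strip()
    # A control that received merged text cannot also be carried untouched.
    for new_id in list(out["carried"]):
        if new_id in out["review"]:
            out["review"][new_id] = (out["carried"].pop(new_id) + "\n"
                                     + out["review"][new_id])
    covered = set(out["carried"]) | set(out["review"])
    out["to_implement"] = sorted(new_controls - covered)
    return out
```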

Helping organizations keep pace with changes to NIST 800-53 is an example of how automation can take the pain out of security compliance. Xacta 360 operationalizes the NIST Risk Management Framework (RMF) for AWS-based cloud and hybrid IT systems, accelerating progress through the entire six-step RMF process.

Learn more about how Xacta 360 helps organizations keep pace with potentially disruptive changes and updates to NIST controls and frameworks at www.telos.com/Xacta360