The Full NIST 800 53 Checklist: How to Prepare for an Audit

NIST 800-53 Revision 5 provides a catalog of security and privacy controls for information systems and organizations, intended to protect organizations, and ultimately the US, from a diverse set of risks, including the following threats:

  • hostile attacks
  • human errors
  • natural disasters
  • structural failures
  • foreign intelligence entities
  • privacy risks

The NIST 800-53 controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from today’s business needs such as remote work settings and cloud security. The audit checklist provided below will help simplify the complexity of the NIST 800-53, the gold standard in information security. Following these guidelines represents a great step in building a mature cybersecurity program.


Purpose and Applicability

Implementation of the NIST 800-53 control catalog is mandatory for federal information systems under the Office of Management and Budget (OMB) and the provisions of FISMA, which requires the implementation of minimum controls to protect federal information and information systems.

The report accomplishes this objective by providing a comprehensive and flexible catalog of security and privacy controls to meet current and future protection needs based on changing threats, vulnerabilities, requirements, and technologies. The publication also improves communication among organizations by providing a common lexicon that supports the discussion of security, privacy, and risk management concepts. 

How to Ensure NIST 800-53 Compliance: A Checklist

  • Select a Control Baseline

The concept of a NIST security baseline is introduced to assist organizations in selecting a set of controls for their systems that is commensurate with their security and privacy risk. 

A control baseline is a collection of controls assembled to address the security needs of an organization. It provides a generalized set of controls that represents a starting point for the subsequent tailoring activities that are applied to the baseline to produce a targeted or customized security and privacy solution for the entity that the baseline is intended to serve.

Control baselines are based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, regulations, policies, directives, standards, or industry best practices. Tailoring activities are described in greater detail below.

  • First, determine the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. The process of determining information criticality and sensitivity is known as security categorization.
  • In preparation for selecting and tailoring the appropriate security control baselines for organizational systems and their respective environments of operation, organizations determine the impact level of the system.
  • The impact level of the system, in turn, is used for the express purpose of selecting the applicable security control baseline from one of the three baselines.
  • In addition to the three security control baselines, organizations must select an initial privacy control baseline for federal agencies to address privacy requirements and manage privacy risks that arise from the processing of PII based on privacy program responsibilities.
  • Tailor Control Baselines

After selecting an appropriate control baseline, organizations initiate a tailoring process to align the controls more closely with the specific security and privacy requirements identified by the organization. The tailoring process is part of an organization-wide risk management process that includes framing, assessing, responding to, and monitoring information security and privacy risks. The tailoring process can include but is not limited to the following activities:

  • Identifying and designating common controls 
  • Applying scoping considerations
  • Selecting compensating controls
  • Assigning values to organization-defined control parameters via explicit assignment and selection operations
  • Supplementing baselines with additional controls and control enhancements
  • Providing specification information for control implementation
  • Define Key Capabilities

As the number of controls in the NIST audit checklist grows in response to an increasingly sophisticated threat space, organizations need to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that—if properly designed, developed, and implemented—produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective.

  • Implement Controls

A significant challenge for organizations is selecting a set of security and privacy controls that can protect their mission and business functions and provide the capability to manage security and privacy risk. The selected controls, if correctly implemented and determined to be effective, meet security and privacy requirements defined by applicable laws.

There is no single set of controls that addresses all security and privacy concerns in every situation. However, choosing the most appropriate controls for a specific situation or system to adequately respond to risk requires a fundamental understanding of the organization’s mission and business priorities, the mission and business functions that the systems will support, and the environments in which the systems will operate.

With that understanding, organizations can demonstrate how to efficiently and cost-effectively assure the confidentiality, integrity, and availability of organizational information and systems, as well as the privacy of individuals in the context of supporting the organization’s mission and business functions. 

  • Reference the Control Catalog

Controls are designed to be flexible, so make sure to consult the discussion section of each control. It contains additional information that helps with implementing or adapting controls in line with the organization’s requirements or risk. The control catalog will also reference which controls are reliant on, or connected to, others. This helps build a systematic approach to implementation.

  • Record Evidence of Implementation

As with all security standards and frameworks, it is important to record the implementation of NIST SP 800-53 controls. Records and documentation should be collected as evidence of compliance with each control, helping to demonstrate overall compliance with NIST SP 800-53.

  • Assessment and Continuous Monitoring

Assess and monitor the security and privacy controls in the information system and its environment of operation on an ongoing basis to determine control effectiveness, changes to the system or environment, and compliance with legislation, executive orders, directives, policies, regulations, and standards.

NIST 800-53 as a Catalyst for a FISMA Audit

Being NIST 800-53 compliant doesn’t automatically guarantee a FISMA ATO or FedRAMP authorization, but it is a great stepping stone toward a FISMA authorization. Organizations will need to implement the relevant NIST SP 800-53 controls determined as part of the risk assessment process and evidence compliance with these controls as part of the organization’s annual FISMA reporting requirements. Monitoring continuous compliance against the selected controls, as well as adapting to any new updates or revisions to the catalog, is crucial. 

If your organization is following the security recommendations laid out in NIST 800-53, you and your team will ultimately do less work preparing for a FISMA authorization.

Who Needs A FISMA Audit?

If you are a government agency, you know you need to be FISMA compliant. However, if you are a private business that has a government contract, manages information on the government’s behalf, or maintains close relationships with any government agency, you may also be required to pass a FISMA audit.

How to Prepare for a FISMA Audit

  • Information System Catalog: All FISMA-compliant agencies must create and maintain a catalog of every information system used by said agency. 
  • Risk Management: In the eyes of the government, not all information is created equal. Agencies undergoing FISMA audits must create a risk management profile for their information and information systems.
  • Security Plan: FISMA requires that businesses create a plan which sets forth how the information will be properly protected. The plan must detail security policies, controls, and contingency plans in case of a breach. 
  • Security Controls: The catalog for FISMA security controls is extremely extensive. The NIST 800-53 lists the full scope of security controls. As previously noted, not all of the security controls are required. Instead, agencies must pick and choose which security controls are relevant to their particular system. Once an institution has chosen the security controls, it must document them in its security plan. The security plan is then approved by FISMA during the audit.
  • Risk Assessments: FISMA audits require risk assessments at every level of the organization. Every level of the organization means not only where the sensitive information is kept, but anywhere data is kept. 
  • Continuous Monitoring: FISMA expects organizations to perform security reviews each year. It may feel redundant to require continual risk assessments at all levels of the organization as well as annual reviews, but both are expected.

Leveraging the Power of Centraleyes with your NIST 800-53 Compliance

Following our checklists will help structure your approach to NIST 800-53A compliance and a FISMA audit. If you’d like to read more about these important standards, see our related blog on NIST 800-53.

Using Centraleyes as your NIST 800-53 management platform will help you organize your compliance program by mapping controls to other standards as well. Our powerful platform automates control mapping of over 50 security and privacy standards!
