Diving into the Cybersecurity Ocean: A Fun and Engaging Guide to NIST 800-53

Fortune Edema
4 min read, Jul 4, 2023


Imagine you’re about to embark on a thrilling journey across the vast ocean of cybersecurity. Your compass? The National Institute of Standards and Technology (NIST), a non-regulatory US government agency. Your map? NIST Special Publication 800-53, a treasure trove of guidelines designed to fortify the information systems of US federal agencies against the menacing pirates of cyber threats and data leaks.

As we sail into 2021, our map, NIST 800-53, has been refined through revisions and now sparkles with over 1000 controls. But what are these controls? Think of them as the stars guiding us through the night, the lighthouses illuminating our path. They are the safeguards and protection capabilities that satisfy the requirements of our journey. These requirements are the obligations an organization must fulfill to ensure privacy and security, the safe harbors we must reach on our voyage.

The controls in NIST 800-53 are designed to shield our precious cargo — assets, individuals, and other organizations — from a wide range of threats and risks, from the unpredictable storms of human error and natural disasters to the lurking sea monsters of foreign intelligence entities and hostile attacks. These controls are not rigid; they are as flexible as the sails of our ship, customizable and implemented as part of an organization-wide process to manage risk.

Our map is neatly organized into 20 islands, each representing a unique aspect of security and privacy. Let’s set sail and explore these islands:

1. Access Control: The gatekeeper island, deciding who can set foot on our ship, when they can board, and where they can venture.
2. Awareness and Training: The island of knowledge, focusing on training our crew in the art of security.
3. Audit and Accountability: The island of truth, holding our organization accountable through auditing capabilities.
4. Assessment, Authorization, and Monitoring: The watchtower island, assessing and monitoring our ship’s compliance with security and privacy requirements.
5. Configuration Management: The island of order, ensuring the integrity of our ship through control of processes for initializing, changing, and monitoring system configurations.
6. Contingency Planning: The island of foresight, preparing us for any cybersecurity storms that may come our way.
7. Identification and Authentication: The island of identity, confirming the identity of all who interact with our ship.
8. Incident Response: The island of resilience, outlining steps to be taken following a security breach or failure.
9. Maintenance: The island of preservation, focusing on preventing system failures or restoring systems to an operational state.
10. Media Protection: The island of safeguarding, protecting both digital and non-digital treasures.
11. Physical and Environmental Protection: The fortress island, protecting our ship, buildings, and infrastructure from physical threats.
12. Planning: The island of strategy, crafting our organization’s security and privacy plans.
13. Program Management: The island of oversight, developing, implementing, and overseeing organization-wide information security and privacy programs.
14. Personnel Security: The island of trust, assessing the integrity and reliability of our crew members.
15. Personally Identifiable Information Processing and Transparency: The island of privacy, dictating how to handle sensitive personal information.
16. Risk Assessment: The island of wisdom, helping us identify and prioritize risks.
17. System and Services Acquisition: The island of procurement, ensuring systems and services are obtained without compromising privacy and security.
18. System and Communications Protection: The island of communication, ensuring the confidentiality, integrity, and availability of our ship’s communications.
19. System and Information Integrity: The island of truth, protecting our ship’s systems and data from improper modification and destruction.
20. Supply Chain Risk Management: The island of vigilance, managing potential threats and vulnerabilities throughout the supply chain.

As we navigate these islands, we may choose to prioritize certain controls based on their allocation to the privacy or high-impact security control baselines. We can also identify and categorize our precious cargo, assign an impact value to each type based on the CIA triad (confidentiality, integrity, and availability), and prioritize any that have a high impact. Alternatively, we may determine the cybersecurity risks to our ship through a risk assessment and select the controls that are vital to our journey. The extent and strictness of the selection process should match the impact level of the risks being mitigated.
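The categorization step above can be worked through in code. This is an added example, not from the article: it rates each information type ("cargo") on confidentiality, integrity and availability, applies the FIPS 199 high-water mark rule (the system's level per objective, and overall, is the highest level of any type it carries) to find which 800-53 baseline is the starting point, and lists the high-impact cargo to prioritize. The sample cargo and the ship-themed names are constructed.

```python
from dataclasses import dataclass
from typing import Iterable

# Impact levels ordered as in FIPS 199; the overall level is the "high-water mark".
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of cargo (information type) with an impact level per CIA objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject ratings outside low/moderate/high so a typo cannot silently lower a baseline.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: {objective} must be one of {sorted(LEVELS)}, got {level!r}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level among the given levels."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types: list[InfoType]) -> tuple[str, dict[str, str]]:
    """Overall system impact level plus the high-water mark per objective.

    The overall level selects the 800-53 baseline (low, moderate or high) to tailor from.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {obj: high_water_mark(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}
    return high_water_mark(per_objective.values()), per_objective


def high_impact_cargo(info_types: list[InfoType]) -> list[str]:
    """Names of information types rated 'high' on any objective: the ones to protect first."""
    return [t.name for t in info_types if high_water_mark(getattr(t, o) for o in OBJECTIVES) == "high"]


# Constructed sample cargo for a hypothetical system (not from the article).
SAMPLE_CARGO = [
    InfoType("public voyage schedule", "low", "low", "moderate"),
    InfoType("cargo manifest", "moderate", "high", "moderate"),
    InfoType("crew personnel records", "high", "moderate", "low"),
]

if __name__ == "__main__":
    overall, per_objective = categorize_system(SAMPLE_CARGO)
    print(f"system impact: {overall}  per objective: {per_objective}")
    print("prioritize first:", high_impact_cargo(SAMPLE_CARGO))
```

Note that one high-rated objective on a single information type pulls the whole system to the high baseline, which is why categorizing cargo carefully matters before selecting controls.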

In the end, NIST 800-53 serves as our trusted guide in the thrilling adventure of cybersecurity, providing a robust framework to protect our ship and its valuable cargo. So, hoist the sails, man the helm, and let’s set sail into the exciting world of cybersecurity!
