topic Re: Help with the NIST 800-53 controls list in Tech Talk

Help with the NIST 800-53 controls list

Deyan — Thu, 01 Feb 2018 10:37:50 GMT

Hello ISC2 community,

Wondered if some of you have dealt with the controls in the 800-53 publication of NIST. I am unaware if lack of technical knowledge or twisted language is the reason but I am having troubles in understanding some of them especially when trying to imagine what would that control look like in reality. Do someone know or can provide a source where I can see examples of actual security controls for each of the NIST 800-53 controls?

Re: Help with the NIST 800-53 controls list

cgrooby — Thu, 01 Feb 2018 11:58:16 GMT

I have a crosswalk document of technical controls on my onedrive to share, or you can search for

Cyber Resilience Review (CRR):NIST Cybersecurity Framework Crosswalks

good luck

Christine

Re: Help with the NIST 800-53 controls list

Deyan — Thu, 01 Feb 2018 12:12:00 GMT

Thank you so very much Christine. I am still reviewing the Crossroads document you referenced but if it has references to all of the NIST controls - it would help me a lot indeed. If you do not mind sharing the document you mentioned you have - I can also benefit from it. Please let me know if you'd prefer me to contact you separately (over email or else)

Re: Help with the NIST 800-53 controls list

CISOScott — Thu, 01 Feb 2018 14:03:07 GMT

Have you also looked at 800-53A? It tells how to test each of the controls selected from 800-53. Here is an example of one control. At the bottom you can see it gives examples of what may meet compliance for this control. The way 800-53 works is this: 1) Determine the level of data protection needed (Low, Medium, High) then determine the controls needed to protect that data. Add additional controls if desired. Then you use 800-53A to test to see if you are in compliance. Hope this helps.

Scott

ASSESSMENT OBJECTIVE: Determine if the organization:
CP-9(3)[1]	CP-9(3)[1][a]	defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or
CP-9(3)[1][b]	defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and
CP-9(3)[2]	stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: Examine: [SELECT FROM: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup configurations and associated documentation; information system backup logs or records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities].

Re: Help with the NIST 800-53 controls list

Edd — Thu, 01 Feb 2018 15:14:10 GMT

You -might- find the Cloud Security Alliance (CSA) mappings to be of use. The CSA in the Cloud Controls Matrix (CCM) spreadsheet and the Consensus Assessments Initiative Questionnaire (CAIQ) do a reasonably decent job of mapping controls from all sorts of frameworks and standards (your mileage may vary). Also, the 13 CCM controls are described fairly well and you can see which sp800-53 controls they have mapped them to.

The CAIQ breaks each of the 133 controls down into a few questions and also maps them to sp800-53 (among ~30 other standards). Sadly, they do not provide mapping -from- those other standards, but it can still be useful.

https://cloudsecurityalliance.org/star/#star_i
and look for CCM or CAIQ.

Re: Help with the NIST 800-53 controls list

Deyan — Fri, 02 Feb 2018 08:40:44 GMT

Thank you all for the great resources - definitely of huge help.

Re: Help with the NIST 800-53 controls list

DMerchant — Wed, 01 Aug 2018 13:22:07 GMT

Did you ever get an answer to your question? Try doing a search on "SRTM". This is a matrix of all controls and an explanation of how a system is in compliance. You can also do a search on "SSP"..... again, this is where a company identifies how it is meeting the requirements. I can't give samples because those to which I have access are classified, but you might find a sample or two listed on google.

Re: Help with the NIST 800-53 controls list

CISOScott — Wed, 01 Aug 2018 14:12:16 GMT

You can also look at my response to this post:

https://community.isc2.org/t5/Tech-Talk/Cyber-Risk-Library/td-p/9583

My response shows a link to auditscripts.com which has several framework crosswalks.