Deyan
Contributor I

Help with the NIST 800-53 controls list

Hello ISC2 community,


I wondered if some of you have dealt with the controls in NIST's 800-53 publication. I am not sure whether a lack of technical knowledge or twisted language is the reason, but I am having trouble understanding some of them, especially when trying to imagine what a given control would look like in reality. Does someone know of, or can provide, a source where I can see examples of actual security controls for each of the NIST 800-53 controls?

7 Replies
cgrooby
Viewer

I have a crosswalk document of technical controls on my OneDrive to share, or you can search for:

Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks

Good luck,
Christine
Deyan
Contributor I

Thank you so very much, Christine. I am still reviewing the Crossroads document you referenced, but if it has references to all of the NIST controls, it would help me a lot indeed. If you do not mind sharing the document you mentioned you have, I can also benefit from it. Please let me know if you'd prefer me to contact you separately (over email or otherwise).

CISOScott
Community Champion

Have you also looked at 800-53A? It tells how to test each of the controls selected from 800-53. Here is an example of one control. At the bottom you can see it gives examples of what may meet compliance for this control. The way 800-53 works is this: 1) Determine the level of data protection needed (Low, Medium, High), then determine the controls needed to protect that data. Add additional controls if desired. Then you use 800-53A to test to see if you are in compliance. Hope this helps.

Scott

ASSESSMENT OBJECTIVE:

Determine if the organization:

CP-9(3)[1]

CP-9(3)[1][a] defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or

CP-9(3)[1][b] defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and

CP-9(3)[2] stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup configurations and associated documentation; information system backup logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities].

Edd
Newcomer I

You -might- find the Cloud Security Alliance (CSA) mappings to be of use. The CSA, in the Cloud Controls Matrix (CCM) spreadsheet and the Consensus Assessments Initiative Questionnaire (CAIQ), does a reasonably decent job of mapping controls from all sorts of frameworks and standards (your mileage may vary). Also, the 13 CCM controls are described fairly well, and you can see which SP 800-53 controls they have mapped them to.

The CAIQ breaks each of the 133 controls down into a few questions and also maps them to SP 800-53 (among ~30 other standards). Sadly, they do not provide mapping -from- those other standards, but it can still be useful.


https://cloudsecurityalliance.org/star/#star_i and look for CCM or CAIQ.

Deyan
Contributor I

Thank you all for the great resources; they are definitely of huge help.

DMerchant
Viewer

Did you ever get an answer to your question? Try doing a search on "SRTM". This is a matrix of all controls and an explanation of how a system is in compliance. You can also do a search on "SSP". Again, this is where a company identifies how it is meeting the requirements. I can't give samples because those to which I have access are classified, but you might find a sample or two listed on Google.

CISOScott
Community Champion

You can also look at my response to this post:

https://community.isc2.org/t5/Tech-Talk/Cyber-Risk-Library/td-p/9583

My response shows a link to auditscripts.com which has several framework crosswalks.