For the public and private sectors, the National Institute of Standards and Technology (NIST) is an essential resource. NIST SP 800-53 is considered the foremost set of cybersecurity guidelines for federal information security. Every U.S. federal government agency and some contractors are required to comply with the NIST 800-53 framework to ensure sensitive data is protected.
To help organizations sustain compliance and effectively maintain secure information systems, let’s take a closer look at the 18 control families featured in NIST Special Publication (SP) 800-53, particularly those dealing with maintenance.
What are NIST 800-53 Control Families?
Since it was first established in 2005, NIST SP 800-53 has advanced through five revisions and now includes 1,189 individual controls plus a variety of control enhancements, organized into critical categories called control families. Federal agencies and contractors will find all the recommended security and privacy controls required to protect federal information systems from cybersecurity threats and attacks.
NIST SP 800-53 details controls to support the development and maintenance of secure, resilient federal information systems. These controls cover operational, technical, and management standards and guidelines required to maintain integrity and availability of systems and data. Enabling these controls is crucial for compliance with the Federal Information Security Modernization Act (FISMA) and the Federal Information Processing Standard Publication 200 (FIPS 200) standard.
The 800-53 guidelines offer a multi-tiered approach to managing risk and compliance. Security controls are divided into families, which gives organizations the flexibility to select only the controls they need.
18 Control Families to Consider for 800-53 Maintenance:
- AC – Access Control: Security requirements include account management, remote access logging, and system privileges to determine users’ ability to access data and reporting features.
- AU – Audit and Accountability: Security controls related to an organization’s audit capabilities include audit rules and processes, audit recording, audit report creation, and audit information protection.
- AT – Awareness and Training: The AT control family’s control sets document security training materials, procedures, and records.
- CM – Configuration Management: CM controls serve as the foundation for future information system builds or changes. The family also includes inventories of information system components and the security impact analysis control.
- CP – Contingency Planning: The CP control family includes controls particular to an organization’s cybersecurity contingency plan testing, updating, training, backups, and system reconstitution.
- IA – Identification and Authentication: IA controls are particular to an organization’s identification and authentication procedures to assure proper organizational and non-organizational access.
- IR – Incident Response: Controls for incident response are customized to an organization’s rules and processes. This area may include incident response training, testing, monitoring, reporting, and a response strategy.
- MA – Maintenance: Revision five of NIST 800-53 outlines standards for maintaining systems and tools.
- MP – Media Protection: Access, marking, storage, transit policies, sanitization, and defined organizational media use are all covered by the media protection control family.
- PS – Personnel Security: Standards around personnel screening, termination, transfers, sanctions, and access agreements are all examples of PS controls to protect employees.
- PE – Physical and Environmental Protection: This control family is used to safeguard systems, buildings, and supporting infrastructure from physical dangers. Physical access authorizations, monitoring, visitor records, emergency shutoff, electricity, lighting, fire protection, and water damage prevention are all examples of these controls.
- PL – Planning: Security planning policies address the goal, scope, roles, duties, management commitment, and coordination among entities for organizational compliance.
- PM – Program Management: The PM control family applies to your cybersecurity program. It includes a critical infrastructure plan, an information security program plan, a plan of action and milestones process, a risk management strategy, and enterprise architecture.
- RA – Risk Assessment: The RA control family covers an organization’s risk assessment policies and vulnerability scanning capabilities.
- CA – Security Assessment and Authorization: The CA control family is specific to the execution of security assessment and authorization, including continuous monitoring, action plan and milestones, and system interconnections.
- SC – System and Communications Protection: System and communications protection protocols include boundary protection, information at rest protection, collaborative computing devices, cryptographic protection, and denial of service protection.
- SI – System and Information Integrity: The SI control family includes flaw remediation, malicious code protection, information system monitoring, security warnings, software and firmware integrity, and spam prevention.
- SA – System and Services Acquisition: SA controls protect allocated resources and an organization’s system development life cycle. The family includes procedures for information system documentation, development configuration management, and developer security testing and evaluation.
What is NIST SP 800-53 MA maintenance?
The MA controls in NIST 800-53 Revision 5, the current version, detail what is required to maintain organizational systems, as well as which tools to use to deter failures and malfunctions and to restore capability to systems and equipment.
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
MA-1: System Maintenance Policy and Procedures
Security and privacy program policies and procedures at the organization level are preferable, reflecting the complex nature of organizations. Procedures can be established and documented for security and privacy programs, for mission or business processes, and for systems, as needed.
MA-2: Controlled Maintenance
Controlled system maintenance addresses information security aspects as well as supply chain-related risks and applies to all types of maintenance to system components and peripherals conducted by local or nonlocal entities. Comprehensive, effective maintenance records are important.
MA-3: Maintenance Tools
Maintenance tools for hardware, software, and firmware may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers.
MA-4: Nonlocal Maintenance
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through a network, while local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements. Strong authentication to establish nonlocal maintenance and diagnostic sessions requires authenticators that are resistant to replay attacks and employ multi-factor authentication.
MA-5: Maintenance Personnel
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems through temporary credentials.
MA-6: Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.
MA-7: Field Maintenance
Field maintenance is conducted after the system or component has been deployed to a specific operational environment. To ensure the same degree of rigor and quality control checks as depot maintenance, it may be necessary to restrict field maintenance for critical systems in favor of trusted facilities with additional controls.
The cybersecurity experts at DTS understand the pitfalls and promise of the foremost guidelines and standards for information security, including the SP 800-53 maintenance requirements. Take advantage of the opportunities ahead with total compliance and confidence.