
Security and Privacy Controls for Information Systems and Organizations

Introductory Course
April 2024

Based on NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations

Course Authority
Information in this course should be applied in accordance with legislative guidelines, standards,
and requirements established by the Federal Government and your organization.

This course is provided by the National Institute of Standards and Technology and is available free of charge at https://nist.gov/rmf
Terms of Use and Software Disclaimer

In accordance with its statutory authorities, NIST maintains a research information center to support the research, publishing, and preservation needs
required to fulfill the scientific and technical mission of NIST. NIST makes its RMF Introductory Course available to interested parties as a public service.
Pursuant to 17 USC 105, works authored by NIST employees are not subject to Copyright protection within the United States; foreign rights are reserved on
behalf of the Secretary of Commerce. To the extent that NIST may hold copyright or other rights in countries other than the United States, you are hereby
granted the non-exclusive irrevocable and unconditional right to print, publish, prepare derivative works, and distribute, in any medium, or authorize
others to do so on your behalf, on a royalty-free basis throughout the world. Downloads are made available as a courtesy of NIST. Please provide
appropriate attribution to NIST, the creator of the courses.
The RMF Introductory Course is provided “AS IS.” NIST makes NO WARRANTY of any kind, express or implied or statutory, including without limitation, the
implied warranty of merchantability, fitness for a particular purpose, non-infringement or data accuracy.
Permission to use this material is contingent upon your acceptance of these terms.
Software Disclaimer
NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may
improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice
stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the
software.
NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE
OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING
THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs
of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in
any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.

Course Navigation Instructions

A brief overview of how to navigate through the course when it is delivered via the NIST CSRC website:
• The course outline is shown in the left-hand navigation bar
• A keyword search is available, but you will only be able to access slides you have already viewed.
• The recommended use of this search function is meant for after you have completed the course and would like to refer to a particular topic.
• In the upper right-hand corner, there are two items of note: Marker Tools and Notes
• Clicking “Marker Tools” allows you to “mark up” (e.g., highlight, underline) your version of the presentation slide, if you wish to do so
• Clicking “Notes” displays the written script of the audio track on that particular slide
• Under the main presentation slide, on the left-hand side:
• A Play/Pause button for the slide currently displayed
• A timer for the current slide is also displayed, as well as a replay button, volume control, and full-screen toggle button
• Under the main presentation slide, on the right-hand side:
• Navigate backward to slides you have already viewed using the “Prev” button
• Navigate forward to return to your current position in the course using the “Next” button
• Note that you cannot navigate forward to slides you have not yet seen
• The Accessibility icon is in the upper left-hand corner of the presentation window

At any time, you can leave the course and resume from where you left off in the
course – just be sure to enable cookies for this website in your browser.
Course Structure

Completing the entire course should take approximately 60 minutes


• Welcome and Overview
• Module 1: The Fundamentals
• Module 2: The Controls
• Conclusion
• Supplemental Material
• Additional Resources

Course Goal and Learning Objectives

Course Goal
Gain familiarity with the catalog of security and privacy controls including:
• Structure of the controls and the organization of the control catalog
• Relationship to other NIST technical publications that provide implementation guidance

Learning Objectives
After completing this course, you will be able to:
• Describe the purpose of security and privacy controls
• Explain how controls can support the organization’s risk management program

Course Target Audience

Target audience for this course

• All individuals that have an interest in security and privacy risk management strategies
• Key individuals responsible for security and privacy risk management processes, including the selection, implementation, assessment, and monitoring of controls needed to achieve a cost-effective and risk-based security and privacy program
• Industry partners creating, producing, or providing capabilities or technologies that support information security or privacy risk management

Introduction to Security and Privacy Controls

What are security and privacy controls?

• Descriptions of the safeguards and protection measures appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of the organization.

How can security and privacy controls support risk management efforts?
• Support cyber resilience throughout the system life cycle
• Help make systems more resistant to attacks
• Limit impact from attacks when they occur
• Protect individuals’ privacy

NIST SP 800-53 Purpose

Provides
• Comprehensive catalog of security and privacy controls for any organization or system

Enables
• Efforts to meet mission, business, and legal requirements that address security, privacy, cyber supply
chain, systems security engineering, and cyber resiliency

Supports
• Risk Management Framework (RMF) Select and Implement Step tasks
• Any size organization, across any sector, and for any type of system and computing platform

Module 1: The Fundamentals

Objectives for this module


• Distinguish between a requirement and a control
• Explain the purpose of security and privacy controls
• Identify the organization of the control catalog and the elements of the control structure
• Discuss different control implementation approaches
• Examine the concepts of trustworthiness and assurance for security and privacy controls

Lesson 1: Requirements and Controls
Requirements
Requirement
Expression of the set of protection needs for a particular system or organization.

• Obligation imposed on organizations defined by
 o Laws
 o Directives
 o Policies
 o Regulations
 o Standards
 o Missions/business functions
• Capability Requirement
 o Capability the system or organization must provide
• Specification Requirement
 o System requirements that pertain to particular hardware, software, and firmware components
• Statement of Work
 o Contractual obligation for actions that must be performed

NOTE
Requirements can have different definitions when used in different contexts

Controls

• Provide structure to define implementable system requirements
• Selected and implemented by the organization to achieve security and privacy objectives
• Can include technical aspects, administrative aspects, and physical aspects
• Neutrality enables focus on fundamental security and privacy requirements for operational success

NOTE
Organizations have the flexibility to implement the controls selected in a manner
that satisfies organizational mission or business needs consistent with laws, regulations, and policies.

Security and Privacy Controls

Security controls
• Protect information and systems from unauthorized activity or system behavior
 o Manage security risks
 o Documented in the security plan
 o Responsible for protecting information and information systems from unauthorized activity or system behavior to provide confidentiality, integrity, and availability

Privacy controls
• Address privacy risks associated with the processing of privacy information
 o Manage privacy risks
 o Documented in the privacy plan
 o Responsible for managing risks to individuals associated with the processing of personally identifiable information throughout the information life cycle

NOTE
Controls selected to achieve both security and privacy objectives require a degree of
collaboration between the organization’s information security program and privacy program

Security and Privacy Controls

Figure: Cybersecurity and Privacy Risk Relationship (overlapping circles)
• Cybersecurity Risks: associated with cybersecurity incidents arising from loss of confidentiality, integrity, or availability
• Overlap: cyber security-related privacy events
• Privacy Risks: associated with privacy events arising from data processing

Source: NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management

Lesson 2: Control Structure and Organization
Control Structure

Base Control: Prescribes a security or privacy capability to be implemented. Security and privacy capabilities are achieved by the activities or actions, automated or nonautomated, carried out by systems and organizations.

Organization-Defined Parameter (ODP): Identifies [Assignment:] and [Selection:] operations to enable the organization to define specific requirements.

Discussion: Explains the purpose of controls and often includes examples.

Related Controls: List of controls in the catalog that may support the implementation of the security or privacy capability.

Control Enhancement: Identifies capabilities that augment a base control implementation; not intended to be selected independently.

References: Includes hyperlinks to publications for obtaining additional information for control development, implementation, assessment, and monitoring.

Example control entry:

AU-4 AUDIT STORAGE CAPACITY
Control: Allocate audit record storage capacity to accommodate [Assignment: organization-defined audit record retention requirements].
Discussion: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.
Related Controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4.
Control Enhancements:
(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Off-load audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
Discussion: Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary system to a secondary or alternate system. It is a common process in systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.
Related Controls: None.
References: None.
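As an added example (not part of the NIST course or of SP 800-53 itself), the following Python resolves the [Assignment:] and [Selection:] organization-defined parameters in a control statement against the values an organization has chosen, using the AU-4 and AU-4(1) text shown above. The organization's values, the helper names, and the semicolon-separated Selection snippet are constructed for illustration; a control whose ODPs remain unresolved is reported rather than silently accepted, which is the check a plan reviewer wants before calling a control "implemented".

```python
"""Resolve organization-defined parameters (ODPs) in SP 800-53 control text.

Added example. The AU-4 / AU-4(1) statements are quoted from the course slide;
the organization's chosen values and the Selection snippet are constructed.
"""
import re
from dataclasses import dataclass, field

# Matches "[Assignment: ...]", "[Selection: a; b]" and
# "[Selection (one or more): a; b]". Semicolon-separated options are assumed
# to be the catalog's convention for Selection operations.
ODP_RE = re.compile(r"\[(Assignment|Selection(?: \(one or more\))?):\s*([^\]]+)\]")


@dataclass
class Control:
    ident: str                      # e.g. "AU-4"
    title: str
    text: str                       # base control statement
    enhancements: dict = field(default_factory=dict)  # "(1)" -> statement


# Quoted from the slide above.
AU4 = Control(
    "AU-4", "AUDIT STORAGE CAPACITY",
    "Allocate audit record storage capacity to accommodate "
    "[Assignment: organization-defined audit record retention requirements].",
    {"(1)": "Off-load audit records [Assignment: organization-defined frequency] "
            "onto a different system or media than the system being audited."},
)

# Constructed organization-defined values, keyed by the ODP body as printed.
ORG_VALUES = {
    "organization-defined audit record retention requirements": "90 days of online audit records",
    "organization-defined frequency": "every 24 hours",
}


def find_odps(text):
    """Return (kind, body) for every ODP operation in a control statement."""
    return [(m.group(1), m.group(2).strip()) for m in ODP_RE.finditer(text)]


def resolve(text, values):
    """Substitute each ODP with the organization's value.

    Returns (tailored_text, unresolved): an Assignment with no value, or a
    Selection whose choice is not among the catalog's options, is left in
    place in the text and listed in `unresolved` so the gap stays visible.
    """
    unresolved = []

    def sub(m):
        kind, body = m.group(1), m.group(2).strip()
        choice = values.get(body)
        if choice is None:
            unresolved.append(body)
            return m.group(0)
        if kind.startswith("Selection"):
            options = {o.strip() for o in body.split(";")}
            chosen = [choice] if isinstance(choice, str) else list(choice)
            if not chosen or not set(chosen) <= options:
                unresolved.append(body)
                return m.group(0)
            return ", ".join(chosen)
        return choice

    return ODP_RE.sub(sub, text), unresolved


def tailor(control, values):
    """Tailor a base control and its enhancements; collect unresolved ODPs."""
    out, unresolved = {}, []
    stmt, missing = resolve(control.text, values)
    out[control.ident] = stmt
    unresolved += missing
    for num, text in control.enhancements.items():
        stmt, missing = resolve(text, values)
        out[f"{control.ident}{num}"] = stmt
        unresolved += missing
    out["unresolved"] = unresolved
    return out


if __name__ == "__main__":
    result = tailor(AU4, ORG_VALUES)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("implementable:", not result["unresolved"])
```

Keying the value table by the ODP body as it is printed in the catalog keeps the tailoring record traceable back to the exact operation it satisfies, and leaving an unresolved ODP verbatim in the output makes a half-tailored plan easy to spot in review.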

Control Family Identification

SP 800-53 identifies
• 17 security-related areas identified in FIPS 200 used to define control families
• 3 additional control families (PM, PT, SR) added since FIPS 200 was published

Families are arranged alphabetically based on the assigned acronym

Control Catalog Organization

SP 800-53, Appendix C
• Implemented By
 W: Withdrawn
 S: Implemented by System
 O: Implemented by Organization
 O/S: Combination System/Organization

• Assurance
 √: Contributes to the grounds for confidence

Control Catalog Updates

Control changes are based on:


• Providing a better understanding of how to address security and privacy risks
• New or changing requirements in laws, executive orders, regulations, policies, standards, or guidelines

Lesson 3: Control Implementation Approaches

Common (inheritable): Associated with a common control provider responsible for the implementation

System-specific: The system owner and the authorizing official for the system are responsible for the implementation

Hybrid: Responsibility for the control capabilities is shared between the common control provider and the system owner and authorizing official

NOTE

If the common control provider implementation fails, it can adversely affect all dependent systems
If the system-specific implementation fails, it can expose the entire enterprise

Lesson 4: Trustworthiness and Assurance

Security and privacy controls build trust through functionality and assurance

Functionality
• Security and privacy features
• Functions
• Mechanisms
• Services
• Procedures
• Architectures

Assurance
• Measure of confidence of system functionality
 o Implemented correctly
 o Operating as intended
 o Producing the desired outcome with respect to meeting the security and privacy requirements for the system

Module 2: The Controls

Objectives for this module


• Provide an overview of each control family
• Introduce some of the controls based on the description of the control family

Access Control (AC) Family

FIPS 200 Minimum Security Requirement


limit information system access to authorized users, processes acting on behalf of authorized users, or devices
(including other information systems) and to the types of transactions and functions that authorized users are
permitted to exercise.

AC-1 Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Logon Attempts
AC-8 System Use Notification
AC-9 Previous Logon Notification
AC-10 Concurrent Session Control

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
• NIST SP 800-192, Verification and Test Methods for Access Control Policies/Models

Awareness and Training (AT) Family

FIPS 200 Minimum Security Requirement


(i) ensure that managers and users of organizational information systems are made aware of the security risks
associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards,
instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure
that organizational personnel are adequately trained to carry out their assigned information security-related duties
and responsibilities.

AT-1 Policy and Procedures
AT-2 Literacy Training and Awareness
AT-3 Role-Based Training
AT-4 Training Records
AT-5 [Withdrawn: Incorporated into PM-15]
AT-6 Training Feedback

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-50, Building a Cybersecurity and Privacy Learning Program

Audit and Accountability (AU) Family

FIPS 200 Minimum Security Requirement


(i) create, protect, and retain information system audit records to the extent needed to enable the monitoring,
analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii)
ensure that the actions of individual information system users can be uniquely traced to those users so they can be
held accountable for their actions.

AU-1 Policy and Procedures
AU-2 Event Logging
AU-3 Content of Audit Records
AU-4 Audit Log Storage Capacity
AU-5 Response to Audit Logging Process Failures
AU-6 Audit Record Review, Analysis, and Reporting
AU-7 Audit Record Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
• NIST SP 800-92, Guide to Computer Security Log Management

Assessment, Authorization, and Monitoring (CA) Family

FIPS 200 Minimum Security Requirement


(i) periodically assess the security controls in organizational information systems to determine if the controls are
effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or
eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational
information systems and any associated information system connections; and (iv) monitor information system security
controls on an ongoing basis to ensure the continued effectiveness of the controls.

CA-1 Policy and Procedures
CA-2 Control Assessments
CA-3 Information Exchange
CA-4 [Withdrawn: Incorporated into CA-2]
CA-5 Plan of Action and Milestones
CA-6 Authorization
CA-7 Continuous Monitoring
CA-8 Penetration Testing
CA-9 Internal System Connections

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
• NIST SP 800-47, Managing the Security of Information Exchanges
• NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

Configuration Management (CM) Family

FIPS 200 Minimum Security Requirement


(i) establish and maintain baseline configurations and inventories of organizational information systems (including
hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii)
establish and enforce security configuration settings for information technology products employed in organizational
information systems.

CM-1 Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Impact Analyses
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 System Component Inventory
CM-9 Configuration Management Plan
CM-10 Software Usage Restrictions

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems

Contingency Planning (CP) Family

FIPS 200 Minimum Security Requirement


establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster
recovery for organizational information systems to ensure the availability of critical information resources and
continuity of operations in emergency situations.

CP-1 Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-5 [Withdrawn: Incorporated into CP-2]
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunication
CP-9 System Backup
CP-10 System Recovery and Reconstitution

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

Identification and Authentication (IA) Family

FIPS 200 Minimum Security Requirement


identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the
identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information
systems.

IA-1 Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-organizational Users)
IA-9 Service Identification and Authentication
IA-10 Adaptive Authentication

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• Identity and Access Management Projects
• NIST SP 800-63 series, Digital Identity Guidelines

Incident Response (IR) Family

FIPS 200 Minimum Security Requirement


(i) establish an operational incident handling capability for organizational information systems that includes adequate
preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and
report incidents to appropriate organizational officials and/or authorities.

IR-1 Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
IR-9 Information Spillage Response

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-61, Computer Security Incident Handling Guide

Maintenance (MA) Family

FIPS 200 Minimum Security Requirement


(i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls
on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

MA-1 Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Nonlocal Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance
MA-7 Field Maintenance

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

Media Protection (MP) Family

FIPS 200 Minimum Security Requirement


(i) protect information system media, both paper and digital; (ii) limit access to information on information system
media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

MP-1 Policy and Procedures
MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization
MP-7 Media Use
MP-8 Media Downgrading

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-88, Guidelines for Media Sanitization
• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices

Physical and Environmental Protection (PE) Family

FIPS 200 Minimum Security Requirement


(i) limit physical access to information systems, equipment, and the respective operating environments to authorized
individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting
utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide
appropriate environmental controls in facilities containing information systems.

PE-1 Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 [Withdrawn: Incorporated into PE-2 and PE-3]
PE-8 Visitor Access Records
PE-9 Power Equipment and Cabling
PE-10 Emergency Shutoff

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access

Planning (PL) Family

FIPS 200 Minimum Security Requirement


develop, document, periodically update, and implement security plans for organizational information systems that
describe the security controls in place or planned for the information systems and the rules of behavior for individuals
accessing the information systems.

PL-1 Policy and Procedures
PL-2 System Security and Privacy Plans
PL-3 [Withdrawn: Incorporated into PL-2]
PL-4 Rules of Behavior
PL-5 [Withdrawn: Incorporated into RA-8]
PL-6 [Withdrawn: Incorporated into PL-2]
PL-7 Concept of Operations
PL-8 Security and Privacy Architectures
PL-9 Central Management
PL-10 Baseline Selection

For the full list of controls, control enhancements, and details about this control family, click the CPRT button

SAMPLE REFERENCES
• NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
• NIST SP 800-160, Volume 1, Engineering Trustworthy Secure Systems
• NIST SP 800-160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach

Program Management (PM) Family

NIST SP 800-53, Revision 5, Program Management Controls


• The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive
orders, directives, policies, regulations, and standards.
• Program management (PM) controls are implemented at the organization level and not directed at individual
systems.

PM-1 Information Security Program Plan
PM-2 Information Security Program Leadership Role
PM-3 Information Security and Privacy Resources
PM-4 Plan of Action and Milestones Process
PM-5 System Inventory
PM-6 Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Authorization Process

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Personnel Security (PS) Family

FIPS 200 Minimum Security Requirement


(i) ensure that individuals occupying positions of responsibility within organizations (including third-party service
providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational
information and information systems are protected during and after personnel actions such as terminations and
transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and
procedures.

PS-1 Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 External Personnel Security
PS-8 Personnel Sanctions
PS-9 Position Descriptions

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-181, Workforce Framework for Cybersecurity (NICE Framework)

PII Processing and Transparency (PT) Family

Minimum security requirements for the PT family are not included in FIPS 200. The NIST Privacy Engineering
Program provides additional resources about privacy requirements and managing privacy risk.

PT-1 Policy and Procedures
PT-2 Authority to Process Personally Identifiable Information
PT-3 Personally Identifiable Information Processing Purposes
PT-4 Consent
PT-5 Privacy Notice
PT-6 System of Records Notice
PT-7 Specific Categories of Personally Identifiable Information
PT-8 Computer Matching Requirements

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST Privacy Engineering Program
• NIST IR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

Risk Assessment (RA) Family

FIPS 200 Minimum Security Requirement


periodically assess the risk to organizational operations (including mission, functions, image, or reputation),
organizational assets, and individuals, resulting from the operation of organizational information systems and the
associated processing, storage, or transmission of organizational information.

RA-1 Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-4 [Withdrawn: Incorporated into RA-3]
RA-5 Vulnerability Monitoring and Scanning
RA-6 Technical Surveillance Countermeasures Survey
RA-7 Risk Response
RA-8 Privacy Impact Assessments
RA-9 Criticality Analysis
RA-10 Threat Hunting

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-30, Guide for Conducting Risk Assessments
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-60, Volumes 1 & 2, Guide for Mapping Types of Information and Information Systems to Security Categories
• NIST Privacy Risk Assessment Methodology (PRAM)

System and Services Acquisition (SA) Family

FIPS 200 Minimum Security Requirement


(i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system
development life cycle processes that incorporate information security considerations; (iii) employ software usage and
installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect
information, applications, and/or services outsourced from the organization.

SA-1 Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-5 System Documentation
SA-6 [Withdrawn: Incorporated into CM-10 and SI-7]
SA-7 [Withdrawn: Incorporated into CM-11 and SI-7]
SA-8 Security and Privacy Engineering Principles
SA-9 External System Services
SA-10 Developer Configuration Management

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST SP 800-154, Guide to Data-Centric System Threat Modeling (DRAFT)

System and Communications Protection (SC) Family

FIPS 200 Minimum Security Requirement


(i) monitor, control, and protect organizational communications (i.e., information transmitted or received by
organizational information systems) at the external boundaries and key internal boundaries of the information
systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles
that promote effective information security within organizational information systems.

SC-1 Policy and Procedures
SC-2 Separation of System and User Functionality
SC-3 Security Function Isolation
SC-4 Information in Shared System Resources
SC-5 Denial-of-Service Protection
SC-6 Resource Availability
SC-7 Boundary Protection
SC-8 Transmission Confidentiality and Integrity
SC-9 [Withdrawn: Incorporated into SC-8]
SC-10 Network Disconnect

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy
• NIST SP 800-77, Guide to IPsec VPNs

System and Information Integrity (SI) Family

FIPS 200 Minimum Security Requirement


(i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection
from malicious code at appropriate locations within organizational information systems; and (iii) monitor information
system security alerts and advisories and take appropriate actions in response.

SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security and Privacy Function Verification
SI-7 Software, Firmware, and Information Integrity
SI-8 Spam Protection
SI-9 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6]
SI-10 Information Input Validation

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-40, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
• NIST SP 800-177, Trustworthy Email

Supply Chain Risk Management (SR) Family

NIST SP 800-161, Revision 1, Section 1.1


Cybersecurity Supply Chain Risk Management (C-SCRM) is a systematic process for managing exposure to
cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes,
and procedures.

SR-1 Policy and Procedures
SR-2 Supply Chain Risk Management Plan
SR-3 Supply Chain Controls and Processes
SR-4 Provenance
SR-5 Acquisition Strategies, Tools, and Methods
SR-6 Supplier Assessments and Reviews
SR-7 Supply Chain Operations Security
SR-8 Notification Agreements
SR-9 Tamper Resistance and Detection
SR-10 Inspection of Systems or Components

For the full list of controls, control enhancements, and details about this control family, click the CPRT button.

SAMPLE REFERENCES
• NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Conclusion

NIST SP 800-53 Key Takeaways


• Controls describe the safeguards and protective measures appropriate for achieving particular security
and privacy objectives
o Security and privacy controls build trust through functionality and assurance
o Controls selected by the Organization or System are documented in the security and privacy plans
• The neutrality of the controls provides organizations with the flexibility to identify the security and privacy
controls necessary to mitigate their risks
• Controls may be implemented by a Common Control Provider at the organization level, or by the System
Owner at the system level
o Responsibility for a Hybrid implementation may be shared between the Common Control Provider and
the System Owner

Supplemental Material

NIST SP 800-53 Publication


• Current revision and supplemental materials: https://csrc.nist.gov/Projects/risk-management/publications
• Resources for Implementers: https://nist.gov/rmf/sp800-53-controls
• Downloads: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/downloads

NIST SP 800-53 Public Comment Website


• https://nist.gov/rmf/sp800-53-controls

NIST RMF Publications


• https://nist.gov/rmf

Additional Resources

NIST Computer Security Resource Center


• https://csrc.nist.gov

Cybersecurity and Privacy Reference Tool (CPRT)


• https://csrc.nist.gov/projects/cprt/catalog#/cprt/home

National Online Informative References Program (OLIR)


• https://csrc.nist.gov/Projects/olir

Open Security Controls Assessment Language (OSCAL)


• https://nist.gov/oscal

You have now completed the
Security and Privacy Controls for Information Systems and
Organizations Introductory Course

Request for Feedback


If you have questions or comments regarding this course, email sec-cert@nist.gov

Additional RMF courses: https://csrc.nist.gov/projects/risk-management/rmf-courses
