NIST SP 800-53 Introductory Course v1 Download
Course Authority
Information in this course should be applied in accordance with legislative guidelines, standards,
and requirements established by the Federal Government and your organization.
In accordance with its statutory authorities, NIST maintains a research information center to support the research, publishing, and preservation needs
required to fulfill the scientific and technical mission of NIST. NIST makes its RMF Introductory Course available to interested parties as a public service.
Pursuant to 17 USC 105, works authored by NIST employees are not subject to Copyright protection within the United States; foreign rights are reserved on
behalf of the Secretary of Commerce. To the extent that NIST may hold copyright or other rights in countries other than the United States, you are hereby
granted the non-exclusive irrevocable and unconditional right to print, publish, prepare derivative works, and distribute, in any medium, or authorize
others to do so on your behalf, on a royalty-free basis throughout the world. Downloads are made available as a courtesy of NIST. Please provide
appropriate attribution to NIST, the creator of the courses.
The RMF Introductory Course is provided “AS IS.” NIST makes NO WARRANTY of any kind, express or implied or statutory, including without limitation, the
implied warranty of merchantability, fitness for a particular purpose, non-infringement or data accuracy.
Permission to use this material is contingent upon your acceptance of these terms.
Software Disclaimer
NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may
improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice
stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the
software.
NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE
OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING
THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs
of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in
any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.
A brief overview on how to navigate through the course, when delivered via the NIST CSRC website:
• The course outline is shown in the left-hand navigation bar
• A keyword search is available, but you will only be able to access slides you have already viewed.
  • The recommended use of this search function is after you have completed the course and would like to refer to a particular topic.
• In the upper right-hand corner, there are two items of note: Marker Tools and Notes
  • Clicking “Marker Tools” allows you to “mark up” (e.g. highlight, underline, etc.) your version of the presentation slide, if you wish to do so
  • Clicking “Notes” displays the written script of the audio track on that particular slide
• Under the main presentation slide, on the left-hand side:
  • A Play/Pause button for the slide currently displayed
  • A timer for the current slide is also displayed, as well as a replay button, volume control, and full-screen toggle button
• Under the main presentation slide, on the right-hand side:
  • Navigate backward to slides you have already viewed using the “Prev” button
  • Navigate forward, up to your current position in the course, using the “Next” button
  • Note that you cannot navigate forward to slides you have not yet seen
• The Accessibility icon is in the upper left-hand corner of the presentation window
At any time, you can leave the course and resume from where you left off in the course – just be sure to enable cookies for this website in your browser.
This course is provided by the National Institute of Standards and Technology and is available free of charge at https://nist.gov/rmf
Course Structure
Course Goal
Gain familiarity with the catalog of security and privacy controls including:
• Structure of the controls and the organization of the control catalog
• Relationship to other NIST technical publications that provide implementation guidance
Learning Objectives
After completing this course, you will be able to:
• Describe the purpose of security and privacy controls
• Explain how controls can support the organization's risk management program
Provides
• Comprehensive catalog of security and privacy controls for any organization or system
Enables
• Efforts to meet mission, business, and legal requirements that address security, privacy, cyber supply chain, systems security engineering, and cyber resiliency
Supports
• Risk Management Framework (RMF) Select and Implement Step tasks
• Any size organization, across any sector, and for any type of system and computing platform
Module 1: The Fundamentals
Lesson 1: Requirements and Controls
NOTE
Requirements can have different definitions when used in different contexts
Controls
NOTE
Organizations have the flexibility to implement the controls selected in a manner that satisfies organizational mission or business needs consistent with laws, regulations, and policies.
Security and Privacy Controls
NOTE
Controls selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program
Security and Privacy Controls
Cybersecurity Risks: Associated with cybersecurity incidents arising from loss of confidentiality, integrity, or availability
Overlap: Cybersecurity-related privacy events
Privacy Risks: Associated with privacy events arising from data processing
Lesson 2: Control Structure and Organization
Control Structure
Base Control: Prescribes a security or privacy capability to be implemented. Security and privacy capabilities are achieved by the activities or actions, automated or nonautomated, carried out by systems and organizations.
Organization-Defined Parameter (ODP): Identifies [Assignment:] and [Selection:] operations to enable the organization to define specific requirements
Discussion: Explains the purpose of controls and often includes examples
Related Controls: List of controls in the catalog that may support the implementation of the security or privacy capability
Control Enhancement: Identifies capabilities that augment a base control implementation; not intended to be selected independently
References: Includes hyperlinks to publications for obtaining additional information for control development, implementation, assessment, and monitoring
Example (AU-4, as shown on the slide):
AU-4 AUDIT STORAGE CAPACITY
Control: Allocate audit record storage capacity to accommodate [Assignment: organization-defined audit record retention requirements].
Discussion: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.
Related Controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4.
Control Enhancements:
(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Off-load audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
Discussion: Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary system to a secondary or alternate system. It is a common process in systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.
Related Controls: None.
References: None.
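To make the control anatomy above concrete, here is an added Python example (not part of the course or of any NIST tool) that models the AU-4 entry, extracts its [Assignment:] and [Selection:] operations, fills in organization-defined values, and reports any ODP still undefined across the base control and its enhancement. The Control class, the function names and the sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
# Minimal model of one catalog entry, constructed for this example (the field
# names are assumptions, not NIST's official machine-readable format).
@dataclass
class Control:
    ident: str
    title: str
    statement: str
    related: list = field(default_factory=list)
    enhancements: list = field(default_factory=list)   # (ident, statement) pairs

# The ODP operations the catalog uses: [Assignment: ...] and [Selection: ...];
# a Selection may carry a qualifier such as "(one or more)" before the colon.
# Nested operations (a Selection containing an Assignment) are not handled here.
ODP_RE = re.compile(r"\[(Assignment|Selection)(?:\s*\([^)]*\))?:\s*([^\]]+)\]")

def extract_odps(statement):
    """Return (kind, parameter text) for every ODP placeholder in a statement."""
    return [(m.group(1), m.group(2).strip()) for m in ODP_RE.finditer(statement)]

def tailor(statement, values):
    """Fill ODPs from `values` (parameter text -> organization's chosen value).
    Returns (tailored statement, list of parameters still unresolved)."""
    unresolved = []
    def fill(m):
        key = m.group(2).strip()
        if key in values:
            return values[key]
        unresolved.append(key)
        return m.group(0)   # leave the placeholder visible rather than hide the gap
    return ODP_RE.sub(fill, statement), unresolved

def pending_odps(control, values):
    """List (control ident, parameter) for every ODP not yet defined, base control and enhancements included."""
    pending = [(control.ident, p) for _, p in extract_odps(control.statement) if p not in values]
    for eid, text in control.enhancements:
        pending += [(eid, p) for _, p in extract_odps(text) if p not in values]
    return pending

# The AU-4 entry quoted on the slide, transcribed as sample input.
AU4 = Control(
    ident="AU-4", title="Audit Storage Capacity",
    statement="Allocate audit record storage capacity to accommodate "
              "[Assignment: organization-defined audit record retention requirements].",
    related=["AU-2", "AU-5", "AU-6", "AU-7", "AU-9", "AU-11", "AU-12", "AU-14", "SI-4"],
    enhancements=[("AU-4(1)", "Off-load audit records [Assignment: organization-defined "
                              "frequency] onto a different system or media than the system being audited.")],
)
```

Calling `pending_odps(AU4, {})` lists both parameters an organization must define before AU-4 and AU-4(1) can be implemented; `tailor` produces the system-specific statement once they are.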
Control Family Identification
SP 800-53 identifies
• 17 security-related areas identified in FIPS 200 used to define control families
• 3 additional control families (PM, PT, SR) added since FIPS 200 was published
Control Catalog Organization
SP 800-53, Appendix C
• Implemented By
  W: Withdrawn
  S: Implemented by System
  O: Implemented by Organization
  O/S: Combination System/Organization
• Assurance
  √: Contributes to the grounds for confidence
Control Catalog Updates
Lesson 3: Control Implementation Approaches
NOTE
If the common control provider implementation fails, it can adversely affect all dependent systems
If the system-specific implementation fails, it can expose the entire enterprise
Lesson 4: Trustworthiness and Assurance
Security and privacy controls build trust through functionality and assurance
Functionality
• Security and privacy features
• Functions
• Mechanisms
• Services
• Procedures
• Architectures
Assurance
• Measure of confidence of system functionality
  o Implemented correctly
  o Operating as intended
  o Producing the desired outcome with respect to meeting the security and privacy requirements for the system
Module 2: The Controls
SAMPLE REFERENCES
• NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
• NIST SP 800-192, Verification and Test Methods for Access Control Policies/Models
SAMPLE REFERENCES
• NIST SP 800-50, Building a Cybersecurity and Privacy Learning Program
AU-1 Policy and Procedures
AU-2 Event Logging
AU-3 Content of Audit Records
AU-4 Audit Log Storage Capacity
AU-5 Response to Audit Logging Process Failures
AU-6 Audit Record Review, Analysis, and Reporting
AU-7 Audit Record Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
For the full list of controls, control enhancements, and details about this control family, click the CPRT button.
SAMPLE REFERENCES
• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
• NIST SP 800-92, Guide to Computer Security Log Management
SAMPLE REFERENCES
• NIST SP 800-37, Risk Management Framework for Information Systems and Organizations
• NIST SP 800-47, Managing the Security of Information Exchanges
• NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment
SAMPLE REFERENCES
• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
SAMPLE REFERENCES
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SAMPLE REFERENCES
• Identity and Access Management Projects
• NIST SP 800-63 series, Digital Identity Guidelines
SAMPLE REFERENCES
• NIST SP 800-61, Computer Security Incident Handling Guide
SAMPLE REFERENCES
• NIST SP 800-88, Guidelines for Media Sanitization
• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
SAMPLE REFERENCES
• NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access
SAMPLE REFERENCES
• NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
• NIST SP 800-160, Volume 1, Engineering Trustworthy Secure Systems
• NIST SP 800-160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach
SAMPLE REFERENCES
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
SAMPLE REFERENCES
• NIST SP 800-181, Workforce Framework for Cybersecurity (NICE Framework)
Minimum security requirements for the PT family are not included in FIPS 200. The NIST Privacy Engineering Program provides additional resources about privacy requirements and managing privacy risk.
SAMPLE REFERENCES
• NIST Privacy Engineering Program
• NIST IR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems
SAMPLE REFERENCES
• NIST SP 800-30, Guide for Conducting Risk Assessments
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-60, Volumes 1 & 2, Guide for Mapping Types of Information and Information Systems to Security Categories
• NIST Privacy Risk Assessment Methodology (PRAM)
SA-1 Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-5 System Documentation
SA-6 [Withdrawn: Incorporated into CM-10 and SI-7]
SA-7 [Withdrawn: Incorporated into CM-11 and SI-7]
SA-8 Security and Privacy Engineering Principles
SA-9 External System Services
SA-10 Developer Configuration Management
For the full list of controls, control enhancements, and details about this control family, click the CPRT button.
SAMPLE REFERENCES
• NIST SP 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST SP 800-154, Guide to Data-Centric System Threat Modeling (DRAFT)
SAMPLE REFERENCES
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy
• NIST SP 800-77, Guide to IPsec VPNs
SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security and Privacy Function Verification
SI-7 Software, Firmware, and Information Integrity
SI-8 Spam Protection
SI-9 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6]
SI-10 Information Input Validation
For the full list of controls, control enhancements, and details about this control family, click the CPRT button.
SAMPLE REFERENCES
• NIST SP 800-40, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
• NIST SP 800-177, Trustworthy Email
SAMPLE REFERENCES
• NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations