Standardizing Security Assessments with FedRAMP and NIST SP 800-53


Do you find it hard to understand NIST SP 800-53, FedRAMP and how they relate to FISMA?

If your answer is yes, you are not alone.

To help you out, we have created this simplified article where you will learn how these frameworks ensure data integrity and secure business operations.

Let’s dive right into it!

Table of Contents

  1. What is NIST SP 800-53?
  2. Assignment & Selection Statements
  3. Supplemental Guidance 
  4. Security Control Enhancements
  5. Understanding FedRAMP
  6. Managing Compliance

What is NIST SP 800-53?

NIST Special Publication 800-53 is a mandatory federal standard for federal information and information systems. This essential standard was created in response to the Federal Information Security Management Act (FISMA).

FISMA is a law enacted in 2002 to protect federal data against growing cyber threats. All federal organizations are required, by law, to implement the baseline controls suggested in NIST SP 800-53. In addition, companies delivering services to federal agencies must also implement satisfactory controls to provide a secure ecosystem — as federal contracts often require.

NIST SP 800-53 is an efficient standard with risk-based control baselines. It can be used to build a resilient infrastructure to gain customer trust and secure business operations.

You can categorize controls into 18 families, as shown in the following table.

Families to categorize a control

In addition to control families, controls are also categorized by the FIPS PUB 199 impact assessment. Baseline controls are therefore defined for three impact levels: Low, Moderate and High.

Controls may:

  • Be part of all three baselines, such as AC-14 (Permitted actions without identification or authentication)
  • Be part of only the Moderate and High baselines, such as AC-12 (Session termination)
  • Be part of different baselines with additional enhancements at higher levels, such as AC-17 (Remote access)
  • Not be part of any baseline, such as AC-23 (Data mining protection)

Assignment & Selection Statements

You can use assignment and selection statements to tailor controls to business requirements or additional needs. Organizations customize a control by filling in the assignments provided in the security control or its control enhancements.

Organizations can tune security controls and control enhancements on the following basis:

  • Alignment of the security posture with organizational goals and objectives
  • Risk assessments and risk tolerance
  • Compliance with federal laws and regulations, and with organizational policies and procedures

After determining the assignment and selection statements, the control implementation will be evaluated based on a complete set of control statements.

Assignment and selection statements differ in how much flexibility they give. Assignments give organizations more room to define parameters themselves. Selection statements, on the other hand, restrict the choice to a predefined list of items from which the organization must choose.

In other words, assignments are like text boxes where you can input any value, while selection statements are like a drop-down list with limited options.

Example of Assignment and Selection Statements

Supplemental Guidance 

The supplemental guidance section provides detailed information about a specific security control. Using this information, the organization can define, develop and implement the control.

Supplemental guidance also addresses how to implement security controls for your business requirements and risk assessments, and describes the control in place. Where guidance applies not to the full control but only to a particular control enhancement, it is placed with that enhancement.

The supplemental guidance section for a control or control enhancement can also list the related controls.

Security Control Enhancements

The security control enhancements section sheds light on adding functionality to a control and increasing the control’s strength. When a risk assessment indicates a higher likelihood of adverse organizational impact, additions to the base control are needed, and this is where control enhancements play their role.

Control enhancements are listed in sequence under the base control, which helps you decide which additional capabilities to add to supplement it. A short subtitle for each control enhancement names the security capability that enhancement provides.

Understanding FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) standardizes FISMA compliance for federal agencies using cloud computing services. FedRAMP reduces the cost of FISMA compliance through a “do once, use many times” framework.

This framework standardizes the security assessment, authorization, and continuous monitoring of cloud-based services. Clearly defined security controls and responsibilities allow cloud services to be adopted rapidly throughout federal agencies. Cloud Service Providers (CSPs) that intend to deliver services to federal agencies must meet the requirements of the FedRAMP Security Assessment Framework (SAF).

FedRAMP Risk Management framework illustration

FISMA is the foundation of FedRAMP: it requires federal agencies to make risk-based decisions when using cloud services. Federal agencies rely on NIST standards to comply with FISMA, and NIST also provides the control guidance for FedRAMP.

Both FedRAMP and NIST SP 800-53 distribute controls into three categories: High, Moderate and Low. However, of the two, FedRAMP is more stringent and specific regarding controls. This helps federal agencies utilizing cloud technologies to have more trusted SaaS, PaaS or IaaS platforms from CSPs. 

FedRAMP is also more specific than NIST when providing assignment details. For example, in AC-2 (j), NIST leaves organizations leeway to define the frequency of account reviews. FedRAMP, on the other hand, specifies that accounts are reviewed at least annually. This trend is visible throughout FedRAMP: it fixes specific periods for assignments that NIST SP 800-53 leaves to the organization’s discretion.
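As an added example (not code from the article, NIST or FedRAMP), the following Python models the three ideas above: which controls a baseline includes at each impact level, the text-box versus drop-down distinction between assignment and selection statements, and a FedRAMP-style overlay that bounds the AC-2 (j) review frequency. The catalog subset and the AC-12 selection choices are constructed for illustration and are not quoted from the standard.

```python
"""Toy model of SP 800-53 tailoring: baselines, assignment vs. selection, FedRAMP overlay."""
import copy
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("Low", "Moderate", "High")          # FIPS 199 impact levels

@dataclass
class Param:
    kind: str                                  # "assignment" (free text box) or "selection" (drop-down)
    choices: tuple = ()                        # allowed values for a selection statement
    max_days: Optional[int] = None             # overlay bound for a frequency assignment

@dataclass
class Control:
    cid: str
    title: str
    baselines: frozenset                       # impact levels whose baseline includes the control
    params: dict = field(default_factory=dict)

# Constructed catalog subset. Baseline membership follows the article; the AC-12
# selection choices are invented for illustration, not taken from the standard.
CATALOG = {
    "AC-2": Control("AC-2", "Account Management", frozenset(LEVELS),
                    {"j_review_frequency_days": Param("assignment")}),
    "AC-12": Control("AC-12", "Session Termination", frozenset({"Moderate", "High"}),
                     {"termination_trigger": Param("selection", ("inactivity_timeout", "user_logout"))}),
    "AC-14": Control("AC-14", "Permitted Actions without Identification or Authentication",
                     frozenset(LEVELS)),
    "AC-23": Control("AC-23", "Data Mining Protection", frozenset()),
}

def baseline(level: str, catalog: dict = CATALOG) -> list:
    """Control IDs a system at the given impact level must implement."""
    return sorted(c.cid for c in catalog.values() if level in c.baselines)

def apply_fedramp_overlay(catalog: dict = CATALOG) -> dict:
    """Return a copy where the AC-2 (j) assignment is bounded: reviews at least annually."""
    tailored = copy.deepcopy(catalog)
    tailored["AC-2"].params["j_review_frequency_days"].max_days = 365
    return tailored

def validate(catalog: dict, cid: str, pname: str, value) -> tuple:
    """Check an organization-defined value against its statement type and any overlay bound."""
    p = catalog[cid].params[pname]
    if p.kind == "selection" and value not in p.choices:
        return False, f"{cid} {pname}: {value!r} is not one of {p.choices}"
    if p.kind == "assignment" and p.max_days is not None and int(value) > p.max_days:
        return False, f"{cid} {pname}: {value} days exceeds the {p.max_days}-day bound"
    return True, "ok"
```

Under the plain NIST catalog any review interval is accepted for AC-2 (j); after the overlay, an interval longer than 365 days is rejected, while a selection value outside the drop-down is rejected in both.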

FedRAMP also requires further control enhancements beyond the NIST SP 800-53 requirements. For example, CA-07 (Continuous Monitoring) requires monthly scans of operating systems, databases and web applications. It also requires annual scans by an independent assessor.

Managing Compliance with StandardFusion

A close review of FedRAMP shows that it mandates additional control requirements for more than 50 controls in just the Moderate Impact Level. Meeting FedRAMP or NIST SP 800-53 control requirements is undoubtedly challenging but is ultimately required by FISMA. Furthermore, managing hundreds of controls, let alone compliance, is near impossible with spreadsheets and manual documents.

Want easier compliance?

Save yourself the headache of manually managing GRC, schedule a demo with our team, and see how you can streamline NIST SP 800-53 and FedRAMP compliance.

StandardFusion makes it easy to manage information security risks and compliance with multiple regulations. With our software, users can develop common controls and map them to countless regulatory requirements, risks, and tasks, reducing redundancies across the board.

Define your control enhancements, set their implementation, and continuously monitor your assets in a single system of record.