NIST SP 800-53

National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4, entitled Security and Privacy Controls for Federal Information Systems and Organizations, provides a catalog of controls that support the development of secure and resilient federal information systems. It is published by NIST, a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems.

NIST Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. NIST SP 800-53 belongs to the Special Publication 800-series, which reports on the Information Technology Laboratory's (ITL) research, guidelines, and outreach efforts in information system security, and on ITL's activity with industry, government, and academic organizations. Its companion document, NIST SP 800-53A, Revision 4, is part of the same series.

The Department of Defense (DoD) issued a final rule on November 18, 2013, to amend the Defense Federal Acquisition Regulation Supplement (DFARS) with the addition of Subpart 204.732, Safeguarding Controlled Unclassified Information (CUI), and an associated contract clause, DFARS 252.204-7012. The rule applies to all new DoD solicitations, contracts, and newly modified existing contracts which involve CUI resident on, or transiting through, contractor unclassified information systems. The rule affects all DoD contractors and subcontractors, including vendors of commercial goods, as well as DoD personnel carrying out activities involved with the Federal Acquisition Regulation (FAR) system.

The primary objectives of the rule are to 1) strengthen DoD’s data security requirements for controls that govern access to CUI on DoD contractor information systems, and 2) impose new reporting and damage assessment requirements in the event of cyber incidents which involve possible unauthorized access, disclosure, manipulation, or any loss or compromise of CUI on contractor systems. CUI is information which is not classified under Executive Order 13526 or the Atomic Energy Act, but still requires safeguarding and controls due to its potential to threaten national security, adversely affect government function, and/or negatively impact the public were the information to be made available to the wrong parties.

Our NIST assessments evaluate and document your organization's adherence to security controls recommended by NIST SP 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. Our RMF Pros use an industry-standard 5-level rating scale to evaluate organizational compliance.

Upon completion of our assessment, we compile interviewee responses, collect statistical samples, verify evidence artifacts, grade the current status of IT Security policies and controls against published control baselines, and provide recommendations to improve organizational compliance. Our report provides a brief background of NIST SP 800-53, describes the methodology used to perform an independent assessment, identifies findings, and includes detailed information (graphs, tables, and reports) involved in addressing the current status of security controls to prevent unauthorized access to media, systems, devices, and supporting systems used for the storage, transfer, and/or processing of data.

IT Risk Pros offers years of experience assisting government contractors of all sizes to secure their information infrastructure using NIST standards. From risk and gap analysis, to developing a roadmap to compliance and even providing implementation assistance, our IT Risk Pros will lead you throughout the entire cybersecurity lifecycle.

Call IT Risk Pros today at 888.811.RISK (7475), or email us at to discuss your NIST SP 800-53 compliance needs with an experienced auditor and consultant.