Network World
NIST SP800-53 Rev. 3: Risk Management Framework Underpins the Security Life Cycle

By M. E. Kabay , Network World , 10/28/2009

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides a unified information security framework for achieving information system security and effective risk management across the entire federal government. In this second of four articles about the latest revision of this landmark Special Publication from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory, Paul J. Brusil reviews the framework for risk management offered in SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which was prepared by a panel of experts drawn from throughout the U.S. government and industry. Everything that follows is Brusil's work with minor edits.

* * *

The Risk Management Framework in SP 800-53 (Chapter 3) invokes NIST document SP 800-39, Managing Risk from Information Systems: An Organizational Perspective, to specify the risk management framework for developing and implementing comprehensive security programs for organizations. SP 800-39 also provides guidance for managing risk associated with the development, implementation, operation, and use of information systems.

Part 1: NIST SP800-53 Rev. 3: Key to Unified Security Across Federal Government and Private Sectors

The risk management activities within the Risk Management Framework include the six steps of:
1) Categorizing information and the information systems that handle the information.
2) Selecting appropriate security controls.
3) Implementing the security controls.
4) Assessing the effectiveness and efficiency of the implemented security controls.
5) Authorizing operation of the information system.
6) Monitoring and reporting the ongoing security state of the system.

The risk management activities are detailed across several NIST documents (as identified in SP 800-53, Figure 3-1), of which SP 800-53 is only one. SP 800-53 focuses primarily on step (2): security control selection, specification and refinement. SP 800-53 is intended for new information systems, legacy information systems and external providers of information system services.

To start the risk management process, each organization uses two other mandatory, NIST-developed government standards. One standard is used to determine the security category of each of an organization's information types and information systems. The other standard is used to designate each information system's impact level (low-impact, moderate-impact or high-impact). The impact level identifies the significance that a breach of the system would have for the organization's mission. These standards are Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. Companion guidelines in another NIST recommendation, SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Rev. 1, facilitate mapping information and information systems into categories and impact levels. SP 800-53 summarizes the categorization activities in Section 3.2.
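The two paragraphs above describe RMF step (1), categorization under FIPS 199, and the input it provides to step (2), selecting an SP 800-53 baseline by impact level. The script below is an added example written for this article, not code from NIST or the article's author. It implements the categorization rules as FIPS 199 and FIPS 200 state them, which the article does not spell out: a system's security category takes, per security objective (confidentiality, integrity, availability), the highest impact of any information type the system handles; "not applicable" is allowed only for the confidentiality of an individual information type, never at system level, where the floor is LOW; and the system impact level is the FIPS 200 "high water mark," the highest of the three objective values. The information types and their impact values are constructed for illustration, and the `baseline_name` strings are a naming convenience, not an identifier from SP 800-53.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    # FIPS 199 potential impact values. NOT_APPLICABLE is permitted only for the
    # confidentiality objective of an individual information type (e.g. public
    # data); a system-level security category never drops below LOW.
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One type of information a system handles, with its FIPS 199 impact triple."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 does not allow "not applicable" for integrity or availability.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: NOT_APPLICABLE is only allowed for confidentiality")


def security_category(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """FIPS 199 security category of a system: for each objective, the highest
    impact over all information types handled, floored at LOW at system level."""
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for info_type in info_types:
        for obj in OBJECTIVES:
            category[obj] = max(category[obj], getattr(info_type, obj))
    return category


def impact_level(category: Dict[str, Impact]) -> Impact:
    """FIPS 200 high water mark: the system impact level is the highest objective value."""
    return max(category.values())


def baseline_name(level: Impact) -> str:
    """Label for the SP 800-53 Rev. 3 initial baseline selected in RMF step (2)
    for a system of this impact level (naming is this example's own)."""
    return f"{level.name}-impact baseline"


def fips199_notation(system: str, category: Dict[str, Impact]) -> str:
    """Render the category in the FIPS 199 style: SC x = {(objective, impact), ...}."""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system} = {{{inner}}}"


def categorize(info_types: Iterable[InfoType]) -> Tuple[Dict[str, Impact], Impact, str]:
    """Run step (1) and hand step (2) its starting point: category, level, baseline."""
    category = security_category(info_types)
    level = impact_level(category)
    return category, level, baseline_name(level)


# Constructed sample inventory; names and impact values are illustrative, not from NIST.
PORTAL_TYPES: List[InfoType] = [
    InfoType("public web content", Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    InfoType("employee PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]
KIOSK_TYPES: List[InfoType] = [
    InfoType("public brochures", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
]

if __name__ == "__main__":
    for system, types in (("portal", PORTAL_TYPES), ("kiosk", KIOSK_TYPES)):
        category, level, baseline = categorize(types)
        print(fips199_notation(system, category), "->", level.name, "->", baseline)
```

The kiosk case shows the system-level floor at work: its only information type has confidentiality "not applicable," yet the system's confidentiality objective is reported as LOW, and the high water mark makes it a low-impact system. Adding a single moderate-impact information type to the portal lifts the whole system to the moderate-impact baseline, which is why the inventory of information types handled is the first thing to get right in step (1).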
