Collaboration with the Cybersecurity Framework
CSF (Cybersecurity Framework) and 800-53 cover each other's weaknesses: CSF has more of a top-down decision-making process, while NIST SP 800-53 takes a bottom-up approach. The combination gave developers an easier approach to creating new platforms and software. Use of Extensible Markup Language (XML) helped ease the combination of CSF and 800-53 and eventually led to the creation of Baseline Tailor, a tool for using the two security catalogs together.[1]
The two rely on five primary functions:[1]
- ID – Identify
- PR – Protect
- DE – Detect
- RS – Respond
- RC – Recover
Originally intended for the U.S. government, NIST SP 800-53 expanded into a framework for security changes globally.[2]
Control Baseline Levels
NIST 800-53 Low
- For systems where a security breach would result in minor risk, the Low baseline deploys 149 different controls and enhancements that add security ranging from multi-factor authentication to basic security policies.
NIST 800-53 Moderate
- For systems where a security breach would result in moderate risk, the Moderate baseline deploys 138-287 different controls and enhancements to help combat a more threatening attack through robust systems and advanced measures to hide important information.
NIST 800-53 High
- For systems where a security breach would result in severe risk, the High baseline deploys 370 different controls and enhancements to defend against even the most volatile attacks. This provides the maximum security and the best systems and measures to prevent further damage to the system.[3]
As part of the ongoing cyber security partnership among the United States Department of Defense, the intelligence community, and the federal civil agencies, NIST has launched its biennial update to Special Publication 800‐53, “Security and Privacy Controls for Federal Information Systems and Organizations,” with an initial public draft released on February 28, 2012. The 2011–12 initiative will include an update of current security controls, control enhancements, supplemental guidance and an update on tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas include, but are not limited to:
- Insider threats;
- Software application security (including web applications);
- Social networking, mobile devices, and cloud computing;
- Cross domain solutions;
- Advanced persistent threats;
- Supply chain security;
- Privacy.
Revision 4 is broken up into 18 control families, including:
- AC – Access Control, whose controls include:
| Control | Name |
| AC-2 | Account Management |
| AC-3 | Access Enforcement |
| AC-5 | Separation of Duties |
| AC-6 | Least Privilege |
| AC-7 | Unsuccessful Login Attempts |
| AC-8 | System Use Notification |
| AC-17 | Remote Access |
| AC-18 | Wireless Access Restrictions |
| AC-19 | Access Control for Mobile Devices |
- AU – Audit and Accountability
- AT – Awareness and Training
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification and Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PS – Personnel Security
- PE – Physical and Environmental Protection
- PL – Planning
- PM – Program Management
- RA – Risk Assessment
- CA – Security Assessment and Authorization
- SC – System and Communications Protection
- SI – System and Information Integrity
- SA – System and Services Acquisition
Information on these control families and the controls contained within can be found on the NIST website at the following link: https://nvd.nist.gov/800-53/Rev4
Network Access Control (NAC) is a tool that has been used to help reach NIST 800-53 standards; it applies the Access Control family to authorize devices that wish to join the network. NAC also provides an easy and adaptable control to meet an organization's security needs.[4]
NIST SP 800-53 Revision 5 removes the word “federal” to indicate that these regulations may be applied to all organizations, not just federal organizations. The first public draft was published on August 15, 2017. A final draft release was set for publication in December 2018, with the final publication date set for March 2019. Per the NIST Computer Security Resource Center (CSRC), major changes to the publication include:
- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
- Eliminating the term “information system” and replacing it with the term “system” so the controls can be applied to any type of system including, for example, general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
- De-emphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
- Promoting integration with different risk management and cyber security approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state of the practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.
Revision 5 raised SP 800-53 to a new height, coming seven years after the last major update to NIST's security guidelines. It was further enhanced to serve the security interests of the United States and the millions of downloads the publication has accumulated since 2013.[5]
Revision 5 Control Families
The control families became a larger factor with Revision 5 and have the purpose of providing safeguards and protection for accomplishing security objectives. Every control is involved in a different policy and process used by the system's security measures. With the upgrade from Revision 4 to Revision 5, the number of control families increased from 18 to 20 with the inclusion of Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR).[6]
NIST offers the power of controls to the government, but an Authorization to Operate (ATO) is required first. The ATO determines which controls are activated and utilized for the system automatically. Systems that involve greater risks are issued an increased number of controls to defend against outside threats. Groups of controls are referred to as topics or, in other cases, control families.[7]
The development of Revision 5 allows the public and private sectors to use NIST to control major growing threats from hostile attacks and natural disasters, minimizing damage from attacks the moment they occur.[8]
As of September 2019, Revision 5 was delayed due to a potential disagreement among the Office of Information and Regulatory Affairs (OIRA) and other U.S. agencies.
The final version of Revision 5 was released on September 23, 2020 and is available on the NIST website at the following link: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Expansion into Companies
Amazon Web Services
NIST SP 800-53 Revision 5 is one of the main frameworks applied to AWS's systems. It provides a vast list of security measures and privacy requirements that every company must comply with. Revision 5 checks are automated within AWS systems to provide guidelines and system checks.[9]
TCCE
The Technical Control Compliance Evaluation (TCCE) checklist was created to check the reliability and validity of a framework that included NIST 800-53. It used a combination of 55 steps and 66 shell commands to test 48 different NIST 800-53 controls. 17 controls failed to reach the TCCE requirement and were left out pending major improvements. NIST 800-53 was eventually used to create future security baselines and other frameworks that built on 800-53's reliability.[2]
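As an added illustration of the kind of shell-command check a technical control compliance evaluation runs (this is example code, not the TCCE checklist or the paper's own scripts), the script below checks two Access Control family controls against constructed configuration files: AC-7 (a lockout threshold is configured; the assumed organization-defined maximum is 5 failed attempts) and AC-8 (a non-empty system use notification banner exists). File paths are parameters so the checks can be pointed at copies of real configs.

```shell
#!/bin/sh
# Added example; not from the page or the TCCE authors.
# AC-7: pam_faillock-style "deny = N" must be present with 1 <= N <= 5
#       (5 is an assumed organization-defined threshold).
# AC-8: the login banner file must contain at least one non-blank line.

# check_ac7 FAILLOCK_CONF -> exit 0 when a compliant "deny = N" is set
check_ac7() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # last uncommented "deny = N"; "deny_root" and "# deny" lines do not match
    n=$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$n" ] && [ "$n" -ge 1 ] && [ "$n" -le 5 ]
}

# check_ac8 BANNER_FILE -> exit 0 when the banner has non-whitespace content
check_ac8() {
    banner="$1"
    [ -r "$banner" ] || return 1
    grep -q '[^[:space:]]' "$banner"
}

# evaluate CONTROL_ID CHECK_FUNCTION FILE -> prints PASS/FAIL, returns the check status
evaluate() {
    if "$2" "$3"; then echo "$1 PASS ($3)"; else echo "$1 FAIL ($3)"; return 1; fi
}

# Constructed sample configs: one passing and one failing case per control.
tmp=$(mktemp -d)
printf 'deny = 3\nunlock_time = 900\n' > "$tmp/faillock_ok.conf"
printf '# deny = 3\ndeny = 100\n'      > "$tmp/faillock_bad.conf"
printf 'Authorized use only. Activity may be monitored.\n' > "$tmp/issue_ok"
printf '\n\n'                          > "$tmp/issue_bad"

# Run the mini checklist and tally failures, as a TCCE-style summary would.
fails=0
evaluate AC-7 check_ac7 "$tmp/faillock_ok.conf"  || fails=$((fails+1))
evaluate AC-7 check_ac7 "$tmp/faillock_bad.conf" || fails=$((fails+1))
evaluate AC-8 check_ac8 "$tmp/issue_ok"          || fails=$((fails+1))
evaluate AC-8 check_ac8 "$tmp/issue_bad"         || fails=$((fails+1))
echo "$fails of 4 checks failed"
rm -rf "$tmp"
```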
800-53B
NIST Special Publication 800-53B is a companion document to Revision 5 and provides a set of baseline security controls and privacy controls for information systems and organizations. The baselines establish default controls based on FISMA impact levels (Privacy, Low, Moderate, and High) and can be easily tailored to organizational risk and privacy management processes.[10]
Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results.[11]
NIST Special Publication 800-53B was initially released in September 2020 as “Control Baselines for Information Systems and Organizations.”[12]
NIST released SP 800-53 version 5.2.0 on August 27, 2025, to improve the security and reliability of existing software in alignment with Executive Order 14306. Release 5.2.0 improves system and software resilience and supports security measures. It provides updates to SP 800-53A but no additional updates to SP 800-53B.[13] Release 5.2.0 also brought new control enhancements and revisions to existing controls, such as SA-15(13), SA-24, SI-02(07) and SI-07(12).[14]
References
[1] “Balisage: Integrating Top-down and Bottom-up Cybersecurity Guidance using XML”. www.balisage.net. Retrieved 2025-10-27.
[2] Hoang, Tony; Qu, Yanzhen (2024-03-15). “Creating A Security Baseline and Cybersecurity Framework for the Internet of Things Via Security Controls”. European Journal of Electrical Engineering and Computer Science. 8 (2): 9–16. doi:10.24018/ejece.2024.8.2.609. ISSN 2736-5751.
[3] “NIST 800-53 Security Control Baselines: Low vs Moderate vs High”. Secureframe. Retrieved 2025-10-29.
[4] “A Closer Look at NIST SP 800 53 Access Control Requirements”. Portnox. Retrieved 2025-10-29.
[5] Ross, Ron (2020-09-23). “The Next Generation Security and Privacy Controls: Protecting the Nation's Critical Assets”. NIST.
[6] “NIST SP 800-53”. Hyperproof. Retrieved 2025-12-01.
[7] “An introduction to security and privacy controls – Digital.gov”. digital.gov. 2023-10-16. Retrieved 2025-12-01.
[8] “NIST SP 800-53 Rev. 5: What You Need To Know | NAVEX”. www.navex.com. 2020-06-01. Retrieved 2025-12-01.
[9] “NIST SP 800-53 Revision 5 in Security Hub CSPM – AWS Security Hub”. docs.aws.amazon.com. Retrieved 2025-12-01.
[10] Computer Security Division, Information Technology Laboratory (2020-10-28). “Control Baselines: NIST Publishes SP 800-53B | CSRC”. CSRC | NIST. Retrieved 2025-10-29.
[11] Pillitteri, Victoria (2020). “NIST Special Publication 800-53B Control Baselines for Information Systems and Organizations”. NIST Publications. doi:10.6028/NIST.SP.800-53B.
[12] Joint Task Force (2020-12-10). “Control Baselines for Information Systems and Organizations”. NIST Publications. doi:10.6028/NIST.SP.800-53B. Retrieved 2021-11-10.
[13] Computer Security Division, Information Technology Laboratory (2025-08-26). “NIST Releases Revision to SP 800-53 Controls | CSRC”. CSRC | NIST. Retrieved 2025-11-30.
[14] Joint Task Force (2020-12-10). Security and Privacy Controls for Information Systems and Organizations (Report). National Institute of Standards and Technology.