NIST 800-53 Interview Questions

In this article, we discuss controls in the context of the NIST SP 800-53 and NIST SP 800-171 requirements and their many variations. NIST SP 800-53 provides a fundamental understanding of how government and many commercial organizations structure control language. If you work in the government sector, you have most likely come across NIST SP 800-53 in other forms: CNSSI 1253, internal DoD Assessment and Authorization (A&A) processes, FedRAMP, and the emerging A&A approaches around cATO, cRMF, FastATO, Accelerated ATO, and our very own micro-layered ATO for the cloud. These are all derivative works of NIST SP 800-53. We can take it one step further: many industry frameworks such as PCI DSS, HITRUST, and FFIEC-CAT essentially look to NIST as the reference authority when it comes to defining information security structures, strategy, and information assurance systems.

If you work within the Defense Industrial Base (DIB) and must comply with CMMC 2.0, NIST SP 800-171, and/or the DoD Assessment Methodology (DoDAM), understanding the anatomy of a control and its assessment procedure is important preparation for an external audit.

It is therefore key for compliance-as-code professionals, developers, compliance professionals, and cyber professionals to understand controls at a foundational level. A control has two main parts: the control itself and the assessment procedures (test cases) associated with it.

Control families are the starting point: every control belongs to a family. NIST SP 800-171 and CMMC 2.0 reuse a subset of the NIST SP 800-53 families, with the same family names and acronyms.

NIST SP 800-53 Rev 5 has 20 control families. The family provides the basic context for reading a control's language.

The second part, and often the forgotten one, is the set of test cases or assessment procedures. Their source is sometimes called the "Alpha" document, because the procedures are documented in the companion publications NIST SP 800-53A and NIST SP 800-171A.

The assessment guide contains assessment procedures built from determination statements, each beginning with "Determine if:". The language closely mirrors the control language itself, converted into an audit question that the assessor answers with a finding of satisfied or other than satisfied.

Assessment methods (examine, interview, test) and assessment objects tell the assessor which documentation to examine, whom to interview, and which technical tests to run to produce evidence of compliance.

A distinctive feature of NIST SP 800-53 compared with many other frameworks is that measurement criteria are built directly into the control structure and assessment procedures, rather than left to supplementary guidance or procedural documents. These criteria are captured as organization-defined parameters (ODPs), written in the catalog as [Assignment: organization-defined ...] or [Selection: ...] placeholders that the organization must fill in before a control can be implemented or assessed. Organizations (public and private) leverage some or all of these controls in different ways when organizing their risk management processes.
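To make the ODP mechanism concrete for compliance-as-code work, here is an added example that is not code or text from this article or from NIST. It models a control with a parameter placeholder, renders the "Determine if:" determination statements once the organization has set a value, refuses to render when an ODP is unassigned, and runs an automated "test" method that compares collected evidence against the parameter. The control wording is constructed in the style of the catalog (modelled on audit record retention) rather than quoted from it; the placeholder syntax, the parameter name, the ODP value and the evidence are all assumptions.

```python
"""Compliance-as-code sketch: an organization-defined parameter (ODP) turning
control language into a measurable assessment.

Added illustration, not code or text from the article or from NIST. The
control and objective wording below is constructed in the style of the
catalog (modelled on audit record retention) and is not a verbatim quote;
the placeholder syntax, parameter names and evidence are assumptions."""
from dataclasses import dataclass, field
import re
from typing import Dict, List

# Assumed placeholder syntax for an ODP inside control or objective text.
ODP = re.compile(r"\[Assignment: (?P<name>[a-z_]+)\]")


class UnassignedParameter(Exception):
    """Raised when a control references an ODP the organization never set."""


@dataclass
class Control:
    control_id: str
    title: str
    statement: str               # control language, may contain ODPs
    objectives: List[str]        # 800-53A-style determination statements
    methods: Dict[str, List[str]] = field(default_factory=dict)  # method -> objects


def render(template: str, params: Dict[str, object]) -> str:
    """Substitute ODP values into control or objective text.

    An unassigned ODP is a hard error: without a value the statement is not
    testable, so the control cannot be implemented or assessed yet."""
    def substitute(match) -> str:
        name = match.group("name")
        if name not in params:
            raise UnassignedParameter(f"{name} has no organization-defined value")
        return str(params[name])
    return ODP.sub(substitute, template)


def is_assessable(control: Control, params: Dict[str, object]) -> bool:
    """True when every ODP in the statement and objectives has a value."""
    texts = [control.statement, *control.objectives]
    return all(m.group("name") in params for t in texts for m in ODP.finditer(t))


def determination_statements(control: Control, params: Dict[str, object]) -> List[str]:
    """The 'Determine if:' questions an assessor would work from."""
    return [f"Determine if: {render(o, params)}" for o in control.objectives]


def assess_retention(params: Dict[str, object], evidence: Dict[str, int]) -> Dict[str, str]:
    """Automated 'test' method for the retention objective: compare each
    system's configured retention (days) to the ODP and record a finding
    using 800-53A's two outcomes."""
    required = int(params["retention_days"])
    return {system: ("satisfied" if days >= required else "other than satisfied")
            for system, days in evidence.items()}


# Constructed sample control (wording modelled on AU-11, not quoted from it).
AUDIT_RETENTION = Control(
    control_id="AU-11",
    title="Audit Record Retention",
    statement=("Retain audit records for [Assignment: retention_days] days "
               "to provide support for after-the-fact investigations."),
    objectives=[
        "audit records are retained for [Assignment: retention_days] days",
        "the retention period supports after-the-fact investigations of incidents",
    ],
    methods={
        "examine": ["audit record retention policy", "log platform retention settings"],
        "interview": ["personnel with audit record retention responsibilities"],
        "test": ["mechanisms implementing audit record retention"],
    },
)

# ODP values are set by the organization, outside the catalog (assumed value).
ORG_PARAMS = {"retention_days": 90}

# Constructed evidence: configured retention per system, e.g. pulled from a
# log platform's API by the 'test' method.
EVIDENCE = {"siem-prod": 365, "app-logs-staging": 30}


if __name__ == "__main__":
    print(render(AUDIT_RETENTION.statement, ORG_PARAMS))
    for line in determination_statements(AUDIT_RETENTION, ORG_PARAMS):
        print(line)
    print(assess_retention(ORG_PARAMS, EVIDENCE))
    print("assessable without ODP values:", is_assessable(AUDIT_RETENTION, {}))
```

The point of the `UnassignedParameter` path is that a control with an empty ODP is a gap in the organization's tailoring, not an assessor's problem to guess at; a compliance-as-code pipeline should fail loudly there rather than silently pass the control. In a real pipeline the evidence dictionary would be populated from the log platform's configuration rather than hard-coded.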

Why Is NIST 800-53 So Important?

NIST SP 800-53 is important because it was designed to keep federal agencies' information and systems secure. Everything from global malware outbreaks to increasingly sophisticated intrusion campaigns has made extensive security measures necessary. The publication focuses on the central idea of building information systems correctly and then continuously monitoring them; if these two basic steps are taken, risk to information systems is significantly lowered. There are several specific reasons why following the guidelines matters.

  • Complying with NIST SP 800-53 helps an organization meet other obligations, such as FISMA, which requires federal agencies to apply it.
  • It gives public and private organizations a shared, well-tested control vocabulary, so security work maps cleanly to what auditors, customers, and regulators expect.
  • It raises the security baseline for the data and information systems within an organization; it does not by itself guarantee that they are secure.
How Do You Implement NIST 800-53?

Before looking at the requirements and how to implement them, it is important to understand how NIST SP 800-53 is organized. First, controls are selected against one of three baselines tied to the system's FIPS 199 impact level: the Low, Moderate, and High impact baselines (in Rev 5 the baselines live in the companion publication SP 800-53B). Second, each control is implemented in one of three ways:

  • Common – implemented once and inherited by multiple systems, for example an enterprise identity provider or the physical security of a shared data center.
  • System-specific – implemented by and for a single system, such as a particular application's own access control logic.
  • Hybrid – partly common and partly system-specific, for example an organization-wide incident response plan with system-specific procedures appended.
The following are the specific steps of the Risk Management Framework (NIST SP 800-37) that an organization works through when implementing NIST SP 800-53. (SP 800-37 Rev 2 adds a Prepare step ahead of these.)

  • Categorize the System – Which data and systems need to be protected, and what is the impact if their confidentiality, integrity, or availability is lost? The answer (FIPS 199 low, moderate, or high) drives everything that follows, so this is the first question an organization should ask.
  • Select Controls – Start from the baseline for the impact level, then tailor it: add, remove, or adjust controls and fill in the organization-defined parameters. The goal is a control set that reduces risk and that staff can realistically understand and follow.
  • Implement Controls – Create a detailed plan specifying how, when, and by whom each control is put into practice, and document the implementation in the system security plan. Management needs to be on board with this plan.
  • Assess Controls – An assessor, ideally independent of the system owner, evaluates whether each control is implemented correctly, operating as intended, and producing the desired outcome, using the procedures in SP 800-53A. Weaknesses found go into a plan of action and milestones.
  • Authorize the System – A senior official (the authorizing official) reviews the assessment results and the residual risk and decides whether to grant an authorization to operate (ATO).
  • Monitor – Ongoing monitoring is the last step, and it is not a one-time task. Decide which controls to monitor, how, and how often, and keep accurate records and reports; changes to the system or its threat environment feed back into the earlier steps.
The guidelines described here cover over 200 controls in 18 areas known as control families, each identified by an acronym such as AC for Access Control and CP for Contingency Planning. Note that 18 families and the counts below reflect SP 800-53 Rev 4; Rev 5 has 20 families, adding PII Processing and Transparency (PT) and Supply Chain Risk Management (SR) and renaming CA to Assessment, Authorization, and Monitoring. According to NIST, the 18 Rev 4 families and some of the control requirements in each are as follows.

  • Access Control (AC) – 25 controls, including information sharing, access control for mobile devices, wireless and remote access, and information flow enforcement.
  • Audit and Accountability (AU) – 16 controls, covering audit review, analysis, and reporting, audit record retention, audit generation, and response to audit processing failures.
  • Awareness and Training (AT) – 5 controls: awareness and training policy and procedures, security awareness training, role-based training, training records, and contacts with security groups and associations.
  • Configuration Management (CM) – 11 controls, including configuration settings, security impact analysis, user-installed software, and software usage restrictions.
  • Contingency Planning (CP) – 13 controls, including the contingency plan, contingency training, alternate storage site, telecommunications services, and alternate communications protocols.
  • Identification and Authentication (IA) – 11 controls, including identifier management, authenticator management, authenticator feedback, and device identification and authentication.
  • Incident Response (IR) – 10 controls covering incident response training, testing, handling, monitoring, and reporting.
  • Maintenance (MA) – 6 controls: policy and procedures, controlled maintenance, maintenance tools, nonlocal maintenance, maintenance personnel, and timely maintenance.
  • Media Protection (MP) – 8 controls, including media access, storage, sanitization, use, and downgrading.
  • Personnel Security (PS) – 8 controls covering position risk designation, screening, transfer, and termination of employees, plus access agreements, third-party personnel security, and personnel sanctions.
  • Physical and Environmental Protection (PE) – 20 controls, including emergency power and lighting, water damage and fire protection, visitor control, and visitor access records.
  • Planning (PL) – 9 controls, including the system security plan, rules of behavior, privacy assessments, and central management.
  • Program Management (PM) – 16 controls, including information security resources, the critical infrastructure plan, the risk management strategy, and the threat awareness program.
  • Risk Assessment (RA) – 6 controls, including risk assessment, security categorization, risk assessment update, and vulnerability scanning.
  • Security Assessment and Authorization (CA) – 9 controls covering the planning and execution of security assessments, determining the effectiveness of controls, and assigning roles in the authorization process.
  • System and Communications Protection (SC) – 44 controls, including cryptographic protection, application partitioning, and information in shared resources.
  • System and Information Integrity (SI) – 17 controls, including flaw remediation, malicious code protection, spam protection, error handling, and information output filtering.
  • System and Services Acquisition (SA) – 22 controls, including developer-provided training, customized development of critical components, security engineering principles, and developer security testing and evaluation.
Is it OK to use a password manager?

Using a password manager for your personal online accounts is a terrific way to stay secure, but check your company's policies before using any software at work.

Password managers store your passwords and generate unique ones for each site. Keeping all your passwords in one place does concentrate risk, so it is important to understand how the vault is protected: look for a design where the vault is encrypted on your device with a key derived from your master password (so the vendor cannot read it), use a long master passphrase, and enable multi-factor authentication on the account. There are various commercial products that work across devices and browsers, so do your research to find one that best meets your needs.

FAQ

What are the NIST 800-53 technical controls?

NIST SP 800-53 is a cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology. It is a continuously updated catalog that defines controls and assessment procedures flexibly, so that organizations can select and tailor them based on risk, cost-effectiveness, and capabilities.

How many controls are there in NIST 800-53 moderate?

What are the NIST 800-53 control families?

The first eight of the 20 Rev 5 families, in acronym order (the remaining families are listed above):
  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response

How many controls does 800-53 have?

NIST SP 800-53 has had five revisions and, in Rev 5, catalogs over 1,000 controls and control enhancements. The catalog gives federal agencies (and any other organization that adopts it) recommended security and privacy controls for information systems and organizations, to protect against security weaknesses and cyber attacks.
