NIST SP 800-53: CMMC’s Hidden Standard

March 5, 2021

The long and winding road from CMMC to NIST SP 800-171 to NIST SP 800-53

Released as a set of minimum controls enabling compliance with the Federal Information Security Modernization Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 now has the spotlight shining on it again. Although the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) doesn’t mention it, NIST 800-53 is the hidden standard that helps meet CMMC Level 3 certification. Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework.

What is NIST SP 800-53?

According to 800-53’s “Purpose and Applicability” section, the publication helps organizations identify and implement a minimum set of privacy and security controls. These minimum baselines can be used with the Risk Management Framework (SP 800-37), the Cybersecurity Framework (NIST CSF), or the Privacy Framework (NIST PF).

NIST SP 800-53 contains twenty control families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Assessment, Authorization, and Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authorization
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information Processing and Transparency
  16. Risk Assessment
  17. System and Services Acquisition
  18. System and Communications Protection
  19. System and Information Integrity
  20. Supply Chain Risk Management

How to get from CMMC to NIST 800-53

Even though CMMC never mentions NIST 800-53, the long and winding road is typical of government regulations and standards.

According to the website, CMMC is an attempt to build upon the existing Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Any member of the Defense Industrial Base (DIB) that wants to bid on a DoD contract needs to comply with DFARS. DFARS 252.204-7012(b)(2)(ii)(A) defines “adequate security” for covered contractor information systems as the controls listed in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

CMMC also references NIST 800-171. CMMC Level 3 requires DIB contractors to meet all the NIST 800-171 requirements, and NIST 800-171 is where 800-53 is buried. The cautionary note on page vi of NIST 800-171 states that “the requirements recommended for use in this publication are derived from FIPS 200 and the moderate security controls baseline in SP 800-53.”

In other words, just like all roads once led to Rome, all CMMC and DFARS compliance roads lead to 800-53.

Why is NIST 800-53 hard to implement?

Companies trying to meet NIST 800-53 baselines often find section 3.5, “Configuration Management,” the most challenging. This control family consists of 14 categories of controls, totaling 56 controls.

NIST 800-171 lists only 9 configuration management security requirements. However, embedded in those 9 are 800-53’s 14 control categories and 56 controls. In other words, NIST 800-171, which CMMC Level 3 compliance requires, squashes many requirements into a tiny, not-so-neat package.

For example, CM-6 “Configuration Settings” in NIST 800-53 requires companies to:

  • establish and document configuration settings for components
  • implement the configuration settings
  • identify, document, and approve any deviations
  • monitor and control changes to the configuration settings

The control’s discussion section explains that established benchmarks can be found for the following:

  • mainframe computers
  • servers
  • workstations
  • operating systems
  • mobile devices
  • input/output devices
  • protocols
  • applications

Additionally, the parameters that impact the benchmarks include:

  • registry settings
  • account, file, or directory permission settings
  • settings for functions, protocols, ports, services, and remote connections
  • access controls
  • data processing preferences
  • processing and retention permissions

Even more concerning, this is just 1 of the 56 controls in the Configuration Management control family. In other words, organizations that need to meet compliance have to put a great deal of work into each of these 56 controls, and that’s still only one control family out of twenty.
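To make the four CM-6 activities concrete, here is an added example (not code from the page, from NIST, or from SteelCloud) that models them in a small script: a documented baseline of settings, a register of approved deviations (waivers) with justifications, and a check that reports any observed setting that differs from the baseline without an approved waiver. The hosts, setting names and values are constructed samples, not real benchmark content.

```python
"""CM-6 style baseline check: establish/document a baseline, record approved
deviations, and monitor observed settings for unapproved changes.
Added example; all hosts, settings and waiver ids below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    # Establish and document: the approved value for each configuration setting.
    settings: dict
    # Identify, document and approve deviations:
    # (host, setting) -> {"value": approved value, "justification": text}
    approved_deviations: dict = field(default_factory=dict)


def check_host(host: str, observed: dict, baseline: Baseline) -> dict:
    """Monitor and control: compare one host's observed settings to the baseline.
    Returns unapproved deviations, settings missing entirely, and waivers in use."""
    findings = {"unapproved": {}, "missing": [], "waived": []}
    for key, expected in baseline.settings.items():
        if key not in observed:
            findings["missing"].append(key)       # setting never implemented
            continue
        actual = observed[key]
        if actual == expected:
            continue                              # compliant with baseline
        waiver = baseline.approved_deviations.get((host, key))
        if waiver and waiver["value"] == actual:
            findings["waived"].append(key)        # deviation is documented and approved
        else:
            findings["unapproved"][key] = {"expected": expected, "actual": actual}
    return findings


def check_fleet(observed_by_host: dict, baseline: Baseline) -> dict:
    return {h: check_host(h, o, baseline) for h, o in observed_by_host.items()}


# Constructed sample baseline covering the kinds of parameters CM-6 mentions
# (service settings, ports, remote connections, account policy).
SAMPLE_BASELINE = Baseline(
    settings={"ssh.PermitRootLogin": "no", "ssh.Port": 22,
              "audit.enabled": True, "password.min_length": 14},
    approved_deviations={("db01", "ssh.Port"): {
        "value": 2222, "justification": "waiver WAIVER-CONSTRUCTED-1: legacy jump host"}},
)
SAMPLE_OBSERVED = {  # constructed scan results for two hosts
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.Port": 2222,
             "audit.enabled": True, "password.min_length": 14},
    "web01": {"ssh.PermitRootLogin": "no", "ssh.Port": 22, "audit.enabled": False},
}

if __name__ == "__main__":
    for host, result in check_fleet(SAMPLE_OBSERVED, SAMPLE_BASELINE).items():
        print(host, result)
```

In the sample, db01’s non-standard SSH port is accepted because a waiver is on file, while its root-login setting and web01’s disabled auditing are reported as unapproved deviations.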

ConfigOS: Automation that gets you compliant, fast.

The good news is that NIST 800-53’s Configuration Management control family also notes that automation support enables currency, completeness, accuracy, and availability of the system’s baseline configurations. SteelCloud’s ConfigOS enables organizations to achieve compliance fast while reducing the staffing and time costs associated with system hardening.

Our automated tool scans your systems against the Security Technical Implementation Guides (STIGs), tells you the number of compliant controls you have in place, remediates any non-compliant configurations, and allows you to document your waivers for easier review in the future. ConfigOS provides easy-to-use automation that not only gets you compliant but keeps you compliant.

For more information about how SteelCloud’s ConfigOS can harden your systems and keep you compliant, contact us for a demo today.