The rapidly advancing technological capabilities of hostile actors, together with the growing diversity of threats and risks, led to the creation of the NIST SP 800-53 security standard in 2005. Its latest update, NIST SP 800-53 Rev 5, compiled by the NIST Information Technology Laboratory (ITL) in September 2020, was developed to further NIST's responsibilities under the Federal Information Security Modernization Act (FISMA). It provides a catalog of privacy and security controls for all US Federal Information Systems (FIS), except those systems that deal with national security.
What is NIST SP 800-53?
It is an exhaustive set of privacy and security controls designed by the US Department of Commerce and the National Institute of Standards and Technology to protect digital platforms, including general-purpose computing systems, smart, cloud, and mobile systems, Internet of Things devices, and industrial systems, from threats and risks. These threats include, but are not limited to, hostile attacks, natural disasters, human error, and foreign intelligence activity. The standard was designed to integrate with other cybersecurity and risk management standards, and in particular to fit within the Federal Information Processing Standards (FIPS) framework. Although the controls were designed for FIS, they can be adopted by any organization that processes sensitive or confidential information. The NIST security and privacy controls are organized into 20 control families. These families give organizations guidance on classifying the types of data they create, collect, process, store, and transmit.
Who Must Adhere to NIST SP 800-53?
These standards are mandatory for all federal information systems and organizations; they are also required for all organizations that work, or want to work, with federal agencies and the government. They can also be adopted by non-federal and private organizations that want a robust and secure information security framework. NIST guidelines are considered the gold standard, embodying best practices for developing, safeguarding, maintaining, and improving information systems. In addition, being NIST 800-53 compliant gives organizations a solid framework that can be reused to comply with other regulations, such as PCI DSS, HIPAA, GDPR, and many more.
What’s New In NIST Special Publication 800-53 Revision 5?
NIST Special Publication 800-53 has been revised five times to keep up with developments in information security and privacy. The latest update came in September 2020, after a gap of 7 years, and it included significant changes:
- Terminology: The term “Federal” was removed from the title, opening up the document for non-federal and private organizations. It was done to motivate them to use the standard and prescribed guidelines. “Information System” was replaced by “System,” opening up the application to various systems such as IoT devices, industrial systems, and general systems.
- Privacy: The revision places greater emphasis on privacy and unifies the privacy and security controls, creating a tighter set of controls for organizations and systems. The driving force behind this is the surge of global data privacy laws such as GDPR, PIPEDA, and CCPA.
- Integration: Fosters integration between different cybersecurity approaches, including the NIST Cybersecurity Framework.
- Control Categories: Adds various controls to address new and upcoming challenges, including controls for PII (Personally Identifiable Information) processing and transparency.
- Focus: The revision emphasizes the outcome rather than the entity implementing the control. It makes it easier for non-federal and private organizations to adopt these standards.
It is important to note that NIST 800-53 Revision 5 came after many global data privacy laws were enacted. The enhanced focus on data privacy indicates that NIST Special Publication 800-53 is looking to address these concerns. In addition, data sanitization is an essential aspect of these privacy laws and features prominently in them, so it naturally has a significant space in NIST 800-53.
Data Sanitization In NIST 800-53 Security & Control Families:
Data sanitization renders stored data on a device completely irrecoverable by any means, and it features prominently in various security and privacy controls in NIST Special Publication 800-53. Let’s take a look at the various controls and their guidelines for data sanitization:
Access Control (Section 3.1):
Information flow enforcement (AC-4)
Organizations must ensure that data sanitization is performed before information is transferred between different security domains, so that the data is protected against viruses, ransomware, and other harmful code or content (malicious content, malicious code, malicious code augmentation, steganography-encoded data, and spillage of sensitive information) that could damage or sabotage it.
Configuration Management (Section 3.5):
Baseline Configuration (CM-2)
Organizations must apply additional controls to devices, including computers and mobile devices, that are used in high-risk locations outside the organization, such as reconfiguring the devices to protect them from threats. For example, computers should have sanitized hard drives, a minimal set of applications, and stringent settings.
Maintenance (Section 3.9):
Controlled Maintenance (MA-2)
Organizations must ensure proper equipment sanitization before leaving the premises for maintenance, repair, or replacement. In addition, the organization must define the information that needs to be sanitized.
Maintenance Tools (MA-3)
Organizations must ensure that no data remains on any equipment scheduled for maintenance; they should ensure this by sanitizing that equipment using methods advised by NIST.
Nonlocal Maintenance (MA-4)
Organizations preparing for off-site maintenance of their assets must ensure that the asset's data has been sanitized before the asset is disconnected from the system. The asset must also be sanitized once the scheduled maintenance has been completed, to ensure that no malicious or harmful software is present on it before it is plugged back into the system.
Maintenance Personnel (MA-5)
Organizations must ensure that personnel who undertake maintenance or diagnostics on equipment hold the required clearance for that task. If such personnel do not hold that clearance, the organization must sanitize all sensitive information before giving them access.
Media Protection (Section 3.10):
Media Storage (MP-4)
Organizations must clearly distinguish between the various media they use, both digital and non-digital. These media must be securely stored and kept under the physical control of the organization until they reach their end of life. Once the organization no longer requires them, they must be sanitized and destroyed using NIST-approved methods.
Media Sanitization (MP-6)
Organizations must employ sanitization techniques corresponding to the sensitivity and security category of the data before the media is disposed of, released, or reused.
The control requires organizations to apply nondestructive sanitization techniques to portable storage devices before connecting such devices to the system.
Non Destructive Sanitization of Portable Storage Devices

| Storage Type | Examples | Sanitization Method |
|---|---|---|
| External | Peripherally Attached Storage, USB, Firewire | "Overwrite media using organizationally approved and tested overwriting technologies/methods/tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used." (NIST SP 800-88 Revision 1) |
| Removable | HDD, SSD, NVMe | Same Clear procedure as above |
| Optical Discs | Rewritable CD, Rewritable DVD, Rewritable Blu-ray Disc | Same Clear procedure as above |
| Flash Storage Devices | Memory Card, Memory Stick, Compact Flash Drive, DRAM | Same Clear procedure as above |
| Magnetic Storage | ATA/SCSI, Floppy Disc | Same Clear procedure as above |
Media Downgrading (MP-8)
Organizations looking to downgrade their media for release outside of the organization must ensure that no residual information is left on the media device. The tools employed should be decided per the media’s security category and the information’s classification status. In addition, the media’s sanitization must ensure that the information is not retrievable or cannot be reconstructed.
System and Communications Protection (Section 3.18):
Information in Shared System Resources (SC-4)
Organizations must ensure that pre-defined procedures, including sanitization of digital information, are in place for when processing levels change because of multilevel processing or the reuse of hardware across different classification levels.
NIST-approved data sanitization methods are defined in NIST SP 800-88, which recommends Clear, Purge, and Destroy techniques for achieving data sanitization. The technique must be chosen based on the type of storage media and the sensitivity level of the information. A software-based approach is recommended for achieving permanent, irrecoverable data wiping for most media types and security levels. Overwriting software such as BitRaser can achieve the desired data sanitization on all media types while following the standard prescribed by NIST.
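The "Clear" procedure quoted in the table above (one pass of a fixed value, such as all zeros) and the software-based overwriting recommended here can be illustrated with a small script. The following is an added example, not code from the article, from NIST, or from any vendor product; it operates on a regular file so it can be run safely, and adds the full read-back verification that SP 800-88 expects after a Clear.

```python
import os
import tempfile

# Added example (not from the article or NIST): a minimal implementation of the
# SP 800-88 Rev 1 "Clear" procedure, overwriting every byte of a target with a
# fixed value and then verifying by reading the whole target back.
# It works on an ordinary file path; os.path.getsize() reports 0 for a block
# device, so a real wiping tool must query the device size separately.

CHUNK_SIZE = 1 << 20  # 1 MiB write/read granularity


def clear_overwrite(path: str, fill: int = 0x00, passes: int = 1) -> int:
    """Overwrite the whole target with `fill` for `passes` passes; return target size."""
    if not 0 <= fill <= 0xFF:
        raise ValueError("fill must be a single byte value")
    if passes < 1:
        raise ValueError("Clear needs at least one overwrite pass")
    size = os.path.getsize(path)
    pattern = bytes([fill]) * CHUNK_SIZE
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK_SIZE, remaining)
                f.write(pattern[:n])
                remaining -= n
            os.fsync(f.fileno())  # make sure the pass reached stable storage


    return size


def verify_clear(path: str, fill: int = 0x00) -> bool:
    """Full verification: every byte must equal `fill`; any mismatch fails the Clear."""
    pattern = bytes([fill]) * CHUNK_SIZE
    with open(path, "rb", buffering=0) as f:
        while True:
            block = f.read(CHUNK_SIZE)
            if not block:
                return True
            if block != pattern[: len(block)]:
                return False


def demo_clear(size: int = 3 * CHUNK_SIZE + 123) -> tuple:
    """Constructed demo: fill a temp file with random data, Clear it, verify."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))  # constructed "sensitive" content
    before = verify_clear(path)
    written = clear_overwrite(path)
    after = verify_clear(path)
    os.remove(path)
    return before, written, after
```

The odd-sized demo file exercises the partial final chunk, which is where naive overwrite loops typically leave residual bytes.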
Conclusion:
In today's world, the greatest threats to businesses and organizations come from the digital domain, and no one is safe. Risks are abundant, and the only way to have a chance is to be prepared; that is where the NIST SP 800-53 guidelines come in. Organizations must step up their stance on information security and comply with NIST if they want to stay nimble and effective. With over 1000 controls, it offers comprehensive guidance based on FIPS 199 worst-case impact analysis, which can give any organization the knowledge and tools to counter rising cybersecurity threats, privacy breaches, malware attacks, and human error.