An introduction to security and privacy controls

Explaining NIST’s 800-53 control families for information systems and organizations

What are the NIST controls?

Federal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute of Standards and Technology (NIST) defines these controls in a special publication (SP) called NIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations.

To use, buy, or build software for the government, you need authorization to operate (ATO). A huge part of that process is documenting how you are addressing the controls in your system security and privacy plan (SSPP). During the ATO process, assessors determine what controls apply to a given system. The higher the risk of the system, the more controls apply. Then, the team responsible for that system needs to document those considerations and prove that it has taken those security measures into account.

For an overview of ATOs, read An introduction to ATOs.

Why worry about controls?

Understanding the controls is an important part of the ATO process, specifically when writing a system security and privacy plan. With hundreds of controls, approaching ATOs can be quite daunting. That’s why it’s good to start off with an overview of the controls.

The controls are grouped by topic, and those topics are called families. Next, we’ll explore each control family and what kind of considerations that control family focuses on.

Meet the family

The three-column table below lists the 20 control families alphabetically by their two-character ID (identification code). Security and compliance folks often refer to the controls by this ID. For each, the ID is linked to the full list of controls for that family.

The second column provides the full name of the control family. The third column provides a plain language description of the control to give you a feel for what kind of security concern that control family covers.

| ID | Control family | Plain language description |
|----|----------------|----------------------------|
| AC | Access Control | Have policies that define who can access information and systems. |
| AT | Awareness and Training | Train staff on IT safety practices, such as annual security training and phishing exercises. |
| AU | Audit and Accountability | Make sure you are creating and monitoring necessary logs and keeping records for the amount of time that they should be kept. You need policies to establish these practices and to produce evidence that you follow these actions. |
| CA | Security Assessment and Authorization | This describes most of the ATO process. |
| CM | Configuration Management | This includes policies and procedures for how software is approved and deployed. It defines who can make decisions and what policies or constraints prevent others from making unauthorized changes. It also covers creating a system inventory to document what you have and keeping that up to date. |
| CP | Contingency Planning | Being able to recover if your system goes down or isn't working. You accomplish this by having the policies, technologies, testing, and training on how to recover your system. |
| IA | Identification and Authentication | How you verify the identity of the users of your system and how your users log into your system. |
| IR | Incident Response | Have policies and procedures to respond to a cyber attack. Have people and tools to respond to data breaches and attacks. |
| MA | Maintenance | Who is responsible for system maintenance. For example, approving and monitoring security software and keeping packages up to date. |
| MP | Media Protection | Policies, procedures, and tools to keep media secure. Media includes records of data; this could be a wide range of storage options, such as paper or electronic. |
| PS | Personnel Security | Policies and procedures about people's access to information and systems. Making sure people are cleared and trained to access information. People should lose system access when they leave. |
| PT | PII Processing and Transparency | When you can collect PII and how you need to protect PII. This includes giving people a privacy notice and consent to collection. |
| PE | Physical and Environmental Protection | This includes things like locking doors and keeping buildings and access to servers secure. |
| PL | Planning | Policies and procedures about system security plans, rules of engagement, and other planning for your system. |
| PM | Program Management | Policies and procedures about managing your broader cyber security environment. This includes things like security and privacy training, data governance, and management structures. |
| RA | Risk Assessment | Determining how much risk your system presents. Evaluating what the implications are if your system went down, if data was exposed, or if data was tampered with. Looking at the privacy risk of your system and looking for threats. |
| SA | System and Services Acquisition | Covers requirements for acquisition, software development, and system management tools. |
| SC | System and Communications Protection | Availability protections against things like DDoS. Security features like network boundaries, encryption, and DNS protections. |
| SI | System and Information Integrity | Monitoring your system to look for data breaches. |
| SR | Supply Chain Risk Management | Preventing and looking for tampering of upstream components of your system. |

You may have noticed that many of the controls require the efforts of your whole team. To get them on board, it helps to describe the larger objectives of your policies and procedures. Taking the time to explain controls can help everyone better contribute to your system’s security and compliance. View NIST’s Cybersecurity and Privacy Reference Tool for more on control families.
