Using NIST 800-53 to Interpret NIST CSF

Published by Bill David

The NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework (NIST CSF), has become a very popular guideline for building and improving a cybersecurity program. The NIST CSF is voluntary guidance aiming to help organizations better manage and reduce cybersecurity risk. It is organized into 5 Functions (Identify, Protect, Detect, Respond, and Recover), which are defined by 23 Categories and 108 Subcategories. Each NIST CSF Subcategory is enhanced with one or more informative references. Chief among those informative references is NIST SP 800-53 Rev. 4.

About NIST 800-53 Rev. 4

NIST Special Publication 800-53 is a comprehensive catalog of cybersecurity controls originally designed for government agencies and associated vendors. It is commonly referred to as NIST SP 800-53 or simply NIST 800-53; its complete title is Security and Privacy Controls for Information Systems and Organizations. 800-53 has become a popular choice for organizations in search of a comprehensive control catalog.

Although NIST is working on 800-53 Revision 5, the latest official release is still Revision 4, which was published in April 2013. Because NIST 800-53 is a comprehensive standard with controls that are intended to be applied situationally based on analysis of risk, it is more granular than NIST CSF. 800-53 Rev. 4 includes 256 distinct controls and 666 control enhancements.

NIST 800-53 controls are helpful when interpreting NIST CSF

Many of the 108 Subcategories in NIST CSF are broad in their implications and require interpretation when performing an assessment of your cybersecurity program or when planning improvements. For example, PR.AC-5 (the fifth subcategory in the Identity Management, Authentication and Access Control Category in the Protect Function in NIST CSF) says, “Network integrity is protected (e.g., network segregation, network segmentation),” which could be accomplished by a number of specific controls.

The informative references listed for PR.AC-5 include three controls from NIST 800-53: AC-4, AC-10, and SC-7. Selecting and implementing from these 800-53 controls is a sound way to interpret and implement the Subcategory.

NIST CSF stats with cross-reference to 800-53 stats

The following table summarizes the count of CSF Categories, Subcategories, and 800-53 references by CSF Function.

As you can see from the table, 800-53 controls are referenced a total of 472 times across NIST CSF Subcategories. Those references cover 199 distinct controls, so each referenced control appears an average of 2.4 times. Out of the 256 distinct controls in 800-53, a total of 199 (78%) are named as informative references in CSF Subcategories.

Two 800-53 controls are tied as being the most referenced in CSF:

  1. 800-53 Rev. 4 CP-2: Contingency Plan is included as an informative reference for 20 NIST CSF Subcategories
  2. 800-53 Rev. 4 IR-4: Incident Handling is also included as an informative reference for 20 NIST CSF Subcategories

The CSF Subcategory with the most 800-53 references is PR.PT-4, “Communications and control networks are protected,” which refers to 21 NIST 800-53 controls.
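The statistics above (total references, distinct controls, average references per control, catalog coverage, most-referenced controls and the Subcategory with the most references) are simple tallies over the Subcategory-to-control mapping. The following Python is an added illustration of how to compute them and to look up which Subcategories a given control helps interpret; it is not code from the post or from Axio360. Only the PR.AC-5 entry is taken from the post; the SAMPLE-* entries are constructed data, not the real CSF mapping.

```python
from collections import Counter

# Informative-reference mapping: CSF Subcategory -> NIST SP 800-53 Rev. 4 controls.
# PR.AC-5 is the mapping quoted in the post; the SAMPLE-* entries are
# CONSTRUCTED for illustration only and are not the real CSF mapping.
CSF_TO_800_53 = {
    "PR.AC-5": ["AC-4", "AC-10", "SC-7"],
    "SAMPLE-A": ["CP-2", "IR-4", "SC-7"],
    "SAMPLE-B": ["CP-2", "IR-4"],
    "SAMPLE-C": ["CP-2", "AC-4", "IR-4", "SC-7", "AC-10"],
}

TOTAL_800_53_CONTROLS = 256  # distinct Rev. 4 controls, as stated in the post


def reference_stats(mapping, catalog_size=TOTAL_800_53_CONTROLS):
    """Tally the cross-reference statistics the post reports for the full CSF."""
    counts = Counter(ctrl for refs in mapping.values() for ctrl in refs)
    total_refs = sum(counts.values())          # every Subcategory -> control link
    distinct = len(counts)                     # controls referenced at least once
    top = max(counts.values())
    return {
        "total_references": total_refs,
        "distinct_controls": distinct,
        "avg_refs_per_control": round(total_refs / distinct, 1),
        "catalog_coverage_pct": round(100 * distinct / catalog_size),
        # ties are reported together, as CP-2 and IR-4 are in the post
        "most_referenced_controls": sorted(c for c, n in counts.items() if n == top),
        "busiest_subcategory": max(mapping, key=lambda sub: len(mapping[sub])),
    }


def subcategories_for(mapping, control):
    """Reverse lookup: which CSF Subcategories cite a given 800-53 control."""
    return sorted(sub for sub, refs in mapping.items() if control in refs)


if __name__ == "__main__":
    for key, value in reference_stats(CSF_TO_800_53).items():
        print(f"{key}: {value}")
    print("SC-7 interprets:", subcategories_for(CSF_TO_800_53, "SC-7"))
```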

The following table shows the count of NIST SP 800-53 Rev. 4 controls referenced in NIST CSF, organized by NIST CSF Function and 800-53 Control Families.

Using NIST 800-53 to interpret NIST CSF in Axio360

Top 3 Benefits of using 800-53 references for NIST CSF in Axio360:

  1. Axio360 allows the end user to navigate the NIST CSF Functions, Categories, Subcategories, and informative references in a seamless manner.
  2. NIST SP 800-53 Rev. 4 informative references are displayed in-line and with hyperlinks in the assessment user interface, which makes it easy to review the 800-53 control language while assessing the implementation of CSF Subcategories.
  3. The notes functionality facilitates keeping track of which 800-53 controls were used in the interpretation and scoring of each NIST CSF Subcategory.

NIST CSF Assessment Interface in Axio360 with Informative References Shown


How to get started with NIST CSF in the Axio360 platform

If you’d like to experience the complete functionality of NIST CSF in Axio360 and discuss your particular use case, our experts are standing by. You can book a demo here.


About the author: Bill David is a Director of Cyber Risk Engineering at Axio.