Planet’s position that cybersecurity ‘compliance’ is being able to prove security to people who matter is central to this discussion. The framework of what constitutes proof within the Executive Branch of the US Federal Government is the National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations. NIST was first released 800-53 in 2005 and its revision 5 is the newest iteration of this publication.
NIST 800-53 is a catalog of ‘controls’ from which organizations can choose. NIST and other Executive Branch directives provide agencies and departments guidance on how to pick and even provide standardized selections for low, moderate, and high-impact information technology environments. This is the same catalog that the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) uses.
There are obvious differences between NIST 800-171 and 800-53 that start at the number of applicable controls for a low, moderate, or high impact system (FedRAMP specifies 125, 325, 421 respectively)—compared to 110 for CMMC. NIST also spreads those controls across 20 control families instead of 14. Importantly, 800-53 addresses confidentiality as well as integrity and availability of systems and data within those systems. Like CMMC, control counts are not the whole story. NIST 800-53 uses assessment procedures to evaluate whether a control is ‘satisfied’—or not. For low, moderate and high impact FedRAMP systems there are 488, 566, and 733 respectively. These counts can vary based on control selection within an organization, especially if they are not pursuing FedRAMP attestation themselves. As a rule of thumb, organizations implementing 800-53, if they must submit to 3rd party assessment or choose to do so, generally get a bit more flexibility in alternative implementations for security controls. They also tend to have a bit more flexibility in adding deficiencies to their Plan of Actions and Milestones (POAM) as well as having enduring entries on their POAMs where the organizational leadership choose to accept the residual risk of a finding.
Within the cybersecurity communities of interest, NIST 800-53 is almost universally thought of as the most thorough of all security frameworks. That thoroughness comes at the expense of resources to build and maintain a security program able to continuously satisfy 450+ to 700+ individual forms of assessment. The resources are not just administrative controls such as policies, processes, procedures, etc. There are more technical resources required to address the demands for controls supporting data integrity and data availability requirements.
Linear interpolation has no nuance while remaining useful. A NIST 800-53 Low security program will require approximately 40% more resources than a NIST 800-171. A moderate impact program requires more than 77% while a high-impact program requires 130% more resources than.
Like 800-171 and CMMC, the foundations of 800-53 remain, write what you do, do what you write, and be able to prove it. The breadth and depth of the controls are broader, more demanding, and can generally increase leadership’s confidence in the security of their information across multiple dimensions.