Organizations may benefit from greater understanding of the difference between and appropriate use of NIST 800-53 vs. NIST 800-171, especially when it comes to understanding which framework is required by law or applicable under vendor due diligence.
Marketplace Confusion: Vendor Due-Diligence Often Drives Implementation
The proliferation of NIST 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” as the de facto security framework for organizations that choose to follow federal standards or for organizations doing business with the government has created some confusion in the marketplace.
One of the primary areas of tension is vendor due diligence.
Many organizations are receiving blanket requirements from prospective clients to align with NIST 800-53. These requests are often part of a vendor management checklist that does not distinguish between organization type, associated risk, or the original intent of the NIST 800-53 framework. Vendors then face a choice: align with NIST 800-53 or risk losing work.
The blanket alignment to NIST 800-53 is likely due to lack of marketplace understanding of other options. In short, organizations have heard of and trust NIST 800-53, but they have not heard of NIST 800-171.
So which framework is right for your organization?
NIST 800-53: Federal Information Systems and Organizations
Special Publication NIST 800-53 is a 462-page framework that consists of a defined risk-based approach to building a security and privacy control framework. NIST 800-53 offers detailed guidance on security risk management and also offers a control catalog of 212 controls (the number of applicable controls varies from 157 to 212 based on a low, medium, or high risk ranking) that organizations should consider when building their own security program.
Insight: Most organizations jump straight to the 212 controls, but it may not be appropriate or feasible to align to all 212 controls. Instead, organizations should start by determining an appropriate scope and approach to designing a right-sized control framework.
While organizations can always choose to align to NIST 800-53, NIST 800-53 was designed for “Federal Information Systems and Organizations” and may not be required, feasible, or appropriate for non-federal organizations.
Insight: Some small service organizations performing relatively low-risk functions have been devastated while trying to align with NIST 800-53. Blanket requirements from clients force alignment to NIST 800-53 or risk losing business. In most situations, NIST 800-171 may be a more appropriate framework for service organizations.
NIST 800-171: Nonfederal Systems and Organizations
The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
Insight: If your organization stores or has access to CUI, NIST 800-171 is probably the relevant framework for your organization. If customers or prospects are asking about NIST 800-53, it may be worth a conversation to clarify which framework is appropriate for your organization and why.
Let’s Get Started
If your organization is facing challenges implementing and demonstrating compliance with NIST 800-53 or NIST 800-171, contact one of our professionals and learn more about how we can simplify the process.