Video Activity

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Video Transcript

Welcome back to Cybrary. Of course, I'm your instructor, Brad Rhodes. Let's jump into NIST Special Pub 800-53, and these are our security controls. In this video, we're going to look at the RMF again. That probably shouldn't surprise you. We're going to talk about security controls and then we're going to do an example, an application of a security control, in this case, access control. There are two charts on this particular slide.

One, you should be familiar with: this is the RMF security life cycle. We talked about this. You need to memorize this chart. You need to understand that we categorize, we select, we implement, we assess, we authorize, and we monitor. You will note on this chart, each one of the areas where we're going to do that is specified in a NIST publication or a FIPS manual, and this chart is super handy because it shows you which ones apply to which of those areas. When you're thinking about the use of content and you need to, say, study security controls, in this case here where we're at in this particular lesson, you're going to go to NIST Special Pub 800-53. Now, the second chart on this slide is a defense-in-depth diagram. We start, and you can start at the top or the bottom. We'll start at the top. We have the perimeter or edge of our organization.

Within that perimeter, we have our network, which connects hosts. On the hosts are your applications, which ultimately access data. There are security controls in 800-53 for data. There are certain controls for applications, there are certain controls for hosts, networks, and the perimeter. If you need an idea of a security control, and those could be a technical control, a non-technical control, preventive, detective, whatever, you're going to find those controls in 800-53. Here are the security controls that you will find in 800-53. You'll notice there's access control, contingency, there's incident response, maintenance controls, plan and control, risk assessment, services and system acquisitions, all of these things, these are all controls.

These IDs are actually tied out to very specific controls in each of these areas that you will find in 800-53. You don't need to memorize all of them. But it helps to understand that when you see something that says the AU-1 control is dealing with audit and accountability, you need to know that AU is the ID for the audit and accountability category. Very important to understand each of these different IDs. Let's do a quick access control example. If you notice, here's a control number, here's the control name. This is a direct cut out of 800-53 to get you familiar with that. You can see there are lots of controls here. There's access control, there's least privilege, there is session lock, there's terminate. When you think about, say, hardening a system, protecting a system, the controls are literally listed for you.

You don't have to reinvent the wheel. It's very important to understand that NIST gives you the ability to grab controls and then figure out what you're going to use in your organization. In the access enforcement area, when we get a little deeper in there, we find things like MAC and DAC, and RBAC, and TBAC. Well, those are our access control models where, when you remember, mandatory access control is specified for the users. Discretionary access control is that the users can specify that themselves. Role-based is unique because that's where we get to the granular level of, okay, user Bob is an administrator, so he's going to get a certain set of things based on his role, and user Frank is just a power user, so he's going to get a certain amount of things.

Rule-based is a little bit different than role-based. Rule-based is based on the data. What systems and what data do you need access to and why do you need access to it? Maybe those rules could be inclusive of access at a certain time, during certain work hours, during certain shifts, so that makes the management and tracking of, say, IAAA a lot easier. Then of course, task-based. Let's say that you have somebody that you hire and what they do is babysit and run your scripts. Great, well guess what? You could give them task-based access control, so that's all they can do. Lots of ways to do that. But all of these types of controls are listed in the access enforcement control in 800-53.

In this lesson, we reviewed again the RMF, that security life cycle; you should memorize that particular chart and the flow. We talked about security controls and where they come from and the types, and of course there's a laundry list of them, which is great. If you don't know where to start with security controls, start with NIST 800-53. Then of course we talked about access control, RBAC, TBAC, the other RBAC, [LAUGHTER] mandatory access control, discretionary access control in our access control example. We'll see you next time.
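The access enforcement models the lesson walks through (MAC, DAC, role-based, rule-based, and task-based), shown as an added example that is not part of the course or of NIST SP 800-53. It assumes constructed sample data: users Bob, Frank and Carol, an "administrator" and a "power_user" role, a "nightly_backup" task, a business-hours shift rule, and two resources. The point it demonstrates beyond the lesson is how the models compose in one deny-by-default decision: MAC and rule-based checks act as gates that can only deny, while RBAC, task grants and the owner's DAC list are the only places a grant can come from.

```python
"""Deny-by-default access enforcement combining several access control models.

Added example (not from the course or from NIST SP 800-53). All users, roles,
tasks, rules and resources below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Role-based (RBAC): a role maps to a fixed set of (resource kind, action) pairs.
ROLE_PERMISSIONS = {
    "administrator": {("server", "read"), ("server", "write"), ("server", "restart")},
    "power_user": {("server", "read"), ("server", "write")},
    "script_runner": set(),  # no standing rights; gets access only through a task
}

# Task-based (TBAC): a grant tied to a job, not to who the person is.
TASK_GRANTS = {
    "nightly_backup": {("script", "execute")},
}


@dataclass
class ShiftRule:
    """Rule-based: access is permitted only inside a time window (24h clock)."""
    start_hour: int  # inclusive
    end_hour: int    # exclusive

    def allows(self, when: datetime) -> bool:
        return self.start_hour <= when.hour < self.end_hour


@dataclass
class Resource:
    name: str
    kind: str
    owner: str
    acl: dict = field(default_factory=dict)    # DAC: owner-managed user -> actions
    rules: list = field(default_factory=list)  # rule-based constraints
    label: int = 0                             # MAC: sensitivity label (higher = more sensitive)


@dataclass
class Subject:
    user: str
    roles: set
    tasks: set
    clearance: int = 0  # MAC: must dominate the resource label


def decide(subject: Subject, resource: Resource, action: str, when: datetime):
    """Return (allowed, reason). Nothing is allowed unless a check grants it."""
    # MAC gate: set by the system, not by the owner or the user.
    if subject.clearance < resource.label:
        return False, "MAC: clearance below resource label"
    # Rule-based gate: every environmental rule on the resource must hold.
    for rule in resource.rules:
        if not rule.allows(when):
            return False, "rule: outside permitted window"
    # Positive grants, checked in order; first match wins.
    need = (resource.kind, action)
    if any(need in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles):
        return True, "RBAC grant"
    if any(need in TASK_GRANTS.get(task, set()) for task in subject.tasks):
        return True, "task grant"
    if action in resource.acl.get(subject.user, set()):
        return True, "DAC grant by owner"
    return False, "no grant (deny by default)"


def at_hour(hour: int) -> datetime:
    """Constructed timestamp helper so callers do not need to build datetimes."""
    return datetime(2024, 1, 15, hour, 0)


# Constructed sample data.
BUSINESS_HOURS = ShiftRule(8, 18)
PROD_SERVER = Resource("prod-db-01", "server", owner="alice", rules=[BUSINESS_HOURS], label=1)
BACKUP_SCRIPT = Resource("backup.sh", "script", owner="alice", acl={"carol": {"read"}})

BOB = Subject("bob", roles={"administrator"}, tasks=set(), clearance=1)
FRANK = Subject("frank", roles={"power_user"}, tasks=set(), clearance=1)
CAROL = Subject("carol", roles={"script_runner"}, tasks={"nightly_backup"}, clearance=0)

if __name__ == "__main__":
    for subj, res, action, hour in [
        (BOB, PROD_SERVER, "restart", 10),    # RBAC grant
        (FRANK, PROD_SERVER, "restart", 10),  # power user lacks restart
        (BOB, PROD_SERVER, "restart", 22),    # admin, but outside shift window
        (CAROL, BACKUP_SCRIPT, "execute", 3), # task-based grant, no role needed
        (CAROL, BACKUP_SCRIPT, "read", 3),    # DAC grant from the owner's ACL
        (CAROL, PROD_SERVER, "read", 10),     # MAC denies before anything else
    ]:
        allowed, reason = decide(subj, res, action, at_hour(hour))
        print(f"{subj.user:6} {action:8} {res.name:12} {hour:02d}:00 -> {allowed} ({reason})")
```

The ordering matters for least privilege: the MAC and rule-based checks run first and can only deny, so an administrator role never overrides an out-of-hours rule, and a DAC entry the owner adds never lets a lower-clearance user past the label. Carol's only positive grants come from her task and from Alice's ACL, which is the narrow "run my scripts" scope the lesson describes.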

Intermediate
Course link:
Information Systems Security Engineering Professional (ISSEP)
Build upon your CISSP certification by getting the specialized credential of the Information Systems Security Engineering Professional (ISSEP) training. By mastering the five ISSEP domains focused on developing secure systems, you can demonstrate that you have deep subject matter expertise in your field.
Instructed by
Brad Rhodes

I am Brad Rhodes, Cybrary Instructor! I work for zvelo, the best URL content classification company in the business helping to make work safer for everyone.