
NIST 800-53: Gateway to a global success strategy


Mukund Cadambi

Director, Advisory Services

August 11, 2025

With a clearer roadmap emerging for FedRAMP 20x, organizations should explore establishing a common security control baseline, coupled with agile governance motions, that can stand the test of regulatory and commercial cybersecurity requirements worldwide, not just within the US. With maximizing that potential at the very top of every CISO’s agenda, NIST 800-53 will be “that” singular reference. Here, we explore its application and feasibility to support just such a case.

A core objective established for FedRAMP 20x, as detailed within this post by Karen Laughton (EVP, Advisory Services, Coalfire), includes leveraging existing commercial standards to pave an easier and cheaper path for Cloud Service Providers (CSPs). While this may be a lofty goal, the PMO is hurtling towards completing the pilot program for low impact CSPs by the end of 2025.

However, this does not mean that every organization with a commercial compliance program is a shoo-in to achieve success via this program. While every cybersecurity scheme may contain the essential elements for Governance, Risk and Compliance, the prescriptiveness and audit stringency of a regulatory framework requires a far more resilient approach than “industry best practice”. Enter NIST 800-53 rev 5.

Enhancing commercial frameworks

The globally popular Information Security Management System standard, ISO/IEC 27001:2022, provides a risk-based approach to designing, implementing and managing information security controls, and provides a selection menu within its Annex A that only briefly describes the controls. Ideally, the accompanying ISO/IEC 27002:2022 “Information security, cybersecurity and privacy protection — Information security controls” document should be consulted to establish a conformant management system. Alternatively, organizations should consider adopting the very prescriptive NIST 800-53 rev 5 control requirements as the depth of implementation for applicable controls, to establish a singular GRC program that offers strong governance and security best practices extending far beyond the guidance within ISO/IEC 27002:2022.

With the industry trending squarely towards establishing measurable Key Security Indicators (KSIs), NIST 800-53 rev 5 also provides a wide choice of measurable controls that can help fulfill the requirements of Clause 9.1 “Monitoring, measurement, analysis and evaluation” of ISO/IEC 27001:2022.

Automation in Continuous Monitoring, another key tenet of FedRAMP 20x, may yet prove the biggest challenge to this pilot vision. One can acknowledge this as being the most mature state of security operations for any organization, and possibly the most expensive. However, the idealized governance model of the ISMS standard offers direction for top management to plan, direct, support and improve operations to achieve this desired state (Clause 5 and Clause 9 of ISO/IEC 27001:2022).

The inherently deep relationship between the AICPA SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 ensures organizations can then easily leverage the established governance practices and the strong security baseline to identify organizational controls that will be represented within the independent service auditor’s report.

In a similar vein, the CSA STAR Cloud Controls Matrix (CCM) has direct mappings to NIST 800-53 rev 5, paving the path to demonstrating global regulatory compliance. The recognition of the CSA CCM by Italy’s ACN as a minimum security baseline, and of the CSA STAR Level 2 certification as demonstrable evidence of compliance for critical and strategic suppliers, is another strong argument in support of higher security baselines.

Global regulatory schemes

Empirical evidence suggests that high security baseline requirements worldwide are either directly mapped to or derived from NIST 800-53, owing to its sheer coverage of information security for various types of systems and its very prescriptive approach to reducing vulnerabilities.

The Australian Signals Directorate’s Information Security Manual (ISM), which supports the regulatory requirement of the Infosec Registered Assessors Program (IRAP), is a direct descendant of NIST 800-53 rev 5, with further parallels to the FedRAMP program reflected within the requirements to achieve an Authority to Operate (ATO). Taking a step further, the Government of Canada pays homage to NIST 800-53 (albeit rev 4) and FedRAMP as the inspiration for its scheme for acquiring cloud computing services, the Canadian Centre for Cyber Security (CCCS) Cloud Security Profiles.

Exploring further, the cybersecurity requirements for public sector cloud services across more jurisdictions, such as Japan’s Information System Security Management and Assessment Program (ISMAP) and Singapore's Multi-Tier Cloud Security (MTCS) standard, can all be traced back to NIST 800-53 roots, with a requisite governance scheme like ISO/IEC 27001:2022 helping to provide the administrative support expected by the respective authorities.

As these worldwide schemes continue to be modelled after the United States, the vision established with FedRAMP 20x should have downstream effects across the globe, particularly regarding automation, continuous monitoring and the management of significant changes.

Conclusion

While there may still be an elevated initial investment, particularly in tools and technologies, the value of reducing incidents, increasing GRC maturity to make the offering more attractive to all buyers, and the opportunity to qualify for public sector services around the world should compel organizations to consider the ideas explored above. The logical approach for any organization running a commercial program would be to quickly compare and contrast it against the NIST 800-53 rev 5 requirements, to establish a roadmap to mature towards.

The traditional approach of maintaining multiple GRC teams to support commercial and regulatory frameworks has often been a significant detractor for many organizations, raising the barrier to entry for public sector offerings. However, with the piloting of a slimmed-down approach to CSP onboarding, and the synergies anticipated with commercial frameworks, organizations should look to embrace a true best-of-breed approach to Governance, Risk Management and Compliance in order to become a worldwide supplier.