The new NIST 800-53 Rev 5 has over one thousand controls.
Let that sink in - over one thousand individual controls.
Of course, as the sophistication of cyber-attacks has increased over the years, there is a need to raise the requirements and controls for federal information security, including the effective management of security controls for each information system. However, the control set has expanded significantly since its initial publication, leaving many teams scrambling to meet the new requirements of NIST SP 800-53. Many of these teams rely on the NIST 800-53 controls spreadsheet and too often manage their assessments out of spreadsheets.
With the complexity of the 800-53 control set, security leaders could be wasting valuable time and effort by not implementing a platform to help streamline the process. For guidance on assessing compliance and understanding the role of authorization in the NIST 800-53 assessment process, see the NIST 800-53 Control Assessment Questions.
NIST Special Publication 800-53 (SP 800-53) is a foundational resource for organizations seeking to implement robust security and privacy controls for information systems and organizations. As a comprehensive control catalog, SP 800-53 provides detailed guidance on the selection and implementation of controls for information systems, ensuring that both security and privacy objectives are met. The latest revision, SP 800-53 Rev. 5, released in September 2020 and updated as of December 10, 2020, reflects the evolving landscape of cybersecurity risks and technology. This revision includes updates that address new threats and provide organizations greater flexibility to tailor controls to their specific needs.
SP 800-53 Rev. 5 is widely recognized across the cybersecurity community and is referenced in numerous frameworks and compliance programs, including the FedRAMP security controls baseline. The publication emphasizes both the functionality and assurance of security and privacy controls, helping organizations build trustworthy information systems. By following the control catalog outlined in SP 800-53, organizations can better manage risks, achieve compliance, and support the ongoing assurance of their security and privacy programs.
During the assessment itself, we have seen teams working out of spreadsheets tackle the division of labor in two ways: either breaking down the control set and distributing a separate spreadsheet to assessors, or running the same spreadsheet, possibly via a file-sharing service.
Cloud service providers, particularly those seeking FedRAMP compliance, also encounter these spreadsheet-related challenges when managing NIST 800-53 controls. The FedRAMP Program Management Office updated the FedRAMP documentation and templates to reflect the changes in NIST SP 800-53 Rev. 5.
Significant adverse ripple effects result from both approaches, which we will address in the post-assessment analysis and reporting phases. However, working in spreadsheets results in the same static, potentially disjointed efforts that many users of GRC cybersecurity systems encounter. From our conversations with customers who forwent purchasing a GRC and ran spreadsheets until they started using CyberStrong, many information security leaders didn't see a process difference between spreadsheets and legacy GRC tools. Especially in the assessment phase, whether the control set is broken up or not, the process in a spreadsheet and in a GRC is eerily similar.
The silos and incongruencies result in wasted time and effort on the part of assessment teams. However, using an integrated solution like CyberStrong can enable teams to collaborate and conduct the cyber risk assessment in a single source of truth. Individuals across IT risk, compliance, vendor risk, and audit can add valuable assessment information to the platform without fragmenting the assessment.
However an organization that uses spreadsheets decides to tackle an 800-53 assessment, some effects appear in the aggregation and analysis of the results post-assessment.
In the case where an organization broke down the 1000+ controls into separate spreadsheet documents for each team to work on, the challenge of aggregation is clear: compiling what can be tens of spreadsheets into a single document, while also needing to chase down each document at the due date.
Supplemental material, such as additional documentation or resources, is often referenced during aggregation and analysis to provide further context or ensure the accuracy of assessment results.
In cases where we work off a single spreadsheet passed around, we have seen and heard a few stories where this has worked seamlessly. Instead, the version control nightmare scenario kicks into effect, and suddenly hundreds of emails have to be sifted to determine the most up-to-date version of the document. When organizations use a file-sharing service like Box or SharePoint, the risk exists that the most up-to-date version is not even in the shared location.
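The aggregation and version-control problems described above can be made concrete with a small consolidation script. This is an added example, not CyberStrong's code or anything from the original post: it assumes each team hands back a CSV with the columns control_id, status, assessor and last_updated (an ISO 8601 timestamp), merges the sheets into one view, keeps the most recently updated row per control, and flags the two failure modes the text mentions: controls on which two sheets disagree, and controls that nobody assessed. The sheet contents, assessor names and the expected-control list are constructed sample data.

```python
"""Consolidate per-team NIST 800-53 assessment sheets into one view.

Added example (not CyberStrong's code). Assumes each team exports a CSV with
the columns control_id,status,assessor,last_updated; the column names and the
sample rows below are constructed for illustration.
"""
import csv
import io
from datetime import datetime

# Constructed sample: three sheets, as three teams might hand them back.
# AC-2 appears in two sheets with different statuses (a version conflict);
# IR-4 is in scope but missing from every sheet.
TEAM_SHEETS = {
    "it-risk.csv": """control_id,status,assessor,last_updated
AC-1,implemented,alice,2024-03-01T09:00:00
AC-2,partially implemented,alice,2024-03-02T10:30:00
""",
    "compliance.csv": """control_id,status,assessor,last_updated
AC-2,implemented,bob,2024-03-04T08:15:00
AU-2,implemented,bob,2024-03-03T16:45:00
""",
    "audit.csv": """control_id,status,assessor,last_updated
AU-2,implemented,carol,2024-03-03T16:45:00
CM-6,not implemented,carol,2024-03-05T11:00:00
""",
}

# Constructed subset of the control catalog the assessment was scoped to.
EXPECTED_CONTROLS = {"AC-1", "AC-2", "AU-2", "CM-6", "IR-4"}


def parse_sheet(name, text):
    """Parse one team's CSV export; normalise ids and statuses so
    'ac-2' and 'AC-2' (or 'Implemented' and 'implemented') compare equal."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "control_id": rec["control_id"].strip().upper(),
            "status": rec["status"].strip().lower(),
            "assessor": rec["assessor"].strip(),
            "last_updated": datetime.fromisoformat(rec["last_updated"].strip()),
            "source": name,
        })
    return rows


def consolidate(sheets, expected):
    """Return (merged, conflicts, missing).

    merged:    control_id -> the most recently updated row for that control
    conflicts: control ids on which two sheets disagree about status
    missing:   in-scope controls that no sheet assessed at all
    """
    merged = {}
    conflicts = set()
    for name, text in sheets.items():
        for row in parse_sheet(name, text):
            cid = row["control_id"]
            prev = merged.get(cid)
            if prev is None:
                merged[cid] = row
                continue
            if prev["status"] != row["status"]:
                conflicts.add(cid)  # two teams reported different answers
            # Keep the newest row, but the disagreement is recorded regardless.
            if row["last_updated"] > prev["last_updated"]:
                merged[cid] = row
    missing = set(expected) - set(merged)
    return merged, sorted(conflicts), sorted(missing)


def summarize(sheets=TEAM_SHEETS, expected=EXPECTED_CONTROLS):
    """Roll the merged view up into the numbers a manager would report."""
    merged, conflicts, missing = consolidate(sheets, expected)
    by_status = {}
    for row in merged.values():
        by_status[row["status"]] = by_status.get(row["status"], 0) + 1
    return {
        "assessed": len(merged),
        "conflicts": conflicts,
        "missing": missing,
        "by_status": by_status,
    }


if __name__ == "__main__":
    report = summarize()
    print(f"assessed controls: {report['assessed']}")
    print(f"status breakdown:  {report['by_status']}")
    print(f"conflicting:       {report['conflicts']}")  # ['AC-2']
    print(f"never assessed:    {report['missing']}")    # ['IR-4']
```

Run against the constructed sheets, the script reports four assessed controls, AC-2 as a conflict (the compliance team's newer "implemented" wins over the IT-risk team's "partially implemented", but the disagreement is still surfaced rather than silently overwritten), and IR-4 as never assessed. Pointing the same functions at real exports only requires reading the files into the `sheets` mapping.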
Rather than tasking managers with chasing down multiple documents and spending the time aggregating or checking a single document for accuracy, CyberStrong streamlines the entire process by allowing teams to work across the organization from a single location and deliver automated reporting without aggregation. This saves managers time on the backend and improves the efficiency of cyber risk analysis.
Finally, moving up the chain of command, there is reporting on the assessment and the broader program's health to business-side leadership. The value of an assessment is inversely correlated with the time that has passed since the assessment was completed. The nature of assessments conducted in spreadsheets and legacy GRC systems is that they are essentially outdated as soon as they are completed. Then layer on top of that the amount of time it takes to process the results (as discussed in part two), and the assessment is almost useless.
Many organizations have been aiming for continuous assessment for years. However, frankly, the technology did not exist to feasibly support the dedication required to implement continuous assessment at scale. Spreadsheets, as we have seen, are too sporadic, and modular GRC systems lack the technology to support the integrated approach necessary to achieve it.
NIST Special Publication 800-53 Revision 5 integrates security and privacy controls into a single, comprehensive catalog and shifts the focus to outcome-based controls. The structure of NIST 800-53 Revision 5 is designed to manage risk through a robust Risk Management Framework (RMF).
Now, though, CyberStrong enables automated risk assessments using deep integrations that update control scores in real time using existing tech stack data from solutions already in use within an information security program. Furthermore, CyberStrong's fully customizable Executive Cybersecurity Dashboard provides real-time insight into the information security program's posture.
To learn more about how CyberStrong can support your cyber risk management plan, click here to schedule a conversation.
As organizations grow and their information systems become more complex, managing the extensive set of NIST SP 800-53 controls presents significant challenges. The sheer volume of controls—now exceeding 1,000—can overwhelm even the most experienced security and privacy teams. This complexity is further compounded when organizations attempt to manage their security and privacy programs using traditional tools like spreadsheets.
Spreadsheets, while familiar, are not designed to handle the dynamic and collaborative nature of modern privacy programs. When multiple teams are involved in assessments, working with different data formats and large datasets can quickly lead to confusion and errors. The lack of real-time collaboration and the risk of working with outdated information can undermine the effectiveness of security and privacy controls, increasing the risk of non-compliance and security incidents. As a result, organizations may find their assessment processes are inefficient, their data is fragmented, and their ability to respond to emerging risks is compromised. To keep pace with the demands of NIST SP 800-53 and ensure that security and privacy controls are appropriately managed, organizations need solutions that support scalability, collaboration, and consistency across all assessments.
To overcome the limitations of spreadsheets and support the entire security and privacy control lifecycle, organizations are turning to integrated platforms that facilitate automation, collaboration, and improved data visualization. These platforms are designed to handle the complexity of SP 800-53, enabling teams to manage assessments, implementation, and ongoing compliance from a single, unified environment.
By leveraging an automated platform, organizations can streamline communication and ensure that all stakeholders are aligned throughout the assessment process. Support for multiple data formats, including comma-separated values and traditional spreadsheet formats, allows seamless integration with existing supplemental materials and other frameworks. Tools for control enhancement, risk identification, and compliance monitoring help organizations proactively address risks and maintain up-to-date security and privacy programs.
With automation and real-time data visualization, these platforms provide greater flexibility and support for information systems and organizations, making it easier to adapt to new revisions and updated supplemental materials from NIST SP 800-53. Ultimately, adopting an integrated platform ensures that security and privacy controls are appropriately managed, risks are identified and mitigated efficiently, and organizations remain compliant with the latest standards and best practices.