NIST SP 800–53 Rev.5 SECURITY CONTROLS in PLAIN LANGUAGE

Cheryl Abram
5 min read · May 25, 2024

In the list below you’ll read original plain language high-level descriptions of the 20 control families alphabetically by their two-character ID (identification code). For each, the ID is linked to the full list of controls for that family.

Next to the ID is the full name of the control family, then a plain language description of the control to give you a quick, easy to understand idea of the kind of security influence that control family has on information and/or information systems.

I’ve taken on this project because, as you can see from the LinkedIn post below, I was struggling to find plain-language explanations of security controls. When you’re new to GRC and RMF, the official descriptions can feel like trying to read a foreign language. It takes several attempts to truly grasp what each control requires, and if you’re new to the federal government, it’s even worse! You practically need subtitles, a translator, and a Duolingo course!!!!!

Knowing I wasn’t alone in this struggle, and having gained a deeper understanding of these controls since my initial post, I decided to create a plain-language version myself. My goal is to tackle one control family per month, so stay tuned for more jargon-free explanations!

  1. AC: Access Control: Only authorized people and processes can access and move around the system, but even then — they can’t trash the place!
  2. AT: Awareness & Training: Empower your team with knowledge & skill, not just rules. Make security awareness an engaging experience, demonstrating how their choices directly impact the company’s digital security. Ongoing training ensures everyone stays sharp and security-conscious.
  3. AU: Audit & Accountability: Maintain a detailed digital diary of every action within your systems — who logged in, what they changed, and every click. It’s like a security camera for your digital realm, ensuring transparency and holding everyone accountable.
  4. CA: Assessment, Authorization, & Monitoring: Think of this as your IT checkup. Regularly assess your security measures to ensure they’re in top shape. Spot a problem? Create a treatment plan. New systems need a thorough vetting before joining the network, and ongoing monitoring keeps them “healthy”.
  5. CM: Configuration Management: Be the master of your cyber space. Control how updates and changes are made, and set the gold standards for software use. Manage your systems’ evolution to maintain order and performance.
  6. CP: Contingency Planning: Be prepared, not petrified! Have a solid plan in place for when things go wrong, ensuring business continuity and a swift return to normalcy. It’s like having an insurance policy for your digital assets. Ensure operations continue during disruptions and quickly bounce back once you’ve recovered.
  7. IA: Identification & Authorization: It’s a two-step verification dance: First, determine who or what is at the door trying to access your system (identification). Then, check their credentials and confirm their right to enter (authorization). Think of it as a digital bouncer checking IDs and guest lists at the club door.
  8. IR: Incident Response: Prepare for hiccups or major meltdowns. Have a detailed action plan that outlines detection, analysis, containment, and recovery. Document everything and communicate clearly with all stakeholders.
  9. MA: Maintenance: Regular maintenance is like a spa day for your systems. Keep them running smoothly with tune-ups and fixes, but only let authorized personnel handle the tools.
  10. MP: Media Protection: Guard your information like a treasure. Control access to both digital and physical records and ensure that when it’s time to let go, you do so securely, leaving no trace behind.
  11. PE: Physical & Environmental Protection: Secure your physical assets as fiercely as your digital ones. Limit access to authorized people, safeguard facilities, and be sure critical utilities like power and climate control are protected from disruptions and threats.
  12. PL: Planning: Draw the blueprint of your security strategy. Clearly outline protective measures and let users know what you expect so you can maintain a strong security posture.
  13. PM: Program Management: Stay on top of the administrative side of security. Ensure compliance with laws, policies, and regulations at the organizational level.
  14. PS: Personnel Security: Trust, but verify. Ensure your team, including external contractors, is trustworthy and reliable. Protect sensitive information throughout their tenure, and enforce consequences for security breaches.
  15. PT: PII Processing & Transparency: Handle personal information with the utmost care. Be transparent about how you collect and use it, obtaining consent from individuals and respecting their privacy.
  16. RA: Risk Assessment: Risk is uncertainty that matters. Think of this as a crystal ball for your IT systems. Regularly assess how the use of your IT systems could put your organization’s mission, reputation, assets, information, and employees at risk.
  17. SA: System and Services Acquisition: Make wise choices when acquiring new systems and services. Ensure you have the right resources for security throughout their lifecycle, and only purchase from reputable vendors that meet your security standards.
  18. SC: System & Communications Protection: Keep a watchful eye on all data traffic flowing in and out of your systems, like a border guard. Use strong architectural and engineering practices to secure communications within and outside your network.
  19. SI: System & Information Integrity: Stay vigilant. Quickly detect, report, and fix vulnerabilities. Deploy strong defenses against malware and stay informed about security threats to keep your systems healthy and secure.
  20. SR: Supply Chain Risk Management: Ensure the trustworthiness of your supply chain. Implement stringent security measures for all third-party products and services, minimizing risk and ensuring the integrity of your operations.

CONCLUSION

FYI, it’s important to understand what a security control really is. Security controls are not merely tools that harden systems and lock things down. They are much more than that. Think of security controls as change agents. They empower their owners by allowing them to manage and control their information and the systems that handle this information.

Consider this: malicious attackers aren’t primarily interested in the raw information within your system. What they are really after are your controls. Without access to these controls, they can’t manipulate, harness, or exploit the information or the systems that process it. It’s the controls that enable them to do what they do, making your controls the real target!

[Image: A robber reaching for the controls rather than the money]

For instance, consider the security controls around an online banking system. These controls don’t just lock down your financial data; they manage who can view, transfer, or manipulate your funds. If a malicious attacker gains control over these, such as the ability to authorize transactions or alter account settings, they have the power to redirect funds or access sensitive financial information. It’s not just about accessing the data — it’s about controlling it.
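To make the banking example concrete, here is a small added model (written for this article, not NIST's or any bank's code) that ties together the AC, AU and IA items above with the point that the control is the real target. The users, roles, account names and balances are constructed for illustration. The key design choice is that the right to change who holds permissions is a separate, audited permission, so an attacker who steals an ordinary user's access can neither move money nor quietly grant themselves the ability to.

```python
"""Added example (not from the article): a toy online-banking authorization
control in which the control itself is protected and audited.
All names, roles and balances below are constructed for illustration."""
from dataclasses import dataclass, field

# Permissions. MANAGE_CONTROLS is deliberately separate from VIEW/TRANSFER:
# being able to use the data never implies being able to change the control.
VIEW, TRANSFER, MANAGE_CONTROLS = "view", "transfer", "manage_controls"


@dataclass
class Bank:
    balances: dict = field(default_factory=dict)   # account -> balance
    grants: dict = field(default_factory=dict)     # user -> set of permissions
    audit: list = field(default_factory=list)      # AU-style record of every decision

    def _check(self, user: str, perm: str) -> None:
        """IA/AC: decide whether `user` holds `perm`, and log the decision either way."""
        allowed = perm in self.grants.get(user, set())
        self.audit.append((user, perm, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{user} lacks {perm}")

    def view(self, user: str, account: str) -> int:
        self._check(user, VIEW)
        return self.balances[account]

    def transfer(self, user: str, src: str, dst: str, amount: int) -> None:
        self._check(user, TRANSFER)
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def grant(self, actor: str, target_user: str, perm: str) -> None:
        """Changing the control is itself a controlled, audited action."""
        self._check(actor, MANAGE_CONTROLS)
        self.grants.setdefault(target_user, set()).add(perm)


def demo():
    """Constructed scenario: 'mallory' has obtained view-only access.
    Returns (alice's balance, number of denied actions, denied permissions)."""
    bank = Bank(balances={"alice": 100, "mallory": 0},
                grants={"alice": {VIEW, TRANSFER}, "admin": {MANAGE_CONTROLS}})
    bank.grants["mallory"] = {VIEW}

    # Stolen view access does not let the holder move money ...
    try:
        bank.transfer("mallory", "alice", "mallory", 50)
    except PermissionError:
        pass
    # ... nor let them rewrite the control to give themselves transfer rights.
    try:
        bank.grant("mallory", "mallory", TRANSFER)
    except PermissionError:
        pass

    # A legitimate control change by the control owner succeeds and is logged.
    bank.grant("admin", "alice", MANAGE_CONTROLS)

    denied = [entry for entry in bank.audit if entry[2] == "deny"]
    return bank.balances["alice"], len(denied), [entry[1] for entry in denied]


if __name__ == "__main__":
    balance, denials, perms = demo()
    print(f"alice balance={balance}, denied actions={denials}, perms={perms}")
```

Reading the audit list after `demo()` shows both denied attempts by name, which is exactly the accountability the AU family asks for: the failed attempt to change the control is as visible as a failed attempt to move funds.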

I’ll dive deeper into this topic in a future article, so stay tuned for more insights on how security controls are the actual “target”, often in ways you might not expect.
