by Josef Weiss
February 16, 2024
The National Institute of Standards and Technology (NIST) develops many standards that are available to all industries. A common set of standards is the NIST 800-53 Revision 4. This report summarizes all the families outlined in the NIST Special Publication 800-53r4. The publication consists of a number of families, and each family contains security controls related to the general security topic. Each security control was designed to help organizations, both private and public, to select the controls best suited to protect mission critical services. Implementing these controls properly can aid in the defense against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
The NIST families and controls are not a checklist-type compliance standard like HIPAA, PCI, or CSF; rather, they are a catalog of controls that are used in achieving compliance with the aforementioned standards. Using this report can assist the organizations in understanding how they currently meet various standards. Each family has a component which provides a summary of all checks that are supported using audit files. Each component provides details on severity levels and counts for each control.
This report covers all the NIST families currently supported by Tenable audit files, which provide the results of an audit check as one of multiple severity levels. The audit results are displayed as a pass, fail or other. The informational severity level is considered a pass. The pass is achieved when the configuration setting matches the expected result of the audit check. The match can be a defined value or a range of values. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. Results other than a pass or fail (Errors/Warnings) may not mean a failure. Each item should be reviewed and verified to ensure the expected result is correct. If the expected result is not correct, then the audit file should be modified and the scan should be run again.
The elements in this report use audit files (released after 1 July 2013), which incorporate the reference tag that maps many audit checks to a respective standard. In the case of this report, the audit files must contain '800-53' in the Reference Information of the applicable audit check.
Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable.io discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this report are: Tenable Vulnerability Management (formerly Tenable.io)
Chapters:
- Executive Summary - This chapter contains three elements which provide a high level overview summarizing results outlined in the NIST Special Publication 800-53r4.
- Framework Result Summary - This chapter summarizes all the families outlined in the NIST Special Publication 800-53r4.
- Control Summary - This chapter provides compliance results for each control family within the compliance standard.
- Audit Check Type Summary - This chapter provides compliance results for hosts within the compliance standard.
- Access Control - This chapter provides organizations with information which specifically measures against the compliance standards related to the Access Control (AC) family of 800-53.
- Audit and Accountability - This chapter provides organizations with information which specifically measures against the Audit and Accountability (AU) family of 800-53.
- Awareness and Training - This chapter provides organizations with information which specifically measures against the Awareness and Training (AT) family of 800-53.
- Configuration Management - This chapter provides organizations with information which specifically measures against the compliance standards related to the Configuration Management (CM) family of 800-53.
- Contingency Planning - This chapter provides organizations with information which specifically measures against the compliance standards related to the Contingency Planning (CP) family of 800-53.
- Identification and Authentication - This chapter provides organizations with information which specifically measures against the compliance standards related to the Identification and Authentication (IA) family of 800-53.
- Incident Response - This chapter provides organizations with information which specifically measures against the compliance standards related to the Incident Response (IR) family of 800-53.
- Maintenance - This chapter provides organizations with information which specifically measures against the compliance standards related to the Maintenance (MA) family of 800-53.
- Media Protection - This chapter provides organizations with information which specifically measures against the compliance standards related to the Media Protection (MP) family of 800-53.
- Planning - This chapter provides organizations with information which specifically measures against the compliance standards related to the Planning (PL) family of 800-53.
- Program Management - This chapter provides organizations with information which specifically measures against the compliance standards related to the Program Management (PM) family of 800-53.
- Risk Assessment - This chapter provides organizations with information which specifically measures against the compliance standards related to the Risk Assessment (RA) family of 800-53.
- Security Assessment and Authorization - This chapter provides organizations with information which specifically measures against the compliance standards related to the Security Assessment and Authorization (CA) family of 800-53.
- System and Communications Protection - This chapter provides organizations with information which specifically measures against the compliance standards related to the System and Communications Protection (SC) family of 800-53.
- System and Information Integrity - This chapter provides organizations with information which specifically measures against the compliance standards related to the System and Information Integrity (SI) family of 800-53.
- System and Services Acquisition - This chapter provides organizations with information which specifically measures against the compliance standards related to the System and Services Acquisition (SA) family of 800-53.