As more public-sector agencies and their partners move to the cloud, NIST Special Publication 800-53 revision 4 (rev. 4), published by the National Institute of Standards and Technology, remains the primary standard for security controls in federal information systems.
Join DLT, one of the nation’s top providers of IT solutions, Amazon Web Services (AWS), and Evident.io in this webinar, where these experts will exchange perspectives on what NIST 800-53 rev.4 compliance means for government agencies and private organizations alike.
In this blog, David Rubal, Chief Data and Analytics Technologist at DLT, Tim Sandage, senior security partner strategist at Amazon Web Services, and Sebastian Taphanel, federal solutions architect at Evident.io, discuss what NIST 800-53 rev.4 compliance is and how to address the challenges this set of regulatory security standards brings.
Q: Who needs to think about NIST 800-53 rev.4 Compliance?
[David Rubal] Any organization that needs to pursue and maintain FedRAMP Authorization / FISMA Certification / DoD SRG / NIST 800-171 (Protection of Controlled Unclassified Information) / ICD 503, etc. In short, anyone working with the Federal Government, including Federally Funded Research Grants, Federal System Integrators, etc.
Q: What’s the perspective from the agency side?
[Tim Sandage] NIST 800-53 rev.4 is the ‘gold standard’ for federal security controls. Prior to AWS, Agencies owned their data centers and all associated hardware/software that ran on it. The tools used to keep an eye on the infrastructure services may not work the same way in the Cloud. Cloud Native solutions are specifically designed to meet the demand, growth, and elasticity required by a Cloud-enabled organization. Agent-based solutions don’t have access to the AWS API which manages the AWS customer infrastructure services for an Agency workload running in AWS. Without accessing the AWS API, there is a lack of visibility and transparency to what is really going on within an AWS customer environment.
Q: How does this apply to private organizations?
[Sebastian Taphanel] Some Private Organizations are contractually mandated to follow NIST 800-53 rev.4. Additionally, depending on the type of Risk Management Framework and overall maturity of their respective Risk Program, some private organizations may choose to follow NIST RMF (SP 800-37) and its associated Controls (SP 800-53 rev.4), as it is both comprehensive and well-documented. It should be noted that some smaller private organizations with limited resources sometimes opt for NIST Controls as a ‘catch all’ approach to managing their overall risk, in lieu of trying to manage several Risk Frameworks simultaneously.
Q: What are the challenges of achieving NIST compliance using NIST 800-53 rev.4 in AWS?
[Sebastian Taphanel] Understanding the scope of AWS services, shared responsibility and the inheritance of controls a customer can leverage from the authorizations granted to AWS: Inheriting AWS Controls does NOT get your system compliant. They help, but they are specific to data center security controls (e.g. Physical, Environmental and Maintenance). The Scope of AWS services which are authorized may also be challenging for some agencies, as authorizing officials may only accept in-scope AWS FedRAMP accredited services within a customer authorization. Lastly, the AWS shared responsibility model should be reviewed, as agencies are responsible for implementing many of the NIST 800-53 rev.4 controls within their customer environment.
HINT: AWS is constantly adding to their list of Certified / Accredited AWS Services; keep your eyes open for updates! See: AWS Services in Scope by Compliance Program
However, the Customer must still do their own due diligence and document how they intend to meet the NIST security controls in a continuous manner. Without a solution that actually captures changes to AWS Resources / Services in a real-time manner, getting to a state of Compliance and more importantly, maintaining it, is a real challenge. Fortunately, Evident.io can help to do both.
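As an added illustration of the two points above (inherited controls do not make a system compliant, and compliance has to be re-evaluated on every captured resource change), here is an example in Python that is not Evident.io's or AWS's code. The control IDs are real NIST 800-53 rev.4 identifiers; the snapshot format, resource names and check logic are assumptions constructed for the example.

```python
"""Continuous-compliance checks over constructed AWS resource snapshots, mapped to
NIST 800-53 rev.4 control IDs. Added example; not Evident.io or AWS code."""
import ipaddress
# Controls a customer can inherit from AWS's own authorization (physical/environmental
# and maintenance families); everything else the customer must implement and evidence.
INHERITED_FROM_AWS = {"PE-3", "PE-13", "MA-2"}

def split_responsibility(required):
    """Inheritance helps, but every customer-owned control still needs evidence."""
    req = set(required)
    return {"inherited": sorted(req & INHERITED_FROM_AWS),
            "customer": sorted(req - INHERITED_FROM_AWS)}

def check_security_group(sg):
    """SC-7 boundary protection: flag ingress reachable from the whole Internet."""
    return [("SC-7", sg["id"], f"port {r['port']} open to {r['cidr']}")
            for r in sg["ingress"]
            if ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0]

def check_bucket(b):
    """SC-28 protection of information at rest: default encryption must be enabled."""
    return [] if b["default_encryption"] else [("SC-28", b["name"], "no default encryption")]

def check_trail(t):
    """AU-2 audit events: the trail must be logging and cover all regions."""
    out = [] if t["logging"] else [("AU-2", t["name"], "logging disabled")]
    if not t["multi_region"]:
        out.append(("AU-2", t["name"], "single-region only"))
    return out

def evaluate(snapshot):
    """Run on every captured change so drift is caught, not only at authorization time."""
    findings = [f for sg in snapshot.get("security_groups", []) for f in check_security_group(sg)]
    findings += [f for b in snapshot.get("buckets", []) for f in check_bucket(b)]
    findings += [f for t in snapshot.get("trails", []) for f in check_trail(t)]
    return findings

# Constructed sample snapshot (hypothetical resource names, not a real account).
SAMPLE = {
    "security_groups": [{"id": "sg-example1", "ingress": [
        {"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]}],
    "buckets": [{"name": "example-data", "default_encryption": False}],
    "trails": [{"name": "org-trail", "logging": True, "multi_region": False}],
}

if __name__ == "__main__":
    for control, resource, detail in evaluate(SAMPLE):
        print(f"{control}: {resource} -> {detail}")
```

Each finding names the customer-owned control it maps to, which is the evidence an assessor expects the customer to produce even though PE and MA controls are inherited.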