Using NIST 800-53 to drive risk appetite
The post discusses NIST 800-53's unique advantage, which can help organizations drive the risk appetite dialogue with control data rather than as a subjective exercise.
6/28/2026, 4 min read
NIST 800-53 is an extensive standard that comprehensively covers security controls across several security domains. It is one of the few standards that has remained the basis for control dialogue both before and after the move to cloud. This post discusses the less obvious, hidden advantage of NIST 800-53: it can help organizations drive a data-driven risk appetite.
NIST 800-53's unique advantage
NIST 800-53 organizes its controls into 20 distinct and comprehensive control families (at the time of writing; link below). Each control family goes into elaborate detail, covering the what, how and why of each individual control along with its assessment procedure. This specificity and depth is of tremendous help to any organization looking for control guidance and assessment, and it is one of the many reasons NIST 800-53 is a great reference for security controls. It is not surprising that other industry standards continue to cross-reference NIST 800-53.
The other significant and less recognized benefit of NIST 800-53 is its application to establishing a risk appetite. As you iterate through the NIST 800-53 control families and controls, you uncover coverage gaps and learn whether the measured control posture aligns with the expected posture. The current posture may differ from the one prescribed by the NIST standard, allowing you to determine whether you want to dial the relevant security control up or down.
Going through the NIST 800-53 control assessment exercise establishes the gap between the current and the desired security control posture. That gap analysis is what drives a meaningful conversation on risk appetite as a whole, one that is structurally organized and driven by a measured posture.
First things first
The NIST 800-53 control families group controls into logically related domains. Given the standard's comprehensive coverage, this categorization makes it easy to focus on the controls for a given domain by dividing the control space into manageable chunks. It also broadly aligns control families with the teams in an organization responsible for implementing them (e.g. the Risk Assessment family for the security assessment team vs. the Identification and Authentication family for the IAM team).
Some overlap of controls between teams is expected, depending on the organizational structure and the roles and responsibilities of the teams involved. The important realization, however, is control ownership. A control on paper is an intent; it does not fulfill its purpose unless it is implemented, measured and verified (that it actually works as intended), and that is where control ownership matters. Control ownership identifies the key stakeholders responsible for ensuring that controls function effectively, demonstrated through measured and verifiable data. Without control verification, the organization may assume a control posture that does not exist in reality, giving a false sense of security.
Determining control effectiveness (to drive risk appetite)
For each control, the assessment yields one of two predictable answers: the control exists or it does not. When it does exist, however, the answer is less binary, which makes an existing control trickier to evaluate; I like to think of this as a measure of control effectiveness. In other words, when a control exists, to what degree does it actually work to provide the necessary coverage, what are the exceptions, and what are its limitations? The following questions help to uncover control effectiveness more formally:
1. In what circumstances does the control not exist or not apply? e.g. MFA exists as a control, but it is not applied universally, only in select circumstances, say the Prod environment but not QA.
2. What happens when the control fails, and how is that detected? Continuing with the same example, if MFA does not work, what alerts are generated?
3. What are the exceptions to the control? e.g. ssh keys as a workaround for alternate access.
4. What is the process for using those exceptions? e.g. can ssh keys be used without limitation, or do they require an established break-glass process?
The responses to these questions inform control effectiveness and any gaps. Some of the "gaps" under #1 can be classified as intentional, since they describe the circumstances in which a control applies or not. Continuing with the MFA example, using MFA for production access only and not for QA may be a reasonable choice for some organizations, while for others it may not be sufficient.
Gaps under #2, #3 and #4, on the other hand, may indicate a problem. To expand on the MFA example: when MFA fails with no alerts and ssh keys are an alternative to MFA without a break-glass process, ssh key use may be prevalent and happening in parallel with MFA, or worse, MFA may not be in use at all despite being enabled. In other words, MFA exists as a control but it is not effective.
Driving risk appetite
The assessment surfaces control gaps on two counts: whether the control exists, and, when it does, how effective it is. Put simply, the gap analysis gives an organization an immediate view of its control posture across a comprehensive set of security controls. This measure of observed risk from the control gap analysis can inform or drive the risk appetite. In other words, risk appetite, often a subjective exercise, can become data-driven through the use of NIST 800-53 controls. Security risk remains a tricky and challenging dialogue when it comes to measurement, so a data-driven approach adds a much-needed maturity dimension to the risk dialogue, through the lens of a well-established, time-tested and recognized NIST standard.
An additional benefit is recognizing gaps in the risk appetite itself, by comparing the desired risk with the observed risk from the control gap analysis. Once a data-driven risk appetite is established, its benefits follow naturally, such as control investments that are transparent, traceable, measurable and optimal.
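As an added example (not code from the original post), the following Python models the four effectiveness questions from the previous section and the desired-vs-observed comparison described here: each control is recorded with its existence, scope, failure alerting, exceptions and exception process; gaps are classified as intentional or problematic; and an effectiveness score is compared with the appetite target to show which controls to dial up or down. The control ids IA-2 and AU-6 are used only as family-style labels, and the scope names, the halving weights and the sample MFA data are constructed assumptions.

```python
"""Illustrative control gap analysis driven by the four effectiveness questions.

Added example, not from the original post. Control ids, scope names, weights
and the sample MFA data are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ControlAssessment:
    """Measured posture of one control, captured via the four questions."""
    control_id: str                                           # e.g. "IA-2" (label only)
    owner: str                                                # team accountable for the control
    exists: bool
    applied_scope: Set[str] = field(default_factory=set)      # Q1: where the control is applied
    expected_scope: Set[str] = field(default_factory=set)     # Q1: where the org expects it
    scope_gap_accepted: bool = False                          # Q1: scope gap declared intentional
    failure_alerting: bool = False                            # Q2: control failure is alerted
    exceptions: List[str] = field(default_factory=list)       # Q3: alternate access paths
    exception_process: bool = False                           # Q4: break-glass governs exceptions


@dataclass
class Gap:
    control_id: str
    question: int   # 0 = control absent, 1..4 = the question that surfaced the gap
    kind: str       # "intentional" or "problem"
    detail: str


def coverage(a: ControlAssessment) -> float:
    """Fraction of the expected scope where the control is actually applied."""
    if not a.expected_scope:
        return 1.0
    return len(a.applied_scope & a.expected_scope) / len(a.expected_scope)


def effectiveness(a: ControlAssessment) -> float:
    """0..1 effectiveness score; the halving weights are an assumption of this example."""
    if not a.exists:
        return 0.0
    score = coverage(a)
    if not a.failure_alerting:                      # Q2: silent failure halves confidence
        score *= 0.5
    if a.exceptions and not a.exception_process:    # Q3/Q4: ungoverned bypass halves it again
        score *= 0.5
    return score


def find_gaps(a: ControlAssessment) -> List[Gap]:
    """Classify gaps: a Q1 gap may be intentional, Q2-Q4 gaps indicate problems."""
    if not a.exists:
        return [Gap(a.control_id, 0, "problem", "control does not exist")]
    gaps: List[Gap] = []
    missing = a.expected_scope - a.applied_scope
    if missing:
        kind = "intentional" if a.scope_gap_accepted else "problem"
        gaps.append(Gap(a.control_id, 1, kind, f"not applied in {sorted(missing)}"))
    if not a.failure_alerting:
        gaps.append(Gap(a.control_id, 2, "problem", "control failure is not alerted"))
    if a.exceptions:
        kind = "intentional" if a.exception_process else "problem"
        gaps.append(Gap(a.control_id, 3, kind, f"exceptions: {', '.join(a.exceptions)}"))
        if not a.exception_process:
            gaps.append(Gap(a.control_id, 4, "problem", "no break-glass process for exceptions"))
    return gaps


def appetite_gap(assessments: List[ControlAssessment], desired: Dict[str, float]) -> Dict[str, float]:
    """Desired minus observed effectiveness per control.

    Positive: observed posture is below the appetite target (dial the control up).
    Negative: the control exceeds what the appetite requires (dial down, or accept).
    """
    return {a.control_id: desired.get(a.control_id, 1.0) - effectiveness(a) for a in assessments}


# Constructed sample: the post's MFA example (ssh keys as an ungoverned bypass)
# next to a control that fully matches its expected posture.
SAMPLE = [
    ControlAssessment("IA-2", owner="IAM", exists=True,
                      applied_scope={"prod"}, expected_scope={"prod", "qa"},
                      failure_alerting=False, exceptions=["ssh keys"],
                      exception_process=False),
    ControlAssessment("AU-6", owner="SecOps", exists=True,
                      applied_scope={"prod", "qa"}, expected_scope={"prod", "qa"},
                      failure_alerting=True),
]
DESIRED = {"IA-2": 0.9, "AU-6": 0.8}   # constructed appetite targets per control


if __name__ == "__main__":
    for a in SAMPLE:
        print(a.control_id, f"owner={a.owner}", f"effectiveness={effectiveness(a):.3f}")
        for g in find_gaps(a):
            print(f"  Q{g.question} [{g.kind}] {g.detail}")
    print(appetite_gap(SAMPLE, DESIRED))
```

Running it shows the MFA control "existing" yet scoring 0.125 against a 0.9 target with four problem gaps, while the fully covered control scores above its target, which is the dial-up/dial-down signal the risk appetite conversation needs. Marking the Prod-only scope as accepted turns the Q1 gap into an intentional one without hiding the Q2-Q4 problems.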
Key takeaways
NIST 800-53 controls give organizations a unique opportunity to leverage a comprehensive, structured set of controls to drive risk appetite. Risk appetite is an important security construct that allows organizations to make risk-informed choices, with security controls as the counterbalance. At times, however, risk appetite suffers from a subjective or assumed view of controls. Using NIST 800-53 controls to measure control posture makes the risk appetite a data-driven dialogue. The key to a meaningful data dialogue lies in evaluating which controls are absent, but with an emphasis on control effectiveness, which is necessary to ensure that the controls present actually function as intended. Finally, a mature risk appetite requires continuous, periodic control assessment.
Ref:
NO AI TRAINING: Without in any way limiting the author’s exclusive rights under copyright, any use of this publication to “train” generative artificial intelligence (AI) technologies is expressly prohibited without author's explicit consent. The author reserves all rights to license uses of this work for generative AI training and development of machine learning language models.
