Understand which cybersecurity framework applies to your organization
Katrina Dalao
Content Marketing Specialist, CIPM, CIPP/E
August 8, 2023
The National Institute of Standards and Technology (NIST) has the tall order of advancing cybersecurity and information technology standards in the U.S. To help deliver its recommendations and guidance, NIST publishes an expansive list of technical reports, industry handbooks, practice guides, and special publications.
The NIST Special Publication (SP) 800 series in particular focuses on computer security. Established in December 1990, it was intended to meet the security and privacy needs of the US federal government’s information and information systems. Since then, the SP 800 series has also been adopted by non-federal organizations to enhance their own cybersecurity posture.
In this article, we cover two prominent publications in the series: NIST 800-53 vs. NIST 800-171. Learn the differences between each framework and how to identify the one that best aligns with your compliance needs.
NIST 800-53 (or NIST Special Publication 800-53) is a publication that establishes cybersecurity compliance standards for US information systems and organizations. It provides a comprehensive and flexible security and privacy control catalog that is not only adaptable to different organizations, but also future-proof against evolving threats and regulations.
NIST 800-53 was designed to be used alongside any existing risk management process, helping organizations achieve adequate security for their information systems and protect the privacy of individuals.
All federal information systems and organizations must comply with NIST SP 800-53. Organizations that don’t conduct business with the federal government aren’t required to comply, but it’s often recommended as a way to strengthen overall security posture and assist in meeting requirements of other regulations, including HIPAA and GDPR.
The security controls included in NIST 800-53 are building blocks for a robust security posture, allowing organizations to select and implement the controls that best suit their system.
NIST 800-53 controls are organized into 20 families based on their function. Examples of control families include Audit and Accountability (AU), Contingency Planning (CP), Physical and Environmental Protection (PE), and System and Services Acquisition (SA).
There are three approaches to implementing NIST 800-53 controls:
Even non-federal organizations can benefit from the guidance offered by NIST 800-53. As a widely recognized cybersecurity framework, compliance can enhance an organization's reputation and prove its commitment to data protection and security.
NIST 800-53 provides a structured approach for a range of cybersecurity areas, while also allowing for flexibility in the way controls are used in different environments.
The framework is also closely tied with two other security guidelines: the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA).
FedRAMP is a standardized security and risk assessment approach for cloud computing and service providers of the federal government and is largely based on NIST 800-53.
FISMA, on the other hand, is a federal law that defines the information security requirements for federal agencies. It mandates agencies to follow NIST guidelines, including NIST 800-53.
With an extensive number of controls, NIST 800-53 can be challenging for smaller organizations or those just starting their cybersecurity journey. Compliance requires significant time and effort to navigate, which can be difficult for teams with limited resources.
NIST 800-53 provides a solid foundation for cybersecurity, but it isn’t a standalone framework.
It lacks industry-specific guidance and organizations in highly regulated industries or sectors may need to supplement with additional standards relevant to their domain.
NIST 800-171 (or NIST Special Publication 800-171) was established as a cybersecurity baseline for all non-federal contractors or organizations that store, process, or transmit Controlled Unclassified Information (CUI).
Based on NIST 800-53, this framework is tailored to the specific requirements of protecting CUI, which is defined as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.”
Examples of CUI are personally identifiable information (PII), proprietary business information, and intellectual property. Although CUI is not classified, breaches of this type of data can still lead to serious consequences.
Any organization that works with the U.S. government, is engaged in a federal contract, or handles CUI in any way must comply with NIST 800-171.
This includes, for example, contractors working with the Department of Defense (DoD), General Services Administration (GSA), or National Aeronautics and Space Administration (NASA). Contractors that fail to comply with NIST 800-171 are not considered secure enough to handle sensitive government information and risk losing their contract.
The security controls in NIST 800-171 help organizations identify and mitigate any risks associated with CUI. As such, they only apply to the components that process, store, or transmit CUI or that provide protection for such components.
NIST 800-171 controls are organized into 14 families, with each family focused on a specific aspect of protecting CUI. Examples of control families include Access Control (AC), Configuration Management (CM), Media Protection (MP), and Risk Assessment (RA).
A system security plan (SSP) explains how non-federal organizations meet — or plan to meet — the security requirements in NIST 800-171. In general, SSPs describe the following elements:
SSPs are typically accompanied by a plan of action that communicates the organization’s implementation and continuous monitoring activities. These two documents are submitted to the federal agency or contracting office to demonstrate the organization's compliance with NIST 800-171.
In most cases, federal agencies consider the SSP and plan of action as critical to deciding whether to process, store, or transmit CUI with the non-federal organization.
In addition to the ability to engage in federal contracts, NIST 800-171 offers a number of benefits for organizations that manage sensitive data.
The framework provides guidance that not only protects CUI, but also other sensitive data assets that are created, processed, transmitted, or stored by an organization.
NIST 800-171 additionally identifies any gaps and weaknesses in cybersecurity programs, helping teams with any remediation of existing security issues. By implementing industry-recognized best practices, organizations can mature and scale their risk management practices and demonstrate compliance to their partners and customers.
The main challenge of NIST 800-171 is that all requirements need to be met in order to achieve compliance. Even though the process is clearly defined and the controls apply only to systems that handle CUI, implementation and maintenance can be a complex undertaking.
NIST 800-171 compliance is proven through self-assessment, and organizations need to allocate enough resources to gather evidence and conduct regular security assessments.
While NIST 800-171 focuses on protecting CUI, it doesn’t cover other aspects of cybersecurity. Additional frameworks and controls are still needed to address a broader range of security risks.
NIST 800-53 and NIST 800-171 are two frameworks that provide security standards for organizations that work with government data. They share a common risk-based approach and security control families.
NIST controls are designed to address various aspects of cybersecurity, including access control, incident response, risk assessment, and system monitoring.
More important than the similarities are the differences between NIST 800-53 and NIST 800-171. The frameworks are intended for entirely different target audiences, types of data, and compliance needs.
When it comes to cybersecurity, NIST 800-171 and NIST 800-53 are both recognized frameworks intended for organizations that deal with sensitive information on behalf of the federal government.
The question of which risk management framework is right for your organization is simple: Are you a federal organization or are you a contractor or subcontractor of a federal organization?
If you’re a federal organization, you’ll need to meet NIST 800-53 requirements. If you’re a non-federal contractor or subcontractor and deal with CUI, you’ll need to comply with NIST 800-171 instead.