Kezia Farnham

Senior Manager

A step-by-step audit and assessment checklist for NIST 800-53A

The NIST 800-53 Security and Control Framework was created to standardize cybersecurity within organizations dealing with critical infrastructure. Since then, organizations across all sectors have adopted the framework as a route toward more robust and structured cybersecurity.

Cybersecurity is an area where good governance and compliance are non-negotiable. Any framework is therefore welcome — and auditing your practices against NIST 800-53A can assure you that your cyber vigilance is as watertight as possible. Having a NIST 800-53a audit and assessment checklist can help optimize this audit and maximize the results.

What is NIST 800-53a?

The National Institute of Standards and Technology (NIST) publishes the NIST 800-53 Security and Control Framework and the updated NIST 800-53A, as well as revisions like NIST 800-53 Rev 5.

What is the difference between NIST 800-53 and 800-53A?

NIST 800-53A is an extension of NIST 800-53. It has been updated to provide additional guidance on assessing the controls required by NIST 800-53.

Latest NIST 800-53A revisions

NIST regularly updates its guidance to reflect changing risks or practices, as in its May 2022 update to its cybersecurity guidance for supply chains. You may see references to NIST 800-53A Rev 3, NIST 800-53A Rev 4 and NIST 800-53A Rev 5.

Revisions are made to the guidelines in order to “improve the quality of the publication;” these updates can include corrections, clarifications or other minor changes. For instance, NIST 800-53 Rev 5 expands the guidance’s scope by adding 66 new base controls, 202 new control enhancements and 131 new parameters to existing controls.

What does NIST 800-53A do?

NIST 800-53A provides a set of procedures that are used to assess security and privacy controls, to support organizational risk management processes. The procedures can be tailored to any organization’s needs, making them flexible and easily customized to fit your organization's requirements.

The NIST 800-53A framework helps organizations move from reactive cybersecurity to a proactive approach that prevents potential cyber threats. This proactive stance is central to today’s pre-emptive modern audit approach.

NIST SP 800-53 Rev 5: What's new?

In September 2020, the NIST released Revision 5 of the NIST SP 800-53 framework. Revision 5 replaces Revision 4. While the versions do have some elements in common, there are very distinct and important differences that cybersecurity teams need to understand to ensure that they’re not missing critical best practices.

The major differences between NIST SP 800-53 Rev 4 and NIST SP 800-53 Rev 5 are:

Emphasized Control Outcomes: The controls structure in Revision 4 focused on common roles in security processes. But not every organization that must follow NIST frameworks have those roles. Revision 5 focuses instead on the outcome of the controls, specifically whether they are compliant with relevant laws, rules and regulations.

More Control Families: Revision 4 included 18 control families that honed in on privacy, bad actors, cloud data and more. Revision 5 expands on this focus across a total of 20 control families. This totals 66 new individual controls and over 100 changes to existing controls. The 20 NIST SP 800-53 Rev 5 control families are:

1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Assessment, Authorization, and Monitoring (CA)
5. Configuration Management (CM)
6. Contingency Planning (CP)
7. Identification and Authentication (IA)
8. Incident Response (IR)
9. Maintenance (MA)
10. Media Protection (MP)
11. Physical and Environmental Protection (PE)
12. Planning (PL)
13. Program Management (PM)
14. Personnel Security (PS)
15. Personally Identifiable Information Processing and Transparency (PT)
16. Risk Assessment (RA)
17. System and Services Acquisition (SA)
18. System and Communications Protection (SC)
19. System and Information Integrity (SI)
20. Supply Chain Risk Management (SR)

Enhanced Privacy Standards: Personally Identifiable Information Processing and Transparency is one of Rev 5’s new control families, and it points to the NIST’s renewed focus on privacy. Revision 5 focuses heavily on privacy, both in how organizations implement controls and in how they structure their systems. This also keeps the NIST standards up-to-date with other privacy laws, like GDPR.

Three Control Baselines: NIST SP 800-53 Rev 5 also included 800-53B, which establishes new control baselines to help organizations protect their data and systems. All controls are then assigned to one of the three baselines so that organizations know how to prioritize controls based on their possible impacts. The new baselines are:

• Low Impact: If they are breached or otherwise compromised, controls in this baseline will have a limited effect on the organization.
• Moderate Impact: If controls in this baseline become compromised, it can have a serious effect on the organization and its operations.
• High Impact: Organizations should expect catastrophic effects if high-impact controls are compromised.

Focus on Third Parties: Revision 5 takes supply chain risk management seriously, and it directly addresses this in one of its new control families. The new control family guides organizations to secure their entire value chain, including how to assess and manage risk associated with third-party vendors.

Prioritizes Teamwork: In most organizations, cybersecurity is a cross-departmental effort. Revision 5 recognizes this by including guidance around collaboration. This includes guidance about assigning specific roles and responsibilities to specific team members and providing training around policies and procedures.

Carrying Out a NIST Assessment and Audit

You may hear the term “NIST assessment.” This tends to refer to a two-step process: you would conduct an audit and follow this up with a risk assessment on the audit’s outcome.

A “NIST audit” determines whether your organization’s standards and controls are sufficient to meet the NIST requirements.

When cybersecurity threats come thick and fast and regulatory compliance is more important than ever, auditing your controls and processes as part of a structured approach to governance makes perfect sense.

As with any process or audit, a checklist can be invaluable in focusing your efforts and ensuring you have covered all bases. What should be included in your NIST 800-53a audit and assessment checklist?

The Definitive NIST 800-53a Audit and Assessment Checklist

Our checklist guides you through a NIST 800-53a audit and assessment in 4 steps:

1. Get familiar with your data. NIST 800-53a compliance requires that you put in place controls to minimize the chances of a cyber breach. To do this, you need to understand where data — particularly sensitive data — is held in your organization and how it flows throughout the organization and to/from suppliers and customers. Identifying and categorizing the data you hold is an essential first step.
2. Map permissions and access to your data. Identifying roles and responsibilities is one of the five key steps in an effective compliance program and ensuring you have granted appropriate data access is an essential part of that. Record details of stored data, internally and on any external servers/in the cloud, and who has access to it.
3. Bolster access controls. Access and application controls are crucial in managing who can see and process the data your organization holds. Multi-factor authentication and zero-trust frameworks are just two ways to reinforce controls around data access.
4. Ensure you have the systems and controls to monitor your NIST 800-53A compliance on an ongoing basis. NIST 800-53A compliance isn’t a one-off exercise; you must consistently follow the guidance to comply. Monitoring access and data will identify any unusual activity or out-of-tolerance events.

There is another step: Perhaps not strictly one for a NIST 800-53a audit and assessment checklist, but you should also use the audit process as an opportunity to drive improvements.

In addition to giving you a clear picture of the data in your organization, your audit may spark continuous improvement ideas. For instance, it might lead you to consider whether implementing a zero-trust architecture would strengthen your approach or, in the case of external suppliers, revisit your third-party risk management strategy.

View your audit as a way of not just checking compliance, but identifying ways to refine and tighten up your cybersecurity processes, moving from compliance to proactive risk management.

Modernize your approach to NIST 800-53A auditing and audit overall

Hopefully, our NIST 800-53a audit and assessment checklist will help structure your approach to NIST 800-53A auditing and compliance.

If you’d like to read more about how you can take a modern audit approach to your organization, you can download a copy of our guide to Modernizing Your Internal Audit Infrastructure Checklist for businesses or for public sector. The checklist will help you optimize your audit team’s efficiency and maximize the audit team's impact within your organization.