NIST SP 800-53 R4 & R5 Cybersecurity Program Documentation
NIST SP 800-53 R5 Update
NIST recently released NIST SP 800-53 Rev5, but it did not co-release NIST SP 800-53B, which is the document that identifies the assignment of NIST SP 800-53 R5 controls into low, moderate, high and privacy baselines. We are waiting for guidance on when NIST will release NIST SP 800-53B, since that is a key component we need to publish updated Written Information Security Program (WISP) policies and standards. We plan to release two (2) NIST SP 800-53 R5 versions of the WISP:
- NIST SP 800-53 R5 Low & Moderate Baseline (LM) WISP - this will contain the low & moderate baselines for both NIST SP 800-53 R5 & FedRAMP
- NIST SP 800-53 R5 Low, Moderate & High Baseline (LMH) WISP - this will contain the low, moderate & high baselines for both NIST SP 800-53 R5 & FedRAMP
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
What Is The NIST 800-53 Written Information Security Program (WISP)?
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The WISP contains NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format:
- Each of the NIST 800-53 families has a policy associated with it.
- Under each of the policies are standards that support the NIST 800-53 baselines.
- The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
- The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
- Just as Human Resources publishes an “employee handbook” to let employees know what is expected of them from an HR perspective, the WISP does this from a cybersecurity perspective.
What Problem Does The WISP Solve?
- Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The NIST-based WISP is an efficient method to obtain comprehensive NIST 800-53 based security policies and standards for your organization!
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The WISP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance frameworks so you can clearly see what is required!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provide mappings to leading security frameworks to show you exactly what is required to both stay secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The WISP provides this evidence!
How Does The WISP Solve It?
- Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The WISP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - The NIST-based WISP is written to align your organization with NIST 800-53 rev4!
NIST SP 800-53 R5 Written Cybersecurity Documentation - Robust Approach To Cybersecurity
As a preview, the twenty (20) NIST 800-53 R5 Written Information Security Program (WISP) policies together create a comprehensive cybersecurity framework, based on NIST 800-53 R5 and organized by the FIPS 199 Management, Operational and Technical categories:
The Most Comprehensive NIST 800-53 R5-Based IT Security Documentation
This Is How NIST 800-53 Cybersecurity Documentation Is Meant To Be Structured!
ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 companies that have dedicated cybersecurity staff. All information security policies and standards are backed up by documented best practices.
Which NIST 800-53 Solution Is Right For You?
Our documentation is meant to address your requirements from strategic concepts all the way down to the day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you can benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
When you look at it on a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with NIST SP 800-53. The product names you see in the various packages below map to the matrix shown above, which shows how each product maps to NIST 800-53.
Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.