NIST SP 800-53 R4 & R5 Cybersecurity Program Documentation

2020-cybersecurity-goldilocks-spectrum-comparison-nist-800-53-r5-fedramp-moderate-high-baseline.jpg

NIST SP 800-54 R5 Update

NIST recently released NIST SP 800-53 Rev5. ComplianceForge now has two (2) NIST SP 800-53 R5 versions of the CDPP:

  • NIST SP 800-53 R5 Low & Moderate Baseline (LM) CDPP - this will contain the low & moderate baselines for both NIST SP 800-53 R5 & FedRAMP
  • NIST SP 800-53 R5 Low, Moderate & High Baseline (LMH) CDPP - this will contain the low, moderate & high baselines for both NIST SP 800-53 R5 & FedRAMP

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 

What Is The NIST 800-53 Cybersecurity & Data Protection Program (CDPP)?

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The CDPP contains NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format:

  • Each of the NIST 800-53 families has a policy associated with it.
  • Under each of the policies are standards that support the NIST 800-53 baselines.
  • The CDPP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
  • The CDPP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
  • Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the CDPP does this from a cybersecurity perspective.

software-2018.1-no-software-to-install-v1.jpg

What Problem Does The CDPP Solve?

  • Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The NIST-based CDPP is an efficient method to obtain comprehensive NIST 800-53 based security policies and standards for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CDPP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. The CDPP maps to several leading compliance frameworks so you can clearly see what is required!
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CDPP's standards provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The CDPP provides this evidence!

How Does the CDPP Solve It

  • Clear Documentation - The CDPP provides comprehensive documentation to prove that your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The CDPP can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
  • Alignment With Leading Practices - The NIST-based CDPP is written to align your organization with NIST 800-53 rev4!  

NIST SP 800-53 R5 Written Cybersecurity Documentation - Robust Approach To Cybersecurity

For a preview into what the twenty (20) NIST 800-53 R5 Cybersecurity & Data Protection Program (CDPP) policies create is a comprehensive cybersecurity framework, based on NIST 800-53 R5 and organized by FIPS 199 Management, Operational and Technical categories:

 2021.1-nist-sp-800-53-r5-control-family-policies.jpg

The Most Comprehensive NIST 800-53 R5-Based IT Security Documentation

2020-nist-sp-800-53-r5-policies-standards.jpg

This Is How NIST 800-53 Cybersecurity Documentation Is Meant To Be Structured!

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 company that have dedicated cybersecurity staff. All information security policies and standards are backed up by documented best practices.

graphic-example-information-security-policies-standards-control-objectives-procedures-guidelines.jpg

Which NIST 800-53 Solution Is Right For You? 

Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with NIST SP 800-53. The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST 800-53.

2020-complianceforge-product-matrix-iso-27002-vs-nist-csf-vs-nist-800-53-vs-nist-800-171-v2.jpg

2021.4-swimlane-cdpp-or-dsp-levels.jpg

Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks. 

Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.

2020-hierarchical-cybersecurity-governance-framework.jpg

 

Find Out Exclusive Information On Cybersecurity