NIST 800-53 and how Threat Modeling can help

We know it's not easy to make any regulation or standard sound jazzy. So bear with us while we share the essentials. 

What companies is the NIST special publication aimed at?

Cloud Service Providers (CSPs) with existing authorizations, those who are mid-process, and those looking to achieve a FedRAMP authorization for the first time will all be required to align with Rev.5 baselines.

As well as organizations needing to map to FISMA (The Federal Information Security Management Act) compliance requirements. Non-compliance can lead to penalties and other negative impacts such as reduced funding or reputational damage.

Why do organizations need to conform to NIST 800-53 Rev.5?

As of May 30, 2023, FedRAMP officially approved and adopted the new Rev. 5 baselines – aligning with the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) Rev. 5 baselines that went into effect in September of 2021.

The Federal Information Security Management Act (FISMA) also stipulates that the NIST 800 series is to be followed. It does not require an agency to implement every single control but to implement the controls relevant to their organization and systems.

What exactly is NIST SP 800-53? We’ve summarized it for you.

NIST 800-53, governs security controls for federal information systems. It mandates risk assessment, security planning, and continuous monitoring. CSPs must conduct risk assessments and implement controls based on identified risks. This framework underscores the relevance of threat modeling in federal information security. Revision 5 also details the need for threat modeling and vulnerability analysis:

‘Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service..’

Threat modeling to conform and secure. NIST says so.

The practice of threat modeling is recommended within the NIST SP 800-53 Rev. 5. It is discussed in several following areas of the publication, including a specific chapter (SA-11) exclusively for threat modeling and vulnerability analysis.

Within the IriusRisk Threat Modeling Tool, there are Security Libraries built in for FedRAMP and NIST 800 series, including 800-53 Rev 5. This means users of IriusRisk, can align their architecture to what is required from the Rev 5 publication.

Love details?

Here are the chapters within NIST 800–53 that specifically states threat modeling a required an activity. These have been summarized below, or you can read the full details here.

Security and Privacy Engineering Principles

Implement SA-8: Security & Privacy Engineering Principles.

Apply organization-defined principles in system development. Include threat modeling for risk mitigation.

Threat Modeling and Vulnerability Analyses 

Implement SA-11 Developer Testing and Evaluation.

Mandate developer-conducted threat modeling and vulnerability analysis throughout system, component, or service development. Consider impact, environment, threats, and risk levels. Utilize defined tools, methods, and rigor levels. Validate with organization-defined acceptance criteria. This ensures effective operation and mitigation of vulnerabilities arising from design changes.

Reuse of Threat and Vulnerability Information

Implement SA-15 Development Process, Standards and Tools.

Mandate utilizing threat modeling and vulnerability analysis from similar systems in current development. Leverage vulnerability insights for informed design and implementation, drawing from similar systems or components. Utilize data sources like NIST National Vulnerability Database.

Powered by Partners

We are the experts in automated threat modeling, and we know which regulations our clients must conform to. We also have a partnership with stackArmor, the experts in all-things-FedRAMP. stackArmor allows us to offer even further guidance and support, for organizations. Plus, our training and consultancy partner, Toreon, offers valuable guidance on becoming compliant with NIST 800-53. So whatever you need for your Rev 5. journey, we have a stellar team to make this possible.

So, what next?

Take a look at our Security Content Library for all of the included risk patterns which are mapped to these standards, directives and compliance needs.