August 30, 2022
Think Outside the Box for a Better NIST 800-53 Assessment

There’s a recognized truth across the cybersecurity industry: you can’t protect what you don’t know. Added to that is the fact that you can’t know what you don’t know.

Industry best practices and cybersecurity frameworks reconcile these two for productive outcomes and a stronger cybersecurity posture.

The value of NIST 800-53

The National Institute of Standards and Technology (NIST) SP 800-53 offers industry-recognized security and privacy controls for organizational information systems, tiered into low, moderate and high impact baselines.

Control families range from access control to identity and authentication, and from incident response to supply chain risk management.

Federal agencies and their contractors are mandated to comply with NIST 800-53. For other organizations, aligning with and implementing these controls establishes a baseline for secure organizational infrastructure.

Why assess NIST 800-53 compliance?

Cybersecurity complexity makes it difficult to see your entire landscape of threats, vulnerabilities, policies and processes. Every organization has weak spots. Any organization that doesn’t know what those are is at risk.

A third-party assessment of NIST 800-53 compliance is generally spurred by one of these three conditions:

  1. It is required for cyber insurance coverage or an industry-specific certification, or a third party requires it as a condition of doing business.
  2. New security leadership needs a clear view of the current security state to prioritize projects.
  3. The organization is using the framework as a roadmap for security posture and compliance improvements and wants to ensure its efforts and progress are on track.

An annual or semi-annual look into your organization’s security and privacy controls is ideal for maintaining visibility and awareness of insufficient protection.

Get the full story of your NIST 800-53 assessment

To make the most of a NIST 800-53 assessment, find a consultant who eliminates the gray areas left by an overly condensed evaluation. A robust assessment looks beyond a list of yes/no questions and checkboxes to include:

  • A review of policies and processes to ensure they are organizationally structured
  • Coverage of multiple business units across the organization, such as HR and accounting
  • Attention to user access and protections
  • Deep dives into controls to identify and understand the mapping
  • Hands-on evaluation and reporting for clearer understanding among all stakeholders

The whole story of an environment’s current security posture is best told by exploring the caveats behind the questions on a checklist. An assessment designed and evaluated by humans allows tailoring for each client. It also helps capture the nuances that provide context and value to the entire business.

Comprehensive reporting enables an organization to quickly identify its top security priorities, assure business partners of its risk stance, and validate the review of its security controls.

A deep-dive NIST 800-53 assessment experience

Converge Cybersecurity and CBI, A Converge Company, are obsessed with cybersecurity and making the world a safer place for everyone.

We have extensive knowledge and experience with the NIST Cybersecurity Framework and an understanding of security control best practices. Our assessment team also draws on our in-house expertise in all core cybersecurity pillars to ensure some of the most comprehensive reporting in the industry.

About the Authors
Leon Malkowych
Director
Leon Malkowych brings more than 15 years of network and security expertise to his role as director of our Architecture, Implementation and Management Services. He oversees the strategy, development and delivery of services designed to help organizations align cybersecurity capabilities with desired business outcomes and strengthen defenses across people, process and technology. He has extensive experience leading teams of highly experienced engineers, and helping clients build and mature their cybersecurity posture.
Jeffry Natzke
Sr. Engineer
Jeff Natzke has more than 15 years of experience in information technology. He has worked for large enterprises and technology startups, providing IT and technology support to both internal and external clients. His past roles include sr. systems engineer, sales engineer, consulting engineer and sr. telecommunications engineer. In his current role, Jeff provides staff augmentation and security assessment support.
Zachary Smith
Manager
In his role as a manager for our Architecture and Implementation practice, Zachary Smith focuses on endpoint security and risk and vulnerability management. He has over five years of experience helping clients implement, assess and manage their cybersecurity solutions and environments.