A Step-by-Step Audit and Assessment Checklist for NIST 800-53A

Kezia Farnham

The NIST 800-53 Security and Control Framework was created to standardize cybersecurity within organizations dealing with critical infrastructure. Since then, businesses across all sectors have adopted the framework as a route toward more robust and structured cybersecurity.

Cybersecurity is an area where good governance and compliance are non-negotiable. Any framework is therefore welcome — and auditing your practices against NIST 800-53A can assure you that your cyber vigilance is as watertight as possible. Having a NIST 800-53a audit and assessment checklist can help optimize this audit and maximize the results.


What Is NIST 800-53a?

The National Institute of Standards and Technology (NIST) publishes the NIST 800-53 Security and Control Framework and the updated NIST 800-53A. 

What Is the Difference Between NIST 800-53 and 800-53A?

NIST 800-53A is an extension of NIST 800-53. It has been updated to provide additional guidance on assessing the controls required by NIST 800-53.

Latest NIST 800-53A Revisions

NIST regularly updates its guidance to reflect changing risks or practices, as in its May 2022 update to its cybersecurity guidance for supply chains. You may see references to NIST 800-53A Rev 3, NIST 800-53A Rev 4 and NIST 800-53A Rev 5. 

Revisions are made to the guidelines in order to “improve the quality of the publication;” these updates can include corrections, clarifications, or other minor changes. For instance, Rev 5 expands the guidance’s scope by adding 66 new base controls, 202 new control enhancements and 131 new parameters to existing controls.


What Does NIST 800-53A Do?

NIST 800-53A provides a set of procedures that are used to assess security and privacy controls in support of organizational risk management processes. The procedures can be tailored to any organization’s needs, making them flexible and easily customized to fit your business’s requirements.

The NIST 800-53A framework helps organizations move from reactive cybersecurity to a proactive approach that heads off potential cyber threats. This proactive stance is central to a modern, pre-emptive audit approach.


Carrying Out a NIST Assessment and Audit

You may hear the term “NIST assessment.” This tends to refer to a two-step process: you would conduct an audit and follow this up with a risk assessment on the audit’s outcome.

A “NIST audit” determines whether your organization’s standards and controls are sufficient to meet the NIST requirements. 

When cybersecurity threats come thick and fast and regulatory compliance is more important than ever, auditing your controls and processes as part of a structured approach to governance makes perfect sense.

As with any process or audit, a checklist can be invaluable in focusing your efforts and ensuring you have covered all bases. What should be included in your NIST 800-53a audit and assessment checklist?


The Definitive NIST 800-53a Audit and Assessment Checklist

Our checklist guides you through a NIST 800-53a audit and assessment in 4 steps:

  • Get familiar with your data. NIST 800-53a compliance requires that you put in place controls to minimize the chances of a cyber breach. To do this, you need to understand where data — particularly sensitive data — is held in your organization and how it flows throughout the business and to/from suppliers and customers. Identifying and categorizing the data you hold is an essential first step.
  • Map permissions and access to your data. Identifying roles and responsibilities is one of the five key steps in an effective compliance program, and ensuring you have granted appropriate data access is an essential part of that. Record details of stored data, both internally and on any external servers or in the cloud, and who has access to it.
  • Bolster access controls. Access and application controls are crucial in managing who can see and process the data your organization holds. Multi-factor authentication and zero-trust frameworks are just two ways to reinforce controls around data access.
  • Ensure you have the systems and controls to monitor your NIST 800-53A compliance on an ongoing basis. NIST 800-53A compliance isn’t a one-off exercise; you must consistently follow the guidance to comply. Monitoring access and data will identify any unusual activity or out-of-tolerance events.

There is one more step. It is perhaps not strictly part of a NIST 800-53a audit and assessment checklist, but you should also use the audit process as an opportunity to drive improvements.

As well as giving you a clear picture of the data in your business, your audit may spark continuous improvement ideas. For instance, it might prompt you to consider whether implementing a zero-trust architecture would strengthen your approach or, in the case of external suppliers, to revisit your third-party risk management strategy.

View your audit as a way of not just checking compliance but of identifying ways to refine and tighten up your cybersecurity processes, moving from compliance to proactive risk management.


Modernize Your Approach to NIST 800-53A Auditing, and to Auditing Overall

Hopefully, our NIST 800-53a audit and assessment checklist will help structure your approach to NIST 800-53A auditing and compliance. If you’d like to read more about how you can take a modern audit approach to your business, you can download a copy of our Modernizing Your Internal Audit Infrastructure Checklist. The checklist will help you optimize your audit team’s efficiency and maximize its impact within your organization.


Kezia Farnham is the Content Strategy Manager at Diligent. She's a University of the Arts London graduate who has enjoyed over seven years working across journalism, public relations and digital marketing, with a special focus on SEO and CRO in the B2B SaaS sector.

Kezia is passionate about helping governance professionals find the right information at the right time.