Your NIST 800-53 policies define what is required. But when an assessor asks how each control is actually performed, who owns it, and how often, can you show it? Procedures are the evidence of implementation that audits depend on, and they are usually the gap. The NIST 800-53 R5 Low & Moderate Cybersecurity Standardized Operating Procedures (CSOP) gives you a running start: editable, step-by-step procedures mapped 1-to-1 to the NIST 800-53 Moderate CDPP standards, using the NIST NICE Workforce Framework for roles and responsibilities. The templates get you roughly 80 to 90 percent of the way there, then your subject-matter experts fill in the details only they know.

The US National Institute of Standards and Technology (NIST) is on the fifth revision (rev5) of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. From rev4 to rev5, NIST dropped the "US Government" focus for NIST SP 800-53 and now has it generalized enough for private industry to use. There are still "NISTisms" for wording that are entirely US Government-focused, but it is a significant improvement for private industry adoption. NIST 800-53 "best practices" are the de facto standard for private businesses that do business with the US federal government.

One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 - that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53.

The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (RMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems.  That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors. We have a section that describes NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) if you are interested in that subject.

NIST 800-53 includes what both ISO 27002 and NIST CSF addresses, as well as a whole host of other requirements. NIST 800-53 is the basis for the controls found in NIST 800-171 / CMMC. NIST 800-53 is commonly found in the financial, medical and government contracting industries. One great thing about NIST 800-53, and it applies almost universally to all NIST 800-series publications. As with other NIST publications, it is freely available, at no cost to the public - http://csrc.nist.gov/publications/PubsSPs.html.

We leverage the Operationalizing Cybersecurity Planning Model in creating a practical view towards implementing cybersecurity requirements. Organizations are often not at a loss for a set of policies, but executing those requirements often fall short due to several reasons. Standardized Operating Procedures (SOPs) are where the rubber meets the road for Individual Contributors (ICs), since these key players need to know (1) how they fit into day-to-day operations, (2) what their priorities are and (3) what is expected from them in their duties. When looking at it from an auditability perspective, the evidence of due diligence and due care should match what the organization's cybersecurity business plan is attempting to achieve.

The central focus of any procedures should be a Capability Maturity Model (CMM) target that provides quantifiable expectations for People, Processes and Technologies (PPT), since this helps prevent a “moving target” by establishing an attainable expectation for “what right looks like” in terms of PPT. Generally, cybersecurity business plans take a phased, multi-year approach to meet these CMM-based cybersecurity objectives. Those objectives, in conjunction with the business plan, demonstrate evidence of due diligence on behalf of the CISO and his/her leadership team. The objectives prioritize the organization’s service catalog through influencing procedures at the IC-level for how PPT are implemented at the tactical level. SOPs not only direct the workflow of staff personnel, but the output from those procedures provides evidence of due care.

Procedures operationalize policies and standards. This is a key concept to being both secure and compliant. Organizations are often not at a loss for a set of policies, but executing those requirements falls short without documented procedures. Standardized Operating Procedures are where the rubber meets the road for individual contributors who need to know how they fit into day-to-day operations, what their priorities are, and what is expected from them.

One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:

• Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
• Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
• Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).

One of the most important concepts in procedure documentation is ownership. Policies, standards, and controls are designed to be centrally managed at the corporate level (GRC team, CISO). Procedures, by their very nature, are de-centralized; control implementation at the team level is defined to explain how the control is addressed (network team, desktop support, HR, procurement). Procedures are living documents that require frequent updates based on changes to technologies and staffing, and they are often documented in team-share repositories such as wikis, SharePoint pages, and workflow management tools.

Your customization will be to help "fill in the blanks" with specific process owners, process operators, where additional documentation can be found, applicable service obligations (e.g., SLAs), and what technology/tools your team has available. We've done the heavy lifting and you just need to fill in the blanks.  

To help illustrate the importance of well-written procedures, here is an illustration to show the difference between poorly-written procedures and well-written ones.

Not Enough

How To Make A Peanut Butter And Jelly Sandwich

• Put peanut butter on bread.
• Put jelly on bread.
• Eat.

Whoops!

VS

Just Right

How To Make A Peanut Butter And Jelly Sandwich

• Place two (2) slices of bread on a plate.
• Open the jar of peanut butter and use a butter knife to spread approximately two (2) tablespoons of peanut butter on one (1) slice of bread.
• Open the jar of jelly and use a butter knife to spread approximately two (2) tablespoons of jelly on the other slice of bread.
• Put the bread slices together with the peanut butter and jelly sides facing each other.
• Take one (1) bite-sized portion, then chew and swallow.
• Repeat Step 5 until the sandwich is gone.

Yum!

One very special aspect of the CDPP and SCRP versions of the CSOP is that it leverages the NIST NICE Cybersecurity Workforce Framework. NIST released the NICE framework in 2017 with purpose of streamlining cybersecurity roles and responsibilities. We adopted this in the CSOP framework since work roles have a direct impact procedures. By assigning work roles, the CSOP helps direct the work of employees and contractors to minimize assumptions about who is responsible for certain cybersecurity and privacy tasks.

The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to help make assigning the tasks associated with procedures/control activities more efficient and manageable. Keep in mind these are merely recommendations and are fully editable for every organization – this is just a helpful point in the right direction!

The CSOP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.

At the heart of it, the CSOP provides an organization with clear cybersecurity procedures that can scale to meet the needs and complexity of any team. The procedures are mapped to leading frameworks, so it is straightforward to have procedures that directly link to requirements from NIST 800-171, ISO 27002, NIST 800-53 and many other common cybersecurity and privacy-related statutory, regulatory and contractual frameworks!

The value of the CSOP comes from having well-constructed procedure statements that can help you become audit ready in a fraction of the time and cost to do it yourself or hire a consultant to come on-site and write it for you. The entire concept of this cybersecurity procedures template is focused on two things: