800-53r5 Audit Summary

The National Institute of Standards and Technology (NIST) develops many standards that are available to all industries.  A common set of standards is the NIST 800-53 Revision 5.  This dashboard summarizes all the families outlined in the NIST Special Publication 800-53r5.  The publication consists of a number of families, and each family contains security controls related to the general security topic.  Each security control was designed to help organizations, both private and public, to select the controls best suited to protect mission critical services.  Implementing these controls properly can aid in the defense against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.

The NIST families and controls are not a checklist-type compliance standard like HIPAA, PCI, or CSF; rather, they are a catalog of controls that are used in achieving compliance with the aforementioned standards.  Using this dashboard can assist the organization in understanding how they currently meet various standards. Each family has a component which provides a summary of all checks that are supported using audit files.  Each component provides details on severity levels and counts for each control. 

This dashboard covers all the NIST families currently supported by Tenable audit files, which provide the results of an audit check as one of multiple severity levels.  The audit results are displayed as a pass, fail or other. The informational severity level is considered a pass.  The pass is achieved when the configuration setting matches the expected result of the audit check.  The match can be a defined value or a range of values. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match.  Results other than a pass or fail (Errors/Warnings) may not mean a failure.  Each item should be reviewed and verified to ensure the expected result is correct.  If the expected result is not correct, then the audit file should be modified and the scan should be run again.  

The components in this dashboard use audit files (released after 1 July 2013), which incorporate the reference tag that maps many audit checks to a respective standard.  In the case of this dashboard, the audit files must contain '800-53' in the Reference Information of the applicable audit check.

Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable.io discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this dashboard are: Tenable Vulnerability Management (formerly Tenable.io)

Widgets:

• Framework Result Summary - This widget summarizes all the families outlined in the NIST Special Publication 800-53r5.
• Control Summary - This widget provides compliance results for each control family within the compliance standard.
• Audit Check Type Summary - This widget provides compliance results for hosts within the compliance standard.
• Access Control - This widget provides organizations with information which specifically measures against the compliance standards related to the Access Control (AC) family of 800-53.
• Assessment, Authorization, and Monitoring
• Audit and Accountability - This widget provides organizations with information which specifically measures against the Audit and Accountability (AU) family of 800-53.
• Awareness and Training - This widget provides organizations with information which specifically measures against the Awareness and Training (AT) family of 800-53.
• Configuration Management - This widget provides organizations with information which specifically measures against the compliance standards related to the Configuration Management (CM) family of 800-53.
• Contingency Planning - This widget provides organizations with information which specifically measures against the compliance standards related to the Contingency Planning (CP) family of 800-53. 
• Identification and Authentication - This widget provides organizations with information which specifically measures against the compliance standards related to the Identification and Authentication (IA) family of 800-53. 
• Incident Response - This widget provides organizations with information which specifically measures against the compliance standards related to the Incident Response (IR) family of 800-53.
• Maintenance - This widget provides organizations with information which specifically measures against the compliance standards related to the Maintenance (MA) family of 800-53.
• Media Protection - This widget provides organizations with information which specifically measures against the compliance standards related to the Media Protection (MP) family of 800-53.
• Planning - This widget provides organizations with information which specifically measures against the compliance standards related to the Planning (PL) family of 800-53.
• Program Management - This widget provides organizations with information which specifically measures against the compliance standards related to the Program Management (PM) family of 800-53.
• Risk Assessment - This widget provides organizations with information which specifically measures against the compliance standards related to the Risk Assessment (RA) family of 800-53.
• System and Communications Protection - This widget provides organizations with information which specifically measures against the compliance standards related to the System and Communications Protection (SC) family of 800-53.
• System and Information Integrity - This widget provides organizations with information which specifically measures against the compliance standards related to the System and Information Integrity (SI) family of 800-53.
• System and Services Acquisition - This widget provides organizations with information which specifically measures against the compliance standards related to the System and Services Acquisition (SA) family of 800-53.