NIST 800-53 Security Controls

Posted on 2011-05-04
Last Modified: 2013-12-06
Hello Experts,

I am in the planning stages to build a "target" environment that meets FISMA compliance regulations.  I have plotted and designed the target equipment costing and the Gap Analysis/Risk assessment; however I was curious as to what controls I should consider looking at.

My environment will be private (no public facing access), with 2 IIS boxes, 1 SQL box, 1 AD box, 1 Barracuda backup box, and a XenServer to host 30 XenDesktop machines.

I have been looking into LogRhythm for SIEM, TrendMicro for Endpoints, Tripwire for Integrity, SAINT for Vulnerability Scanning, and ScriptLogic for AD controls/reporting.

Obviously there is no "magic bullet" that will cover ALL of the controls.  My goal is to cover as many security controls as I can with as few vendors as possible.

Are there any other recommendations or other controls that I should be looking at?
Question by:LR_Brian

    Accepted Solution

    For FISMA compliance, 800-53a is a great place to start.  The SRTM controls are pulled directly from NIST documentation.
    You may also want to look at FIPS 140-2 for encryption requirements.

    May I also recommend looking at Nessus for vulnerability scanning; they have FISMA templates that you can use.  The ProfessionalFeed is very affordable.  Also, we use LogRhythm and we are very satisfied with it....  it has great reporting options and many templates to choose from regarding compliance.

    The SANS Consensus Audit Guidelines (CAG) would also be a good resource for you to browse.

    If you happen to host any Windows OS desktops in the future, you will want to look at FDCC documentation as well.

    Author Comment

    Thanks for the recommendations.

    I will accept your above response as the solution.

    Do you also use FIM with LogRhythm?  I'm curious as to how well they do with it.

    Expert Comment

    Yes, we do on our web servers.   It does a pretty good job; sometimes it will report modifications, but we think that is because the AV touches the files....  something we need to take up with support.  It doesn't happen all the time.  One thing I do like about the product is if you have certain application logs that LogRhythm doesn't have a format for, you can submit that to support and they will try to get it out in the next release.  They actually did that for Hyper-V faster than I thought they would.
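The false positives described in the comment above (a scanner touching files without changing them) are the classic reason to baseline on content hashes and treat timestamp-only changes as a separate, lower-severity class. The following is an added illustration, not code from the thread or from any product mentioned in it; file names, the temporary directory and the "touch" are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of file content, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Snapshot every file under root as relative path -> (content hash, mtime in ns)."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            snap[str(p.relative_to(root))] = (hash_file(p), p.stat().st_mtime_ns)
    return snap


def compare(old, new):
    """Classify drift: real content change vs. metadata-only touch vs. added/removed files."""
    report = {"content_changed": [], "touched_only": [], "added": [], "removed": []}
    for rel, (digest, mtime) in new.items():
        if rel not in old:
            report["added"].append(rel)
        elif old[rel][0] != digest:
            report["content_changed"].append(rel)   # bytes differ: alert
        elif old[rel][1] != mtime:
            report["touched_only"].append(rel)      # same bytes, new mtime: AV/backup noise
    report["removed"] = list(set(old) - set(new))
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: one web file edited, one only touched, one added."""
    with tempfile.TemporaryDirectory() as root:
        page, cfg = Path(root, "default.aspx"), Path(root, "web.config")
        page.write_text("<html>v1</html>")
        cfg.write_text("<configuration/>")
        before = baseline(root)
        page.write_text("<html>v2</html>")                   # genuine modification
        st = cfg.stat()                                     # simulate an AV scan touching mtime
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        Path(root, "robots.txt").write_text("User-agent: *")  # new file appears
        return compare(before, baseline(root))
```

In practice the "touched_only" bucket still deserves a look now and then, since a scanner or backup agent that rewrites identical bytes will also land there.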
