NIST SP 800-53 Rev 5 - AWS Audit Manager

NIST SP 800-53 Rev 5

AWS Audit Manager provides a prebuilt framework that supports the NIST 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations.


What is NIST SP 800-53?

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the oldest physical science laboratories in the United States. The U.S. Congress established the agency to improve what was at the time a second-rate measurement infrastructure. The infrastructure was a major challenge to U.S. industrial competitiveness, having lagged behind other economic powers such as the U.K. and Germany.

The NIST SP 800-53 security controls are generally applicable to U.S. federal information systems. These are typically systems that must go through a formal assessment and authorization process. This process ensures sufficient protection of confidentiality, integrity, and availability of information and information systems. This is based on the security category and impact level of the system (low, moderate, or high) as well as a risk determination. Security controls are selected from the NIST SP 800-53 security control catalog, and the system is assessed against those security control requirements.

The NIST SP 800-53 framework represents the security controls and the associated assessment procedures that are defined in NIST SP 800-53 Revision 5 Recommended Security Controls for Federal Information Systems and Organizations. For any discrepancies that are noted in the content between this NIST SP 800-53 framework and the latest published NIST Special Publication SP 800-53 Revision 5, refer to the official published documents that are available at the NIST Computer Security Resource Center.

Using this framework

You can use the NIST SP 800-53 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST requirements. You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the NIST SP 800-53 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager Number of automated controls Number of manual controls Number of control sets
NIST 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations 308 699 20

To ensure that this framework collects the intended evidence from AWS Security Hub, make sure that you enabled all standards in Security Hub.

To ensure that this framework collects the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review the AWS Config rules that are used as data source mappings in this standard framework, download the file.

The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with the NIST standard. Moreover, they can't guarantee that you'll pass a NIST audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

Next steps

For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see Reviewing a framework in AWS Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment in AWS Audit Manager.

For instructions on how to customize this framework to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.

Additional resources