NIST 800-53r5: Introduction to Security and Privacy Controls
Course Content
In this course, we will learn how 800-53 fits into the Risk Management Framework (RMF) since the knowledge is fundamental to understanding the importance of the security controls. After studying the steps in RMF, students will discover the history of the 800-53 document based on the revisions to the original.
Understanding the history is essential since cybersecurity professionals may work at an organization that has not adopted the latest revision. After gaining the foundational knowledge of 800-53, students will delve into the components and structure of the security controls. The structure includes the control families and the reason NIST organized the controls to meet FIPS 200 guidance. After learning about the control family organization, we will discuss the differences between system, hybrid, and common controls since this hierarchical implementation of security delineates the boundaries of responsibility within an organization. With an understanding of the families, organization, and types of security controls, students are ready to learn about the internal structure of the 800-53 controls. Finally, we will learn about how cybersecurity professionals will encounter security controls, such as System Security Plans (SSP), Plan of Actions & Milestones (POA&M), risk assessments, or reports from automated security tools.
Prerequisites
Individuals who wish to take this course should have a basic understanding ofthe NIST Risk Management Framework (RMF), how to categorize a system (FIPS 199), have some understanding of basic security principles (NIST 800-12), and understand the components of Confidentiality, Integrity, & Availability. These principles are not hard requirements and will be reviewed during the course. The target audience for the course is anyone in the cybersecurity field who interacts with or needs to understand NIST 800-53 controls.Course Goals
By the end of this course, students should be able to:Instructed by
As a recognized expert in the field of cybersecurity, Dustin has run proactive risk assessments, incident response forensics, and worked in security operation centers (CSOCs) to strengthen the security posture for his client and employers and is a trusted partner in the immediate aftermath of cyber events.
Dustin has submitted written and oral testimony in local, state, and Federal courts. He is a frequent thought leader and speaker on a wide variety of cybersecurity matters.
I have been captivated by technology since I received my first computer at the age of 8. Even at a young age I enjoyed programming since it provided a virtual method of creating building blocks toward a final project; I have been coding ever since. My first job was as a web developer and part-time system administrator. I transitioned to system/network administrator managing Linux systems and connectivity for a local Internet service provider. I continued in several different fields of IT before transitioning to a dedicated cybersecurity role.
My roles in cybersecurity have been as an auditor, security plan writer, controls implementer, architecture, incident responder, and penetration tester. In my current role, I test web application and perform security code review for applications developed in Java, .Net, Python, JavaScript, and a few other languages. I try to get away from IT as much as possible and enjoy the outdoors. My favorite hobbies are mountain biking, hiking, and photography. When I’m lucky, I can combine a couple of hobbies at onetime.
I have always enjoyed teaching and analogizing technology into terms everyone can understand without the complexity of IT.I also enjoy teaching concepts to IT professionals to expand their knowledge and assist in furthering their careers. During my doctoral studies, I attended a pedagogy class, which helped me understand how to formalize methods of teaching and organize the structure of knowledge transfer. I have recently taken on roles as a committee chair and mentor to doctoral students to support them through the process from development to defense of their dissertations. I also love talking about IT and cybersecurity, which makes teaching an enjoying endeavor.
