I have updated the NIST800-53v4 import by swapping the commas with semicolons, adding missing columns and removing or adding spaces to clean up the contents.
I have made two versions available. One has these simple fixes and the other adds the text “withdrawn” to column E so that this is clearly visible in Eramba without using filters to select additional columns.
You can find these two files on my Google Drive account at this URL: Google Drive: Sign-in
I hope this contribution will save someone else several hours of editing and improve this project overall.
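The cleanup described in the post above (commas to semicolons, missing columns, stray whitespace, and a "withdrawn" marker in column E) is easy to get wrong with a plain find-and-replace, because NIST control descriptions contain commas inside quoted fields. The following is an added example, not the poster's files or Eramba's own importer: it parses the original comma-delimited catalogue with the csv module so quoted commas survive, normalises whitespace, pads every row to a fixed column count, and flags controls whose description starts with "[Withdrawn". The five-column layout (Family, Control, Title, Description, Status), the `WITHDRAWN_RE` pattern and the sample rows are assumptions and constructed input for illustration; check the real Eramba import template before relying on the column order.

```python
import csv
import io
import re

# Assumed target layout; the real Eramba import template may differ.
COLUMNS = ["Family", "Control", "Title", "Description", "Status"]
# NIST 800-53 marks retired controls in the description text, e.g.
# "[Withdrawn: Incorporated into MP-3]." (assumed convention).
WITHDRAWN_RE = re.compile(r"^\[?\s*withdrawn\b", re.IGNORECASE)

# Constructed sample input: comma-delimited, quoted commas, messy spacing.
SAMPLE = (
    "Family,Control,Title,Description\n"
    "Access Control,AC-1,Access Control Policy and Procedures,"
    '"Develops, documents, and disseminates an access control policy"\n'
    "Access Control,AC-15,Automated Marking,"
    '"[Withdrawn: Incorporated into MP-3]."\n'
    "Access Control, AC-2 ,  Account  Management ,"
    '"Identifies and selects  account types"\n'
    "\n"
)


def normalise(csv_text, columns=COLUMNS, flag_withdrawn=True):
    """Return rows padded/truncated to len(columns), whitespace collapsed,
    with the Status column set to 'withdrawn' for retired controls."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # drop the source header; emit the assumed layout instead
    desc_idx, status_idx = columns.index("Description"), columns.index("Status")
    rows = [list(columns)]
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        cells = [re.sub(r"\s+", " ", cell).strip() for cell in row]
        cells = (cells + [""] * len(columns))[: len(columns)]
        if flag_withdrawn and WITHDRAWN_RE.search(cells[desc_idx]):
            cells[status_idx] = "withdrawn"
        rows.append(cells)
    return rows


def to_semicolon_csv(rows):
    """Serialise rows with ';' as the delimiter, quoting only when needed."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", quoting=csv.QUOTE_MINIMAL,
                        lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_semicolon_csv(normalise(SAMPLE)), end="")
```

Because the writer uses QUOTE_MINIMAL with ";" as the delimiter, descriptions that contain commas are emitted unquoted, which is what a semicolon-based importer expects; a description that itself contained a semicolon would be quoted automatically rather than splitting the row.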
Has anyone completed a pivot table or grouping of their compliance requirements? Would you be able to share this work?
I have an interest in SOC2-TSP, CCM and NIST. ISO maybe in my future, but I have plenty to work on for the moment.
Eric, I’m a consultant and that is work product for a customer. I’m checking with them to see if they don’t mind sharing. If they don’t mind, I’ll be happy to share.
What I will share straight away is that NIST 800-53 is a behemoth. I was able to squeeze it down to 71 top level controls (Eramba: Security Services). Whether you need to go high, moderate, or low determines how big the descriptions and audit criteria will be for each. Another way to look at the problem you’re facing is to use NIST 800-171 and the map to 800-53 they provide. If you take out NCOs, NFOs, and FED, you end up with just over 125 controls. This is much more manageable than 800-53, but in my opinion, still too many.
Yet another strategy to deal with this is to survey your specific implementation, and pull out anything document related - policies, procedures, standards, run-books, etc. Some organizations will have documentation as their only support for a control. Deal with the update of documentation as one control and then work on grouping the controls that have technical implementations. That should get the number of controls (Eramba: Security Services) way down. Good luck!
My employer is a federal, state and local government contractor and we live in this space 24/7. More and more frequently we’re seeing state and local governments following the federal risk management program in order to receive their federal grants. I’m also faced with responding to questionnaires from our sales team asking if we are in compliance with any one of more than a dozen different frameworks. You might call my team the company’s shadow security department. I’m managing a specific platform and hope to use Eramba to assist with responding to these RFPs as well as tracking corporate policy (compliance) requirements and communicating policy changes/requirements up to our policy teams to see if I can have the requirement managed at the corporate level.