NIST800-53 and NIST CSF

NIST 800-53

The original intention of the NIST SP 800-53 series framework is to protect the information security of the US federal government. Although it is not a formal statutory standard, it has become a widely recognized framework by the US and international security community. It guided organizations to establish an information security risk management framework, select and formulate information security control measures.

This assessment is based on the 5th edition of NIST SP 800-53 released in September 2020. A comprehensively assessment was done on Alibaba Cloud's existing security and privacy control measures, enhancement requirements, and implementation. NIST SP 800-53 contains 20 control security domains (Family), a total of 1189 control items, of which 1007 are remain effective (including 298 basic control items and 709 enhanced control items). This assessment is a comprehensive and complete security control assessment of Alibaba Cloud, especially reflecting the control related to cloud services. Based on the characteristics and requirements of cloud services, reflecting Alibaba Cloud existing GRC governance, risk and compliance status. Alibaba Cloud has established security processes, controls, and tools to provide a secure cloud computing platform.

NIST CSF

The purpose of the NIST CSF audit is to perform a Cyber Security Assessment of the current cyber security posture of Alibaba Cloud by understanding the cyber security controls and various implemented security solutions. In addition, NIST CSF provides organizations with guidelines consisting of different functions for a comprehensive cyber security program.

This review is based on the National Institute of Standard and Technology (“NIST”) Cyber Security Framework (“CSF”), and the key focus areas include:
• Design and effectiveness of Alibaba Cloud’s cyber security framework, policies, and standards;
• Cyber security defense capabilities and responsiveness; and
• Gaps between current defense capabilities and targeted or desired results.

The key focus of this review is on Alibaba Cloud’s implementation of its cyber security strategy and relevant security solutions. Based on the characteristics and requirements of cloud services, it reflects Alibaba Cloud’s existing GRC governance, risk, and compliance status, on this basis, assesses the maturity of CSF.


NIST 800-53 Rev. 5
Security and Privacy Controls for Information Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

NIST Cybersecurity Framework
https://www.nist.gov/cyberframework