What is the National Institute of Standards and Technology (NIST)?
The National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.
As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
NIST 800 Series Compliance
The 800 series is the set of NIST documents that are relevant to the computer security community. Over 200 NIST Special Publication (SP) 800 series standards exist, outlining best practices for access management, secure coding, use of encryption, and more.
Some of the most commonly used NIST guidelines include:
- NIST SP 800-37: Promotes risk management via continuous monitoring
- NIST SP 800-53: Guidelines for security controls for federal information systems
- NIST SP 800-137: Use of automation for enterprise reporting and monitoring
- NIST SP 800-171: Controls for protection of Confidential Unclassified Information (CUI)
Beyond these four, organizations can also consult other NIST publications for best practices and guidance on many aspects of cybersecurity.
Who Is NIST Compliance For?
The NIST compliance documents are intended for any company working in the federal supply chain, including prime contractors, subcontractors, and subcontractors working for another subcontractor. For these organizations, NIST compliance is mandatory.
However, many companies outside of the federal supply chain are also looking to comply with the NIST standards as outlined in the NIST Cybersecurity Framework.
The NIST Cybersecurity Framework
The NIST Cybersecurity Framework is designed to improve the cybersecurity of the critical infrastructure sector. This framework provides recommendations to achieve five core cybersecurity functions:
- Identify: Gain the understanding necessary to manage cybersecurity risk and use the NIST framework.
- Protect: Implement controls to prevent or manage the impact of a cybersecurity incident.
- Detect: Put processes and solutions in place to rapidly detect a potential cyberattack.
- Respond: Take the necessary actions to manage a potential cybersecurity incident.
- Recover: Implement plans for resilience and restoring operations after an incident has occurred.
The NIST Cybersecurity Framework provides an overall outline for implementing a cybersecurity program. This, in combination with the 800 series standards, provides both broad and in-depth security guidance.