NIST publications
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Its mission is to promote innovation and industrial competitiveness.
Generally speaking, NIST guidance provides the set of standards for recommended security controls for information systems at federal agencies. NIST guidelines are often developed to help agencies meet specific regulatory compliance requirements.
NIST 800 Series
The NIST 800 Series is a set of documents that describe United States federal government computer security policies, procedures, and guidelines. The documents are available free of charge and can be useful to businesses and educational institutions, as well as to government agencies.
NIST 800 Series publications evolved as a result of exhaustive research into workable and cost-effective methods for optimizing the security of information technology (IT) systems and networks in a proactive manner. The publications cover all NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities and for implementing security measures to minimize the risk of adverse events. The publications can be useful as guidelines for enforcement of security rules and as legal references in case of litigation involving security issues.
Some publications of the NIST 800 series:
- 800-205: Attribute Considerations for Access Control Systems
- 800-203: NIST/ITL Cybersecurity Program Annual Report
- 800-192: Verification and Test Methods for Access Control Policies/Models
- 800-177: Trustworthy Email
- 800-171: Assessing Security Requirements for Controlled Unclassified Information
- 800-146: Cloud Computing Synopsis and Recommendations
- 800-137: Information Security Continuous Monitoring
- 800-133: Recommendation for Cryptographic Key Generation
- 800-121: Guide to Bluetooth Security
- 800-115: Technical Guide to Information Security Testing and Assessment
- 800-113: Guide to SSL VPNs
- 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems
- 800-95: Guide to Secure Web Services
- 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- 800-53: Security Controls
- 800-50: Building an Information Technology Security Awareness and Training Program
- 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- 800-37: Risk Management Framework
When is the NIST framework required?
If you do business with a US federal government agency, or with a third party that does business with a US federal government agency, those parties may require that your organization comply with a specific NIST publication (e.g., 800-171).
All NIST publications are free and easily accessible, so you can assess for yourself the gap between your current IT practices and the NIST framework.
How can my organization demonstrate that it complies with a NIST publication?
The easiest way, if your organization is SOC 2 compliant, is to extend your SOC 2 report to cover the required NIST publication. Otherwise, if your organization complies with ISO 27001, you can try sending your certificate to the requesting parties.
Yucca IT Consulting can help you
We can assist you throughout your preparation process to comply with NIST publications, from the gap analysis to the independent SOC 2 report (with NIST criteria included). With the help of your in-house project lead, a realistic timetable will be documented and accepted by your management.