What is NIST (National Institute of Standards and Technology)?
NIST (National Institute of Standards and Technology) is a nonregulatory government agency located in Gaithersburg, Md. Founded in 1901 and now part of the U.S. Department of Commerce, NIST develops, promotes and maintains metrics and standards for several industries.
Congress established NIST to provide a measurement structure that rivaled capabilities provided by the United Kingdom, Germany and other major countries.
NIST operates several laboratories to promote the advancement and deployment of technological innovations that enhance security. NIST laboratory programs include engineering, IT, nanoscale science, neutron research, material measurement and physical measurement.
NIST also develops and maintains standards used within science, technology and other industries. These standards help federal agencies, contractors and other businesses that work with the government meet the requirements of different frameworks, such as Federal Information Security Management Act (FISMA), which dictates certain cybersecurity standards. Other organizations in the public and private sector also use these standards as part of their cybersecurity programs.
NIST doesn't offer certifications, but rather develops and promotes guidelines for federal agencies to follow. NIST participates in community outreach programs and roundtable discussions and solicits feedback from government, academia and industry, which is used to develop standards and guidelines. NIST standards are constantly being updated.
What is NIST compliance?
NIST compliance is the process of complying with the requirements of one or more NIST standards. NIST guidance and recommendations help federal agencies and the organizations that contract with them ensure they're compliant with different set regulations.
Compliance with NIST looks different depending on the standards and frameworks an organization follows. The standards are also based on the best practices for that specific industry.
For example, NIST Cybersecurity Framework, which was released in 2014, provides a model for reducing risks to critical infrastructure and is designed to help organizations better understand, manage and reduce their cybersecurity risk. Infrastructure includes energy and water utilities, as well as transportation, financial services, communications, public health, food and agriculture, emergency services, manufacturing and several other sectors. Organizations in these areas use the NIST framework
to improve communications with stakeholders within their businesses, as well as across organizations. Organizations are also using the framework to ensure they're matching up with NIST standards, guidelines and best practices.
Another example of a NIST standard is the recent publication of recommendations and a best practices framework that highlight technical security for deploying microservices-based applications with service mesh. Special Publication (SP) 800-204C illustrates how organizations can save time and improve security when deploying application services.
Benefits of NIST compliance
Benefits of compliance with NIST include the following:
- creates a range of best practices for different standards;
- creates a path to manage and reduce security incidents in an organization via security-based standards;
- creates a set standard to follow when an organization needs to comply with regulations such as Health Insurance Portability and Accountability Act (HIPAA) or FISMA; and
- enables organizations of all sizes that follow NIST to work on government contracts -- the same applies for individual subcontractors that follow NIST.
NIST standards and frameworks
Examples of NIST standards include the NIST 800 series as follows:
- NIST SP 800-53. This standard pertains to how data is managed and kept safe on federal information systems. This also applies to contractors or third parties that also have access to federal data. It includes security controls such as access control, incident response and configuration management.
- NIST SP 800-37. This is the Risk Management Framework for information systems. The standard's goal is to prepare organizations for risk management activities, while outlining the needed structure and processes for managing security, privacy and risks.
- NIST SP 800-53/FI. This creates security standards for federal agencies to manage programs that protect data and implement FISMA.
- NIST SP 800-30. This standard provides guidance for conducting risk assessments. It applies to federal information systems and other organizations and reviews the differences among risks, threats and vulnerabilities. The standard also examines the chances of risks, threats and vulnerabilities occurring and the effects they may have.
- NIST SP 800-171. This standard provides guidance for protecting controlled unclassified information in nonfederal systems or organizations. This includes physical security practices, such as allowing only authorized individuals access to physical systems or operating environments.
How to become NIST-compliant
NIST lists its standards on its official website. The standards and resources made available are based on international best practices, are technology-neutral and can be implemented by organizations of all sizes and federal institutions.
Because of the different possible standards, each implementation of a NIST standard is different. However, some general steps toward compliance with NIST security standards are the following:
- categorizing data to protect;
- having a baseline and document controls to protect data;
- conducting risk assessments;
- determining risk levels based on security control assessments; and
- continually monitoring security controls.
As a further example, to follow NIST Cybersecurity Framework, organizations should adhere to the following five fundamental areas for security control:
- Identify. This determines how cybersecurity risk is managed, along with what systems, data, resources and capabilities are needed.
- Protect. This provides safeguards to contain data security incidents so an organization can continue delivering critical services when needed.
- Detect. This determines the protocols in place that identify security events.
- Respond. This outlines the actions to take during a cybersecurity incident.
- Recover. This step identifies what to do after a cybersecurity attack to maintain business continuity and begin disaster recovery.
Learn more about NIST and other IT security frameworks, such as ISO and COBIT, and their standards.