Definition

NIST (National Institute of Standards and Technology)

Alexander S. Gillis

By

Alexander S. Gillis, Technical Writer and Editor

Published: Nov 04, 2022

What is NIST (National Institute of Standards and Technology)?

NIST (National Institute of Standards and Technology) is a nonregulatory government agency located in Gaithersburg, Md. Founded in 1901 and now part of the U.S. Department of Commerce, NIST develops, promotes and maintains metrics and standards for several industries.

Congress established NIST to provide a measurement structure that rivaled capabilities provided by the United Kingdom, Germany and other major countries.

NIST operates several laboratories to promote the advancement and deployment of technological innovations that enhance security. NIST laboratory programs include engineering, IT, nanoscale science, neutron research, material measurement and physical measurement.

NIST also develops and maintains standards used within science, technology and other industries. These standards help federal agencies, contractors and other businesses that work with the government meet the requirements of different frameworks, such as Federal Information Security Management Act (FISMA), which dictates certain cybersecurity standards. Other organizations in the public and private sector also use these standards as part of their cybersecurity programs.

NIST doesn't offer certifications, but rather develops and promotes guidelines for federal agencies to follow. NIST participates in community outreach programs and roundtable discussions and solicits feedback from government, academia and industry, which is used to develop standards and guidelines. NIST standards are constantly being updated.

What is NIST compliance?

NIST compliance is the process of complying with the requirements of one or more NIST standards. NIST guidance and recommendations help federal agencies and the organizations that contract with them ensure they're compliant with different set regulations.

Compliance with NIST looks different depending on the standards and frameworks an organization follows. The standards are also based on the best practices for that specific industry.

For example, NIST Cybersecurity Framework, which was released in 2014, provides a model for reducing risks to critical infrastructure and is designed to help organizations better understand, manage and reduce their cybersecurity risk. Infrastructure includes energy and water utilities, as well as transportation, financial services, communications, public health, food and agriculture, emergency services, manufacturing and several other sectors. Organizations in these areas use the NIST framework

to improve communications with stakeholders within their businesses, as well as across organizations. Organizations are also using the framework to ensure they're matching up with NIST standards, guidelines and best practices.

Another example of a NIST standard is the recent publication of recommendations and a best practices framework that highlight technical security for deploying microservices-based applications with service mesh. Special Publication (SP) 800-204C illustrates how organizations can save time and improve security when deploying application services.

Benefits of NIST compliance

Benefits of compliance with NIST include the following:

creates a range of best practices for different standards;
creates a path to manage and reduce security incidents in an organization via security-based standards;
creates a set standard to follow when an organization needs to comply with regulations such as Health Insurance Portability and Accountability Act (HIPAA) or FISMA; and
enables organizations of all sizes that follow NIST to work on government contracts -- the same applies for individual subcontractors that follow NIST.

NIST standards and frameworks

Examples of NIST standards include the NIST 800 Series as follows:

NIST SP 800-53. This standard pertains to how data is managed and kept safe on federal information systems. This also applies to contractors or third parties that also have access to federal data. It includes security controls such as access control, incident response and configuration management.
NIST SP 800-37. This is the Risk Management Framework for information systems. The standard's goal is to prepare organizations for risk management activities, while outlining the needed structure and processes for managing security, privacy and risks.
NIST SP 800-53/FI. This creates security standards for federal agencies to manage programs that protect data and implement FISMA.
NIST SP 800-30. This standard provides guidance for conducting risk assessments. It applies to federal information systems and other organizations and reviews the differences among risks, threats and vulnerabilities. The standard also examines the chances of risks, threats and vulnerabilities occurring and the effects they may have.
NIST SP 800-171. This standard provides guidance for protecting controlled unclassified information in nonfederal systems or organizations. This includes physical security practices, such as allowing only authorized individuals access to physical systems or operating environments.

How to become NIST-compliant

NIST lists its standards on its official website. The standards and resources made available are based on international best practices, are technology-neutral and can be implemented by organizations of all sizes and federal institutions.

Because of the different possible standards, each implementation of a NIST standard is different. However, some general steps toward compliance with NIST security standards are the following:

categorizing data to protect;
having a baseline and document controls to protect data;
conducting risk assessments;
determining risk levels based on security control assessments; and
continually monitoring security controls.

The NIST Cybersecurity Framework — NIST Cybersecurity Framework includes five core concepts around the lifecycle of cybersecurity risk.

As a further example, to follow NIST Cybersecurity Framework, organizations should adhere to the following five fundamental areas for security control:

Identify. This determines how cybersecurity risk is managed, along with what systems, data, resources and capabilities are needed.
Protect. This provides safeguards to contain data security incidents so an organization can continue delivering critical services when needed.
Detect. This determines the protocols in place that identify security events.
Respond. This outlines the actions to take during a cybersecurity incident.
Recover. This step identifies what to do after a cybersecurity attack to maintain business continuity and begin disaster recovery.

Learn more about NIST and other IT security frameworks, such as ISO and COBIT, and their standards.

Continue Reading About NIST (National Institute of Standards and Technology)

NIST drafts service mesh guidance for DevSecOps

Incorporate NIST security and virtualization recommendations

NIST CSF provides guidelines for risk-based cybersecurity

Key elements of a modern cybersecurity framework

Building an incident response framework for your enterprise

Dig Deeper on Software design and development

Search Cloud Computing

The cloud's role in PQC migration
Even though Q-Day might be several years away, enterprises should develop a strategic plan to prepare for the future. Experts ...
Prioritize security from the edge to the cloud
Businesses can find security vulnerabilities when they push their workloads to the edge. Discover the pitfalls of cloud edge ...
6 edge monitoring best practices in the cloud
When it comes to application monitoring, edge workloads are outliers -- literally and metaphorically. Learn what sets them apart ...

Search App Architecture

8 best practices for creating architecture decision records
An ADR is only as good as the record quality. Follow these best practices to establish a dependable ADR creation and maintenance ...
Refactor vs. rewrite: Deciding how to fix problem software
At some point, all developers must decide whether to refactor code or rewrite it. Base this choice on factors such as ...
Understanding API proxy vs. API gateway capabilities
API proxies and gateways help APIs talk to applications, but it can be tricky to understand vendor language around different ...

Search ITOperations

HPE Discover highlights AI factories, OpsRamp and Morpheus
AI factories, Morpheus and OpsRamp promise to become central parts of HPE's hybrid cloud strategy.
ITSM meets AI: Capabilities, challenges and what's next
AI promises to transform ITSM through automation and intelligence, but success depends on matching the right AI type to specific ...
Mitigating AI's unique risks with AI monitoring
Coralogix CEO highlights the difference between AI and software monitoring, as illustrated by his company's acquisition and ...

TheServerSide.com

The case against vibe coding
Is vibe coding a bad idea for enterprises? AI can produce results faster than manual coding, but its benefits eventually unravel ...
An introduction to LLM tokenization
Users interact with LLMs through natural language prompts, but under the hood these AI models are based on LLM tokenization. ...
Agile vs. Scrum: What's the difference?
Don't fret about the differences between Agile and Scrum? It's actually their similarities that make them interesting.

Search AWS

Compare Datadog vs. New Relic for IT monitoring in 2024
Compare Datadog vs. New Relic capabilities including alerts, log management, incident management and more. Learn which tool is ...
AWS Control Tower aims to simplify multi-account management
Many organizations struggle to manage their vast collection of AWS accounts, but Control Tower can help. The service automates ...
Break down the Amazon EKS pricing model
There are several important variables within the Amazon EKS pricing model. Dig into the numbers to ensure you deploy the service ...

Close