NIST is the abbreviated name of the National Institute of Standards and Technology. It’s one of many federal agencies under the U.S. Department of Commerce, and is one of the oldest physical science laboratories in the United States. The agency develops technology and security policies that help drive innovation in science and technology-related industries, and that better prepare those industries to meet the requirements of the Federal Information Security Management Act (FISMA).
NIST regulations are a critical consideration when planning security controls to safeguard controlled unclassified information (CUI), especially for organizations planning to bid for U.S. defense contracts. The agency has created thousands of security frameworks, which can lead to significant confusion when you’re creating a new cybersecurity program for your organization.
NIST compliance means something different with each NIST framework. Here are three of the most commonly used frameworks for cybersecurity, to help you on your path to NIST compliance:
Used by 29% of organizations, the NIST Cybersecurity Framework (CSF) is a voluntary framework primarily intended for use at the organizational level, including critical infrastructure, to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.
Compliance with NIST CSF can ease the way to compliance with other security frameworks, including the Payment Card Industry Data Security Standard (PCI DSS) and the IT general controls required under the Sarbanes-Oxley Act (SOX). NIST CSF compliance, therefore, can mean saving time and expense down the road.
Many organizations choose to use NIST CSF, an information security framework, to assure themselves as well as their customers that their systems, network, and data are as safe as can be from a cybersecurity intrusion.
Implementing the security controls needed to comply with NIST 800-53 brings entities and their technology products or services in line with the Federal Information Security Modernization Act (FISMA) and with the Federal Information Processing Standard Publication 200 (FIPS 200).
The NIST 800-53 security controls cover 18 areas, such as access control, incident response, and business continuity and disaster recovery. Companies that adopt NIST CSF at the organization-wide level may choose 800-53 to implement more robust controls over their products or services.
Compliance with NIST 800-53 is voluntary for organizations that are neither federal agencies nor affiliated with the federal government; such organizations can still use it as a framework for conducting risk assessments.
Organizations doing business with the U.S. Department of Defense (DoD) must comply with another set of NIST requirements: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems.
NIST SP 800-171 applies to non-federal information systems and organizations, such as DoD contractors, that process, store, or transmit Controlled Unclassified Information (CUI). Organizations that do not meet the minimum security standards established by the Defense Federal Acquisition Regulation Supplement (DFARS) will lose their contracts. In addition, failure to fully comply could be a barrier to entry to the RFP process for new contracts.
NIST provides critical, common language and foundational security standards that, when implemented, can take your cybersecurity program to the next level. Once you’ve determined which NIST frameworks are most appropriate for your organization, you’ll be ready to begin your journey to NIST compliance. You can learn more about next steps in our recent webinar: 5 Keys to Successful NIST Audits.