Complete Guide to the NIST Cybersecurity Framework

NIST originally developed its cybersecurity framework, commonly abbreviated as NIST CSF, to strengthen the security of the United States’ critical infrastructure. The goal was to establish a common set of standards, objectives, and language to increase information security and better remedy the fallout after a cyberattack. A common language leads to better decision-making and helps shape a similar methodology across industries, something that’s very important for eradicating cyberattacks like phishing schemes and ransomware.

NIST CSF was first released in 2014, with an updated Version 1.1 released in 2018. (NIST did release a draft Version 2.0 for public comment in August 2023, but a final Version 2.0 isn’t expected until early 2024.)

Since its release, NIST CSF has proven so versatile that today the agency encourages every organization, regardless of size or industry, to adopt it on a voluntary basis. The CSF is comprised of framework core components, implementation tiers, and profiles. 

The core components are capabilities that your cybersecurity program should be able to achieve. There are five of them:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Each of these components is then further divided into categories and subcategories for mitigating cybersecurity risk. Those categories and sub-categories include descriptions of leading information security practices, incident response plans, and methods to obtain successful ransomware recovery.

‘Special Publications’ take a deeper dive into specific areas

In addition to the CSF, NIST has produced more than 200 special publications covering many specific aspects of cybersecurity risk management: identity access control, managing protective technology, responding to a cybersecurity event or incident, artificial intelligence, and much more.

Among the most widely used NIST publications is NIST 800-53, a set of controls intended to help organizations meet the requirements of the Federal Information Security Modernization Act (FISMA), which is mandatory for federal agencies and organizations that are part of their supply chain such as defense contractors.

Top Security Control Families in NIST SP 800-53

NIST 800-53 publication defines more than 1,000 controls, which are grouped into 20 control families, listed as below.

NIST 800-53 Control Families
AC – Access Control	PS – Personnel Security
AU – Audit and Accountability	PE – Physical and Environmental Protection
AT – Awareness and Training	PL – Planning
CA – Security Assessment and Authorization	PT – PII Processing and Transparency
CM – Configuration Management	PM – Program Management
CP – Contingency Planning	RA – Risk Assessment
IA – Identification and Authentication	SC – System and Communications Protection
IR – Incident Response	SI – System and Information Integrity
MA – Maintenance	SA – System and Services Acquisition
MP – Media Protection	SR – Supply Chain Risk Management

 

Considered among federal agencies as the gold standard for cybersecurity, NIST 800-53 also governs compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), which is mandatory for government-affiliated entities.

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is specifically geared toward defense contractors bidding on projects with the U.S. Department of Defense (DoD).

The NIST CSF can help any organization that wants to improve its cybersecurity. It was originally developed to protect critical infrastructure sectors, but over the years  the CSF has gained popularity with universities, research organizations, public companies, private companies, and more. To be clear, however, for most organizations the CSF is only a voluntary framework.

NIST defines CSF core as a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. As the CSF itself says:

The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

The CSF comprises these components:

The Framework Core. This is the primary part of the CSF. It defines the five functions that an effective cybersecurity program should achieve, and the more specific activities necessary to achieve each function. 

• Functions: identify, protect, detect, respond, recover
• Categories
• Subcategories
• Informative references

Implementation tiers. The four implementation tiers are akin to a maturity curve, measuring the degree to which your organization has implemented the NIST controls:

• Tier 1—Partial
• Tier 2—Risk-informed
• Tier 3—Repeatable
• Tier 4—Adaptive

Framework profiles. Profiles represent your organization’s unique alignment of its security requirements and objectives, risk appetite, and resources, all measured against the desired outcomes cited in the framework core

The framework core at the heart of the CSF consists of five cybersecurity functions. Those five functions then consist of 23 categories in all. The categories, in turn, consist of 108 sub-categories listing the requirements and controls necessary to satisfy each category, well as “informative references” that provide a list of additional frameworks and other resources to consult for more information.

Keep in mind that the NIST CSF is not intended as a one-size-fits-all framework. Each organization may decide which functions, categories, and subcategories it will comply with.

The functions, with their categories and subcategories, are as follows.

1. Identify:

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Asset management (ID.AM):

• Your enterprise has identified the data, personnel, devices, systems, and facilities essential to its critical business services.
• Your enterprise has prioritized those assets according to their importance and the organization’s risk strategy.
• Your enterprise manages its assets according to their priority. This means that your organization has achieved these goals:
  • Taken inventory of all physical devices and systems.
  • Taken inventory of all software platforms and applications.
  • Mapped its communication and data flows.
  • Cataloged its external information systems.
  • Prioritized its resources (hardware, devices, data, time, personnel, and software) according to their classification, level of importance (criticality), and business value.
  • Established cybersecurity roles and responsibilities enterprise-wide and for third-party stakeholders (suppliers, customers, partners).

Business environment (ID.BE):

• Your teams understand the organization’s mission, objectives, stakeholders, and activities as prioritized.
• Your teams use this information to inform cybersecurity roles, responsibilities, and risk management decisions. This means that they have:
  • Identified and communicated your organization’s role in the supply chain.
  • Identified and communicated your organization’s place in critical infrastructure and its industry sector.
  • Established and communicated its priorities for the mission, business objectives, and activities.
  • Mapped its dependencies and critical functions for the delivery of critical services.
  • Established resilience requirements to support the delivery of critical services during normal operations, during an attack, under duress, and during recovery.

Governance (ID.GV):

Cybersecurity risk managers and the board know, understand, and use your enterprise security policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.

• You’ve established and communicated the cybersecurity policy.
• Your organization has coordinated and aligned cybersecurity roles and responsibilities with internal roles and external partners.
• Managers understand and are overseeing compliance with legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
• Your governance and risk management processes address cybersecurity risks.

Risk assessment (ID.RA):

Your organization understands the cybersecurity risk to its operations (including mission, functions, image or reputation), assets, and people.

• You’ve identified and documented the vulnerabilities to your assets.
• You’ve arranged to get cyber threat intelligence from information-sharing forums and sources.
• You’ve identified and documented the threat environment, which is the threats your enterprise faces from internal and external sources.
• You’ve identified potential business impacts of risks and threats, as well as the likelihood of their occurring.
• You’ve used threats, vulnerabilities, likelihoods, and impacts to determine overall risk.
• You’ve identified and prioritized risk responses.

Risk management strategy (ID.RM):

Your organization has established its priorities, constraints, risk tolerances, and assumptions and uses them to support operational risk decisions.

• You’ve established and actively managed risk management processes, with stakeholders’ agreement.
• You’ve determined and clearly expressed your organization’s risk tolerance.
• In determining risk tolerance, you’ve considered your enterprise’s role in critical infrastructure and have considered risk analyses of your sector.

Supply chain risk management (ID.SC):

Your enterprise has set priorities, constraints, risk tolerances, and assumptions and has defined processes to identify, assess, and manage supply chain risks.

• You’ve identified, established, and assessed supply chain risk management processes and manage these with stakeholder agreement.
• You’ve identified, prioritized, and assessed the suppliers and third-party partners of your information systems, components, and services using a cyber-supply-chain risk assessment process.
• You use contracts with suppliers and third-party partners to meet the objectives of your cybersecurity program and cyber-supply-chain risk management plan.
• You routinely assess your suppliers and third-party partners using audits, test results, or other evaluations to confirm that they are meeting their contractual obligations.
• You plan and test response and recovery procedures with suppliers and third-party providers.

2. Protect:

Assure that critical infrastructure services remain available. Categories and sub-categories are: 

• Identity management, authentication, and access control (PR.AC):
  Only authorized users, processes, and devices can access physical and logical assets and associated facilities. How you manage this access depends on the risks associated with unauthorized access.
  • Issue, manage, verify, revoke, and audit identities and credentials for authorized devices, users, and processes.
  • Manage and protect physical access to assets.
  • Manage remote access.
  • Manage user accounts’ access permissions and administrative privileges using the principles of least privilege needed to do one’s job and separation of duties.
    Protect network integrity using such means as network segregation and network segmentation, as well as updated antivirus software and secure data backup.
  • Proof and bind identities to credentials and have them asserted in interactions.
  • Authenticate users, devices, and other assets commensurate with the risk of each transaction.

Awareness and training (PR.AT):

Your organization’s personnel and partners receive cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with policies, procedures, and agreements.

• All users are informed and trained.
• Privileged users understand their roles and responsibilities.
• Third-party stakeholders (suppliers, customers, partners, and so forth) understand their roles and responsibilities.
• Senior executives understand their roles and responsibilities.
• Physical and cybersecurity personnel understand their roles and responsibilities.

Data security (PR.DS):

Your organization manages data in concert with its data risk strategy to protect the confidentiality, integrity, and availability of information.

• Your data at rest is protected.
• Your data is protected while in transit.
• You manage your assets as they are being transferred, removed, and disposed of.
• You maintain adequate storage capacity to ensure that your data is always available.
• You protect against data leaks and have established plans for recovery efforts.
• You verify software, firmware, and information integrity.
• Your development and testing environment(s) are separate from the production environment.

Information protection processes and procedures: (PR.IP):

Your enterprise uses security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, processes, and procedures to manage the protection of information systems and assets.

• You have a baseline configuration of information technology/industrial control systems incorporating security principles (the “concept of least functionality”).
• You have a systems development lifecycle for managing your systems.
• You have processes for configuration change control.
• You conduct, maintain, and test information backups.
• Your physical operating environment for organizational assets meets policies and regulations.
• You destroy data according to your policies.
• You have improved your data protection processes.
• You share the effectiveness of protection technologies.
• You have response and recovery plans, and you manage them.
• You regularly test your response and recovery plans.
• Your human resources practices include cybersecurity measures such as deprovisioning and personnel screening.
• You have a vulnerability management plan.

Maintenance (PR.MA):

According to policies and procedures, your organization maintains and repairs its industrial control and information system components.

• You maintain and repair organizational assets and log those activities with approved and controlled tools.
• Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

Protective technology (PR.PT):

You manage technical security solutions to assure that systems and assets are secure and resilient, as well as consistent with organizational policies, procedures, and agreements.

• You document and review audit/log records according to policy.
• You protect removable media and restrict its use according to policy.
• You configure systems to provide users with only what they need (“principle of least privilege”).
• Your communications and control networks are protected.
• You use mechanisms such as fail-safe, load balancing, and hot swap for greater resilience.

3. Detect:

Develop and implement activities to identify cybersecurity events. Categories and subcategories are:

Anomalies and events (DE.AE):

The organization knows when anomalous activity occurs on your systems.

• You maintain and manage a baseline of network operations and expected data flows for users and systems.
• The organization analyzes detected events to understand attack targets and methods.
• Systems collect and correlate event data from multiple sources and sensors.
• You know the impacts of cybersecurity events.
• You’ve established incident alert thresholds.

Security continuous monitoring (DE.CM):

The organization continuously monitors its information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. Monitoring includes these areas:

• The enterprise network.
• The physical environment.
• External service providers’ activity.
• Employee activity.

Monitoring should check for anomalies, including:

• Malicious code.
• Unauthorized mobile code.
• Unauthorized users, connections, devices, and software.
• Vulnerabilities.

Detection process (DE.DP):

The organization maintains and tests its detection processes and procedures to ensure it is aware of anomalous events.

• You’ve defined roles and responsibilities for detection.
• Detection activities comply with requirements.
• The organization has tested its detection processes.
• Event detection information is communicated to those who need to know.
• You continually improve the detection processes.

4. Respond:

Develop and implement responses to detected cybersecurity events.

Response planning (RS.RP):

The enterprise has developed processes and procedures for responding to cybersecurity incidents.

• You follow your response plan during or after an incident.

Communications (RS.CO):

You coordinate response activities with internal and external stakeholders, including law enforcement agencies.

• Employees know their roles and the order of operations when a response is needed.
• Incidents are reported according to your criteria.
• Your teams share information consistent with your response plans.
• You coordinate with stakeholders according to your response plans.
• You volunteer information on security incidents with external stakeholders for broader awareness.

Analysis: (RS.AN):

The organization analyzes its response to cybersecurity incidents to improve and support recovery activities.

• You investigate detection system notifications.
• Your teams understand each incident’s impacts.
• You perform forensic analysis.
• You categorize incidents consistent with your response plans.
• You have processes for receiving, analyzing, and responding to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins or security researchers).

Mitigation (RS.MI):

The organization works to prevent the expansion of events, mitigate events’ effects, and resolve incidents.

• Incidents are contained.
• Incidents are mitigated.
• You mitigate newly identified vulnerabilities or document them as accepted risks.

Improvements (RS.IM):

You work to improve the organization’s responses to security threats, events, and incidents by incorporating lessons learned from current and previous detection/response activities.

• Your response plans incorporate lessons learned.
• You update response strategies as needed.

5. Recover:

Develop and implement the appropriate actions to take upon detecting a cybersecurity event. Categories and sub-categories are:

Recovery planning (RC.RP):

You maintain recovery processes and procedures to restore systems or assets affected by cybersecurity incidents.

• You follow your recovery plan during or after each cybersecurity incident.

Improvements (RC.IM):

You improve recovery planning and processes by incorporating lessons learned into future activities.

• Recovery plans incorporate lessons learned.
• You continually update your recovery strategies.

Communications (RC.CO):

The organization coordinates its restoration activities with internal and external parties, including coordinating centers, internet service providers, owners of attacking systems, victims, other computer security incident response teams, and vendors.

• The organization manages public relations post-incident.
• The enterprise repairs its reputation after an incident.
• You notify internal and external stakeholders as well as executive and management teams about recovery activities.

NIST compliance can mean different things depending on the NIST framework in question.

NIST CSF

NIST CSF is a voluntary framework, so in the strict sense it isn’t required at all. That said, complying with NIST CSF can facilitate compliance with other security frameworks, including the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX). NIST CSF compliance, therefore, can save time and expense down the road.

NIST 800-53

Implementing the security controls needed to comply with NIST 800-53 brings an organization into compliance with the Federal Information Security Modernization Act (FISMA) and the Federal Information Processing Standard Publication 200 (FIPS 200). The NIST 800-53 framework covers 20 “control families,” including access control, incident response, business continuity, and disaster recovery (plus many more).

NIST 800-171

NIST 800-171 applies to defense contractors. Specifically, it guides defense contractors on how to secure and protect “controlled, unclassified information,” commonly abbreviated as CUI. Organizations that implement NIST 800-171 come into compliance with the Defense Federal Acquisition Regulation Supplement (DFARS), which is the standard necessary for eligibility to bid on Department of Defense contracts.

Steps to Becoming NIST 800-53 Compliant

Government agencies and their third-party contractors must comply with FISMA, the Federal Information Security Modernization Act (originally known as the Federal Information Security Management Act). Compliance with the NIST 800-53 standard helps them reach that goal. 

Toward that end, NIST has published a list of nine steps to achieve compliance.

1. Categorize data and information you need to protect.
2. Develop a baseline for the minimum number of controls required to protect that information.
3. Conduct risk assessments to refine your baseline controls.
4. Document your baseline controls in a written security plan.
5. Roll out security controls to your information systems.
6. Once the controls are implemented, monitor their performance.
7. Determine your risk based on your assessment of security controls.
8. Authorize your information system for processing.
9. Conduct continuous monitoring of your security controls.

Private-sector organizations that contract with the U.S. Defense Department may be required to comply with FISMA and NIST 800-171, since the latter helps you achieve compliance with DFARS, the federal contracting rule for defense contractors.

One important point here is that NIST 800-53 and NIST 800-171 both require an audit as part of compliance. (NIST CSF is designed only as guidance, and has no audit requirement.) 

Our NIST audit guide walks you through the process step-by-step so you’ll be prepared when the auditor walks through your door. But in general, you’ll need to complete these key steps to assure your organization’s compliance with NIST:

Step 1: Create a NIST Compliance Risk Management Assessment

NIST 800-53 outlines precise controls and provides supplemental guidance for creating a proper risk assessment. NIST 800-171, however, provides only a few sentences describing the risk assessment process. So even if you’re striving to comply with NIST 800-171, you’ll need to refer to NIST 800-53 during the risk assessment phase.

Step 2: Design and implement NIST-compliant access controls

The contracting agency may prescribe controls; your organizational risk assessment should support them. NIST 800-53 and NIST 800-171 guide how to design, implement, and operate needed controls.

Step 3: Monitor your controls

Monitor the controls you implement regularly to identify outlier transactions or deficiencies.

Step 4: Prepare for your third-party audit/assessment

Both NIST 800-53 and 800-171 require audit programs. Governance, risk, and compliance software can help with this step. RiskOptics, for instance, conducts unlimited self-audits with just a few clicks and stores all your audit documentation in one place. Consider it the “single source of truth” repository for easy access at audit time.

Step 5: Create a plan of action and milestones to measure your compliance success

RiskOptics can help with this, and with every aspect of NIST compliance management: assessing your risk and NIST compliance gaps, telling you what controls you need to implement, walking you step-by-step through the process all the way to the finish, and managing and organizing your audit documentation.

Doesn’t that sound much easier than juggling spreadsheets?

Step 6: Submit for your Authorization to Operate (ATO)

An authorization-to-operate (ATO) is necessary before you begin providing IT services or handling confidential data of your government agency customer. To secure the ATO, you’ll need to complete a NIST audit. Our NIST audit guide leads you step-by-step through the process of preparing for this audit.

Step 7: Repeat your risk assessment

Monitoring your risk factors will help you determine how often you should reassess your cybersecurity risk.

The NIST Cybersecurity Framework (officially titled Framework for Improving Critical Infrastructure Cybersecurity) was designed to aid critical infrastructure organizations in managing cybersecurity risk. The benefits of the NIST CSF, however, are available to any enterprise concerned about cybersecurity risk management. The U.S. Commerce Department recommends that every organization use the NIST CSF to identify and address its cybersecurity vulnerabilities.

Another NIST publication, NIST.IR.8170, Approaches for Federal Agencies to Use the Cyber Security Framework, lists eight approaches that organizations could take to integrate the CSF into their operations. Those approaches are:

1. Integrate enterprise and cybersecurity risk management by communicating with universally understood risk terms.
2. Manage cybersecurity requirements using a construct that enables integration and prioritization of requirements.
3. Integrate and align cybersecurity and acquisition processes by relaying cybersecurity requirements and priorities in common and concise language.
4. Evaluate organizational cybersecurity using a standardized and straightforward measurement scale and set of self-assessment criteria.
5. Manage the cybersecurity program by determining which cybersecurity outcomes necessitate common controls and apportioning work and responsibility for those cybersecurity outcomes.
6. Maintain a comprehensive understanding of cybersecurity risk using a standard organizing structure.
7. Report cybersecurity risks using a universal and understandable structure.
8. Inform the tailoring process using a comprehensive reconciliation of cybersecurity requirements.

NIST 800-53 lists six steps in the NIST Risk Management Framework for managing risk:

1. Categorize the information system.
2. Select the applicable security control baseline.
3. Implement the security controls and document the design, development, and implementation details for the controls.
4. Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements for the system.
5. Authorize information system operation based on determining risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable.
6. Monitor the security and controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the IT environment, and compliance with legislation, executive orders, directives, policies, regulations, and standards.

Federal agencies and organizations doing business with the federal government must verify that they comply with the appropriate NIST security controls.

To demonstrate compliance, you’ll need to pass a NIST security audit covering everything from risk assessment to incident response and recovery. Several resources are available to assist you with audit preparation, including our own NIST audit guide, Preparing for a NIST Audit: A Step-by-Step Guide. This guide contains a handy audit checklist using NIST SP 800-53.

Other resources are also available to help you prepare for your NIST cybersecurity audit:

• Baldrige Cybersecurity Excellence Builder: This self-assessment tool can help you assess the effectiveness of your cybersecurity risk management efforts and identify how you can improve.
• Cohesive Networks’ “Putting the NIST Cybersecurity Framework to Work”: This guide includes best practices for security audits, compliance, and communication.
• FINSECTECH’s Cybersecurity Framework as a Service: This user-friendly tool helps with management of cybersecurity frameworks.
• Information Systems Audit and Control Association’s: Implementing the NIST Cybersecurity Framework and Supplementary Toolkit
• Rivial Security’s Vendor Cybersecurity Tool: This is a guide to using the NIST CSF to assess vendor security.
• The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) Cyber Security Evaluation Tool (CSET) download, introductory CSET video, and walkthrough video of the Cybersecurity Framework approach within CSET.

Instead of using an assortment of tools and spreadsheets to manage your NIST compliance, you can also use our NIST cybersecurity audit checklist in tandem with RiskOptics, our all-in-one governance, risk, and compliance software-as-a-service.

The ROAR platform tracks and manages your NIST controls and compliance for you — including showing how NIST compliance improves your compliance with other necessary regulations and requirements, such as the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS).

In this day and age, data security and privacy should be high on every organization’s list, including yours. Passing a NIST audit assures your enterprise, customers, and clients that your systems, networks, and data are safe from intrusion.

NIST, FISMA, and FedRAMP (the Federal Risk and Authorization Management Program) are all crucial pieces of guidance for federal government contractors as you try to build effective cybersecurity programs. We will explore how all three work together to guide cybersecurity, but for now think of them as three digits on the same hand. NIST is the thumb needed to make the others useful.

FISMA

FISMA is the federal law that requires effective information protection and cybersecurity in U.S. government systems. 

Who must comply with FISMA:

• Federal agencies
• State agencies that deal with federal data
• Organizations that administer federal funds
• Private-sector companies that receive federal grant money, support federal programs, or contract with federal agencies

The primary framework for FISMA compliance is NIST 800-53; compliant organizations receive an Authority to Operate (ATO) from the agency with which they are under contract. Organizations doing business with more than one agency must obtain an ATO from each, which may perform the security assessment or have a third-party assessor (3PAO) do so.

FedRAMP

FedRAMP aims to support federal agencies’ use of cloud computing and services and ensure the security of cloud products and services. It is akin to a seal of approval for cloud service providers. Once a provider is FedRAMP-compliant, it enters a dedicated FedRAMP marketplace, and government agencies can then contract with that provider without performing their own laborious audits and security checks; FedRAMP compliance already did that work.

The Role of NIST

NIST frameworks provide the basis for compliance with both FISMA and FedRAMP. If your business wants to comply with either requirement, so that you can bid on government contracts, your first step is to implement the NIST framework. 

FedRAMP and FISMA are both based on NIST 800-53, as are a number of other information security frameworks, including the Health Insurance Portability and Accountability Act (HIPAA).

FedRAMP and FISMA certifications are demanding and complex. Nevertheless, working your way through NIST 800-53 can pave the way for lucrative government contracts, and also demonstrates to nonfederal customers and clients that your enterprise meets the “gold standard” for security.

RiskOptics can ease your way to compliance with NIST and FedRAMP for smooth sailing on the federal-contracts seas.

In addition to the NIST CSF, another standard for information security is the SOC 2, established by the American Institute of Certified Public Accountants (AICPA). 

You can review our Ultimate Guide to SOC 2 for an in-depth look at the SOC 2 framework; we’ll explore their major differences and similarities below.

NIST vs. SOC 2: What’s the best choice for your business

The NIST CSF and NIST 800-53 and 800-171 are all designed to improve cybersecurity for providers of U.S. critical infrastructure, such as the energy and financial sectors.

• NIST CSF provides a flexible framework that any organization can use for creating and maintaining an information security program. NIST 800-53 and NIST 800-171 provide security controls for implementing NIST CSF.
• NIST 800-53 aids federal agencies and entities doing business with them to comply as required with FISMA. Containing over 900 requirements, NIST 800-53 is the most granular cybersecurity framework available.
• NIST 800-171 contains information security guidelines for the U.S. Department of Defense (DoD) and their contractors to help them comply with the Defense Federal Acquisition Regulation Supplement (DFARS). All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must comply with DFARS, and hence NIST 800-171.

SOC 2, on the other hand, is designed specifically for auditors to use when assessing the data security and privacy controls of service providers such as cloud hosting services and payment processors. It’s not to be confused with SOC 1, a financial auditing framework that implements the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE-18).

NIST vs. SOC 2: How they work

NIST CSF has five core principles:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

SOC 2 addresses five trust services categories:

1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

NIST vs. SOC 2: Who uses them

NIST is written for cybersecurity professionals to use for designing and implementing a cybersecurity program.

SOC is intended for auditors to use to evaluate a service provider’s security and privacy controls.

NIST vs. SOC 2: How they intersect

Organizations can use NIST 800-53 to implement controls that will enable them to meet SOC 2 requirements.

Using NIST with other frameworks

The NIST CSF‘s core can also help organizations comply with a number of other security and privacy frameworks including the International Organization for Standardization’s ISO 27001 and the Health Insurance Portability and Accountability Act (HIPAA).

NIST compliance is voluntary for most, but required for federal government agencies and for organizations doing certain types of business with those agencies. Compliance with SOC 2 is voluntary, but may be required by entities wishing to contract with a service provider.

The NIST standards for CSF and special publications and the ISO 27000 series of information security management standards can help organizations improve their cybersecurity risk management.

That said, the intended audiences and uses of NIST and ISO differ in key respects. Here’s the breakdown:

NIST vs. ISO: Purpose

The NIST Cybersecurity Framework is a U.S.-based framework intended for use with federal information systems. It was developed to help federal agencies and U.S. critical infrastructure organizations secure their systems, networks, and data.

ISO is international. Its 27000 series of international standards were developed to help private companies develop and maintain information security management systems.

NIST vs. ISO: Users

Federal government agencies and organizations doing business with them are the primary users of NIST. The U.S. government requires all federal agencies to comply with FISMA, and NIST CSF can help with that compliance.

Private companies outside the United States, as well as multinational and international companies, are the main users of the ISO 27000 series, especially ISO/IEC 27001 and ISO/IEC 27002.

NIST vs. ISO: Assistive tools

NIST has a set of security controls, NIST SP 800-53, that helps with NIST CSF compliance.

ISO 27002 is a security control framework that helps with ISO 27001 compliance.

So ISO 27002 is the ISO equivalent of NIST 800-53.

Various NIST documents align with ISO to some extent: NIST CSF, NIST 800-30, NIST 800-37, NIST 800-53, NIST 800-53a.

NIST vs. ISO: Technical Level

NIST 800-53 provides information security controls in a variety of groups to help agencies and their contracting organizations with best practices in implementing and maintaining information systems.

ISO 27002 is less technical than NIST 800-53 and is more risk-focused for organizations of every size and type.

NIST vs. ISO: Structure

NIST 800-53 has 20 control families and hundreds of controls.

ISO 27001 has 14 control categories and 114 controls.

NIST vs. ISO: Certification

NIST has no official certification program; entities instead must self-certify.

ISO 27001 certification is available from American Institute of Certified Public Accountants-approved auditors.

NIST publishes standards, guidelines, recommendations, and research on data and information systems security and privacy.

Intended primarily for federal agencies and their third-party service providers, vendors, and contractors, NIST publications can be useful for any organization establishing or maintaining a cybersecurity system.

For example, compliance with NIST 800-53 is essential for organizations striving to meet FISMA requirements.

NIST provides a complete compendium of all its publications on the nist.gov website. Overall, the NIST technical publication series comprises the following:

• Federal Information Processing Standards (FIPS): Security standards.
• NIST Special Publications: NIST Guidelines, recommendations, and reference materials.
• NIST Internal or Interagency Reports: Reports of research findings, including background information for FIPS and SPs.
• NIST Information Technology Laboratory (ITL) Bulletins: Monthly overviews of NIST’s security and privacy publications, programs, and projects.

NIST has hundreds of special publications. They fall into three categories:

1. SP 800 series: Computer security
2. SP 1800 series: Cybersecurity practice guides
3. SP 500 series: Information technology (relevant documents)

NIST 800-series special publications include guidelines for establishing and maintaining information security programs, security controls, risk management guidance, technical information, and more. We’ve listed all the current NIST 800-series publications (except annual reports), starting with the most recent.

Final NIST 800 publications

• NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
• NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
• NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
• NIST SP 800-52 Rev. 2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST SP 800-204 Security Strategies for Microservices-based Application Systems
• NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations
• NIST SP 800-205 Attribute Considerations for Access Control Systems
• NIST SP 800-57 Part 2 Rev. 1 Recommendation for Key Management: Part 2—Best Practices for Key Management Organizations
• NIST SP 800-163 Rev. 1 Vetting the Security of Mobile Applications
• NIST SP 800-56B Rev. 2 Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
• NIST SP 800-131A Rev. 2 Transitioning the Use of Cryptographic Algorithms and Key Lengths
• NIST SP 800-177 Rev. 1 Trustworthy Email
• NIST SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-116 Rev. 1 Guidelines for the Use of PIV Credentials in Facility Access
• NIST SP 800-125A Rev. 1 Security Recommendations for Server-based Hypervisor Platforms
• NIST SP 800-202 Quick Start Guide for Populating Mobile Test Devices 
• NIST SP 800-193 Platform Firmware Resiliency Guidelines
• NIST SP 800-87 Rev. 2 Codes for Identification of Federal and Federally-Assisted Organizations
• NIST SP 800-56A Rev. 3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
• NIST SP 800-70 Rev. 4 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST SP 800-126 Rev. 3 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3
• NIST SP 800-126A SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3
• NIST SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation
• NIST SP 800-187 Guide to LTE Security
• NIST SP 800-63A Digital Identity Guidelines: Enrollment and Identity Proofing
• NIST SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management
• NIST SP 800-63C Digital Identity Guidelines: Federation and Assertions
• NIST 800-63-3 Digital Identity Guidelines
• NIST SP 800-67 Rev. 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
• NIST SP 800-190 Application Container Security Guide
• NIST SP 800-192 Verification and Test Methods for Access Control Policies/Models
• NIST SP 800-12 Rev. 1 An Introduction to Information Security
• NIST SP 800-121 Rev. 2 Guide to Bluetooth Security
• NIST SP 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
• NIST SP 800-184 Guide for Cybersecurity Event Recovery
• NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
• NIST SP 800-150 Guide to Cyber Threat Information Sharing
• NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
• NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
• NIST SP 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security
• NIST SP 800-183 Networks of ‘Things’
• NIST SP 800-166 Derived PIV Application and Data Model Test Guidelines
• NIST SP 800-156 Representation of PIV Chain-of-Trust for Import and Export
• NIST SP 800-85A-4 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
• NIST SP 800-38G Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
• NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
• NIST SP 800-73-4 Interfaces for Personal Identity Verification
• NIST SP 800-152 A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
• NIST SP 800-167 Guide to Application Whitelisting
• NIST SP 800-79-2 Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
• NIST SP 800-90A Rev. 1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
• NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security
• NIST SP 800-78-4 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
• NIST SP 800-57 Part 3 Rev. 1 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
• NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials
• NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
• NIST SP 800-168 Approximate Matching: Definition and Terminology
• NIST SP 800-101 Rev. 1 Guidelines on Mobile Device Forensics
• NIST SP 800-81-2 Secure Domain Name System (DNS) Deployment Guide
• NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems
• NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
• NIST SP 800-76-2 Biometric Specifications for Personal Identity Verification
• NIST SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
• NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
• NIST SP 800-107 Rev. 1 Recommendation for Applications Using Approved Hash Algorithms
• NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide
• NIST SP 800-146 Cloud Computing Synopsis and Recommendations
• NIST SP 800-126 Rev. 2 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
• NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)
• NIST SP 800-135 Rev. 1 Recommendation for Existing Application-Specific Key Derivation Functions
• NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-145 The NIST Definition of Cloud Computing
• NIST SP 800-147 BIOS Protection Guidelines
• NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-51 Rev. 1 Guide to Using Vulnerability Naming Schemes
• NIST SP 800-126 Rev. 1 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
• NIST SP 800-125 Guide to Security for Full Virtualization Technologies
• NIST SP 800-119 Guidelines for the Secure Deployment of IPv6
• NIST SP 800-132 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
• NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
• NIST SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
• NIST SP 800-142 Practical Combinatorial Testing
• NIST SP 800-22 Rev. 1a A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
• NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• NIST SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
• NIST SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
• NIST SP 800-102 Recommendation for Digital Signature Timeliness
• NIST SP 800-66 Rev. 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP 800-60 Vol. 1 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories
• NIST SP 800-60 Vol. 2 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
• NIST SP 800-123 Guide to General Server Security
• NIST SP 800-55 Rev. 1 Performance Measurement Guide for Information Security
• NIST SP 800-113 Guide to SSL VPNs
• NIST SP 800-28 Version 2 Guidelines on Active Content and Mobile Code
• NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
• NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
• NIST SP 800-44 Version 2 Guidelines on Securing Public Web Servers
• NIST SP 800-95 Guide to Secure Web Services
• NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
• NIST SP 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems
• NIST SP 800-100 Information Security Handbook: A Guide for Managers
• NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)
• NIST SP 800-45 Version 2 Guidelines on Electronic Mail Security
• NIST SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
• NIST SP 800-96 PIV Card to Reader Interoperability Guidelines
• NIST SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
• NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
• NIST SP 800-92 Guide to Computer Security Log Management
• NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
• NIST SP 800-85B PIV Data Model Test Guidelines
• NIST SP 800-18 Rev. 1 Guide for Developing Security Plans for Federal Information Systems
• NIST SP 800-58 Security Considerations for Voice Over IP Systems
• NIST SP 800-72 Guidelines on PDA Forensics
• NIST SP 800-35 Guide to Information Technology Security Services
• NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
• NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
• NIST SP 800-49 Federal S/MIME V3 Client Profile
• NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques
• NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model

Draft NIST 800 special publications

• NIST SP 800-38G Rev. 1 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
• NIST SP 800-71 Recommendation for Key Establishment Using Symmetric Block Ciphers
• NIST SP 800-188 De-Identifying Government Datasets (3rd Draft)
• NIST SP 800-90C Recommendation for Random Bit Generator (RBG) Constructions
• NIST SP 800-154 Guide to Data-Centric System Threat Modeling
• NIST SP 800-180 NIST Definition of Microservices, Application Containers and System Virtual Machines
• NIST SP 800-155 BIOS Integrity Measurement Guidelines

The starting point for effective cybersecurity and privacy risk management is the development of a security plan. Once that plan is written, you’ll need to keep it up to date to protect the organization’s data and systems from new forms of threat, such as new malware.

Writing a security plan (or updating an existing one) can be complicated. Fortunately a number of tips and tools are available, including NIST evaluation tools, language technology tools, corpus-building tools, and planning tools. All can help your organization to meet its security risk management requirements, from planning to implementation to continuous monitoring and beyond.

If you decide that automating NIST compliance is the best solution, tools are available in the form of governance, risk, and compliance (GRC) software that can evaluate NIST compliance, identify compliance gaps, and help you fill them.

Your NIST Ransomware Recovery Checklist

As described earlier, we are seeing a sharp increase in ransomware attacks in the United States and worldwide. To address this trend, NIST has developed a ransomware recovery checklist that includes recommended steps for a fast recovery:

• Have a ransomware attack incident recovery plan ready before you need it. Practice the plan regularly and assure that everyone in your organization knows what to do should you get hit by ransomware.
• Assure that you have a working data backup and recovery plan in place, including a plan that secures access to data if the central computer is compromised.
• Have a list of contacts at the Federal Bureau of Investigation and other law enforcement agencies ready at all times.
• Understand any mandatory reporting and disclosure rules that may apply to your business.

For more detailed information, check out NIST’s Tips and Tactics on How to Deal With Ransomware Attacks.

Your NIST security plan toolbox

One of the first documents any organization serious about NIST should download and read is NIST Risk Management—Select Step—Tips and Techniques for Systems. This handy NIST guide walks you through the process of writing a NIST security plan step-by-step. Plus, it’s free.

NIST has also created a list of planning guides that can help you create, evaluate, and improve your business’s cybersecurity plan:

• Cybersecurity Resources Roadmap: This Department of Homeland Security document can help small and medium-sized businesses select the most useful cybersecurity resources based on their needs.
• Cyber Insurance: From the Federal Trade Commission (FTC), this site offers tips on choosing a cyber insurance policy.
• FCC Cyber Planner: The Federal Communication Commission’s (FCC) Small Biz Cyber Planner 2.0 is available online and helps small businesses create a customized security plan.
• Understanding the NIST Cybersecurity Framework: This overview of the popular information security framework provides guidance for how to use it in your business, from the FTC.
• Cybersecurity Risk Management: This is the FCC Communications Security, Reliability and Interoperability Council’s report on cybersecurity risk management and best practices.

Manufacturing sector guides

The manufacturing sector has its own set of cybersecurity challenges. In recognition of these special needs, NIST has published a list of security planning guidelines, especially for small manufacturers:

• Cybersecurity Framework Steps for Small Manufacturers helps small manufacturers understand the NIST Cybersecurity Framework and how they can use it to manage their cyber risks.
• NIST Manufacturing Profile—NISTIR 8183 provides cybersecurity framework details for manufacturing, including a guide for reducing cybersecurity risk in accordance with manufacturing sector goals and industry best practices.
• Manufacturers Guide to Cybersecurity for Small and Medium-Sized Manufacturers outlines common cybersecurity practices for small and medium-sized manufacturers.

NIST also has compiled a list of software packages to help organizations evaluate the various aspects of their cybersecurity program.

There are several ways to manage and monitor NIST compliance. Most of them are arduous. Automation  is not.

For example, you may choose to read the NIST CSF and use spreadsheets to write your NIST compliance plan of action and milestones, chart your risk management compliance, identify and fill information security gaps, and keep tabs on the assessment and monitoring of your third-party contractors’ and suppliers’ information systems and NIST compliance. With this option, you’ll be juggling many documents and toggling many screens.

You can do the same to implement NIST 800-53 or 800-171. Again, spreadsheets are a possibility — but a laborious, time-consuming, error-prone one. 

The best solution is to automate compliance mapping, management, and monitoring and let today’s most advanced governance, risk, and compliance (GRC) software do much of the work for you.

RiskOptics does everything you and your team can do for NIST compliance, but faster and more thoroughly. From the moment you log in to our software-as-a-service (SaaS) ROAR platform, RiskOptics performs the time-consuming drudge work so you don’t have to, including:

• Conducting a risk assessment of your information systems and those of your third-party vendors to see where you comply and where you fall short and enhance your asset management.
• Creating a plan of action and milestones for systems security and displaying it on user-friendly dashboards so you can see in real-time what needs to be done and who needs to do it.
• Mapping all compliance efforts and frameworks to avoid duplication so you can use your time and money more wisely.
• Providing continuous monitoring of your systems and flagging you when changes occur that could threaten your NIST compliance.
• Updating itself when NIST changes.
• Conducting automated, unlimited self-audits and organizing your documents in a “single source of truth” repository for easy retrieval at audit time.

No more hunting for documentation; no more searching emails or toggling screens: RiskOptic’s centralized, at-a-glance dashboards and simplified self-assessments can make aligning to NIST worry-free.

Then, you and your team can focus on keeping your data, systems, and networks secure and operational and your clients and customers happy.

Contact us now for a free RiskOptics demo.