Complete Guide to NIST: Cybersecurity Framework, 800-53, 800-171

The National Institute of Standards and Technology developed its cybersecurity framework, aka The Framework for Improving Critical Infrastructure Cybersecurity, to strengthen the security of United States critical infrastructure. NIST’s goal was to establish a common set of standards, goals, and language to increase information security and better remediation of the fallout after a cyberattack. A common language leads to better decision making and helps to shape a similar methodology across industries, something that’s very desirable when it comes to eradication of cyberattacks like phishing schemes and ransomware.

Released in 2014 under an executive order from President Barack Obama and updated in 2018, NIST CSF has become an invaluable risk management resource for private sector enterprises and public agencies. A 2017 executive order requires compliance with NIST CSF for federal government agencies and for entities in their supply chain.

NIST CSF comprises three components: framework core components, implementation tiers, and profiles. The core components are divided into five areas of cybersecurity:

• Identify
• Protect
• Detect
• Respond
• Recover

Each of these areas include lower-level activities for mitigating cybersecurity risk, and are further divided into categories and subcategories, which include descriptions of leading information security practices and incident response plans, as well as methods by which to best obtain successful ransomware recovery.

Special publications take a deeper dive into specific areas

In addition to the CSF, NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management: identity access control, managing protective technology, responding to a cybersecurity event or incident, and much more.

Among the most widely used of the NIST publications is NIST 800-53, a set of controls intended to help organizations meet the requirements of the Federal Information Security Modernization Act (FISMA), which is mandatory for federal agencies and organizations that are part of their supply chain such as defense contractors.

Considered the cybersecurity gold standard among federal agencies, NIST 800-53 also governs compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), to which compliance is mandatory for government-affiliated entities.

NIST Special Publication 800-30, a Guide to Conducting Risk Assessments, aides with cyber risk management, including controls and control baselines.

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, helps systems and organizations that are not a part of the federal government protect their sensitive information. Compliance is required for entities doing business with the U.S. Department of Defense (DoD).

NIST published an update to the CSF in 2018. New to version 1.1 is guidance on self-assessments, supply chain risk management, interacting with supply-chain stakeholders, and developing a process for disclosing vulnerabilities.

NIST CSF is useful for all private enterprises wanting to improve their cybersecurity. But it was initially developed in the interest of protecting the country’s “critical infrastructure,” defined as the assets, systems, and functions deemed vital to the United States. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, defines 16 critical infrastructure sectors:

• Chemical
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense industrial base
• Emergency services
• Energy (including utilities)
• Financial services
• Food and agriculture
• Government facilities
• Health care companies and public health
• Information technology
• Nuclear reactors, materials, and waste
• Transportation systems
• Water and wastewater systems

Today, the framework is promoted as a valuable tool for businesses assessing risk and tightening security.

However, NIST CSF is also gaining popularity among nongovernment public entities including universities and research organizations, as is the more-detailed NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), compliance with which is required for DoD contractors, is based in part on NIST 800-171.

NIST defines the CSF’s core as a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors:

“The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”

The CSF comprises these components:

• Implementation tiers: the degree to which your organization has implemented the NIST controls:
  • Tier 1—Partial
  • Tier 2—Risk-informed
  • Tier 3—Repeatable
  • Tier 4—Adaptive
• Framework core:
  • Functions: identify, protect, detect, respond, recover
  • Categories
  • Subcategories
  • Informative references
• Framework profiles: Your organization’s unique alignment of its security requirements and objectives, risk appetite and resources, measured against the desired outcomes cited in the framework core

The NIST Cybersecurity Framework (NIST CSF), Framework for Improving Critical Infrastructure Cybersecurity, consists of three main components: implementation tiers, framework core, and framework profile.

The framework core at the heart of the document lists five cybersecurity functions. Each function comprises categories, 23 in all, which in turn include 108 subcategories listing requirements and controls to be met as well as “informative references” providing a list of additional frameworks and other resources to consult for more information.

Keep in mind, however, that the NIST CSF is not intended as a one-size-fits-all framework. Each organization may decide which functions, categories, and subcategories it will comply with.
The functions, with their categories and subcategories, are:

1. Identify:

   Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

   • Asset management (ID.AM):

     • Your enterprise has identified the data, personnel, devices, systems, and facilities essential to its critical business services,
     • Your enterprise has prioritized those assets according to their importance and to the organization’s risk strategy, and
     • Your enterprise manages its assets according to their priority. This means that your organization has achieved these goals:
       • Taken inventory of all physical devices and systems;
       • Taken inventory of all software platforms and applications;
       • Mapped its communication and data flows;
       • Catalogued its external information systems;
       • Prioritized its resources (hardware, devices, data, time, personnel, and software) according to their classification, level of importance (criticality), and business value; and
       • Established cybersecurity roles and responsibilities enterprise-wide and for third-party stakeholders (suppliers, customers, partners).

   • Business environment (ID.BE):

     • Your teams understand the organization’s mission, objectives, stakeholders and activities as prioritized, and
     • Your teams use this information to inform cybersecurity roles, responsibilities, and risk management decisions. This means that they have
       • Identified and communicated your organization’s role in the supply chain;
       • Identified and communicated your organization’s place in critical infrastructure and its industry sector;
       • Established and communicated its priorities for mission, business objectives and activities;
       • Mapped its dependencies and critical functions for the delivery of critical services; and
       • Established resilience requirements to support the delivery of critical services during normal operations as well as during an attack or under duress and during recovery.

   • Governance (ID.GV):

     Cybersecurity risk managers and the board know, understand, and use your enterprise security policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.

     • You’ve established and communicated the cybersecurity policy.
     • Your organization has coordinated and aligned cybersecurity roles and responsibilities with internal roles and external partners.
     • Managers understand and are overseeing compliance with legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
     • Your governance and risk management processes address cybersecurity risks.

   • Risk assessment (ID.RA):

     Your organization understands the cybersecurity risk to its operations (including mission, functions, image or reputation), assets, and people.

     • You’ve identified and documented the vulnerabilities to your assets;
     • You’ve arranged to get cyber threat intelligence from information sharing forums and sources;
     • You’ve identified and documented the threat environment, which is the threats your enterprise faces from internal and external sources;
     • You’ve identified potential business impacts of risks and threats, as well as the likelihood of their occurring;
     • You’ve used threats, vulnerabilities, likelihoods, and impacts to determine overall risk; and
     • You’ve identified and prioritized risk responses.

   • Risk management strategy (ID.RM):

     Your organization has established its priorities, constraints, risk tolerances, and assumptions, and uses them to support operational risk decisions.

     • You’ve established and actively manage a risk management processes, with stakeholders’ agreement.
     • You’ve determined and clearly expressed your organization’s risk tolerance.
     • In determining risk tolerance, you’ve considered your enterprise’s role in critical infrastructure, and have considered risk analyses of your sector.

   • Supply chain risk management (ID.SC):

     Your enterprise has set priorities, constraints, risk tolerances, and assumptions, and has defined processes to identify, assess, and manage supply chain risks.

     • You’ve identified, established, and assessed supply chain risk management processes and manage these with stakeholder agreement.
     • You’ve identified, prioritized, and assessed the suppliers and third-party partners of your information systems, components, and services using a cyber-supply-chain risk assessment process.
     • You use contracts with suppliers and third-party partners to help meet the objectives of your cybersecurity program and cyber-supply-chain risk management plan.
     • You routinely assess your suppliers and third-party partners using audits, test results, or other evaluations to confirm that they are meeting their contractual obligations.
     • You plan and test response and recovery procedures with suppliers and third-party providers.

2. Protect:

   Ensure that critical infrastructure services remain available.

   • Identity management, authentication, and access control (PR.AC):

     Only authorized users, processes, and devices can gain access to your physical and logical assets and associated facilities. How you manage this access depends on the risks associated with unauthorized access.

     • Issue, manage, verify, revoke and audit identities and credentials for authorized devices, users and processes;
     • Manage and protect physical access to assets;
     • Manage remote access;
     • Manage user accounts’ access permissions and administrative privileges using the principles of least privilege needed to do one’s job, and separation of duties;
       Protect network integrity using such means as network segregation and network segmentation, as well as updated antivirus software and secure data backup;
     • Proof and bind identities to credentials, and have them asserted in interactions; and
     • Authenticate users, devices, and other assets commensurate with the risk of each transaction.

   • Awareness and training (PR.AT):

     Your organization’s personnel and partners receive cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with policies, procedures, and agreements.

     • All users are informed and trained.
     • Privileged users understand their roles and responsibilities.
     • Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
     • Senior executives understand their roles and responsibilities.
     • Physical and cybersecurity personnel understand their roles and responsibilities.

   • Data security (PR.DS):

     Your organization manages data in concert with its data risk strategy to protect the confidentiality, integrity, and availability of information.

     • Your data at rest is protected.
     • Your data is protected while in transit.
     • You manage your assets as they are being transferred, removed, and disposed of.
     • You maintain adequate storage capacity to ensure that your data is always available.
     • You have protection against data leaks and established plans for recovery efforts.
     • You verify software, firmware, and information integrity.
     • Your development and testing environment(s) are separate from the production environment.

   • Information protection processes and procedures: (PR.IP):

     Your enterprise uses security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, processes, and procedures to manage the protection of information systems and assets.

     • You have a baseline configuration of information technology/industrial control systems incorporating security principles (the “concept of least functionality”).
     • You have a systems development lifecycle for managing your systems.
     • You have processes for configuration change control.
     • You conduct, maintain, and test information backups.
     • Your physical operating environment for organizational assets meets policies and regulations.
     • You destroy data according to your policies.
     • You have improved your data protection processes.
     • You share the effectiveness of protection technologies.
     • You have response and recovery plans, and you manage them.
     • You regularly test your response and recovery plans.
     • Your human resources practices include cybersecurity measures such as deprovisioning and personnel screening.
     • You have a vulnerability management plan.

   • Maintenance (PR.MA):

     Your organization maintains and repairs its industrial control and information system components according to policies and procedures.

     • You maintain and repair organizational assets, and log those activities, with approved and controlled tools.
     • Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

   • Protective technology (PR.PT):

     You manage technical security solutions to ensure your systems and assets are secure and resilient, consistent with organizational policies, procedures, and agreements.

     • You document and review your audit/log records according to policy.
     • You protect removable media and restrict its use according to policy.
     • You configure systems to provide each user with only what they need (“principle of least functionality”).
     • Your communications and control networks are protected.
     • You use mechanisms such as fail-safe, load balancing, and hot swap for greater resilience.

3. Detect:

   Develop and implement activities to identify cybersecurity events. Categories and subcategories are:

   • Anomalies and events (DE.AE):

     Your organization knows when anomalous activity occurs on your systems.

     • You maintain and manage a baseline of network operations and expected data flows for users and systems.
     • Your organization analyzes detected events to understand attack targets and methods.
     • Your systems collect and correlate event data from multiple sources and sensors.
     • You know the impacts of cybersecurity events.
     • You’ve established incident alert thresholds.

   • Security continuous monitoring (DE.CM):

     Your organization continuously monitors its information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. Monitoring includes these areas:

     • The enterprise network
     • The physical environment
     • External service providers’ activity
     • Employee activity

   Monitoring should check for anomalies, including:

   • Malicious code
   • Unauthorized mobile code
   • Unauthorized users, connections, devices, and software
   • Vulnerabilities

   Detection process (DE.DP):

   Your organization maintains and tests its detection processes and procedures to ensure that it is aware of anomalous events.

   • You’ve defined roles and responsibilities for detection.
   • Your detection activities comply with requirements.
   • Your organization has tested its detection processes.
   • Event detection information gets communicated to those who need to know.
   • You continually improve your detection processes.

4. Respond:

   Develop and implement responses to detected cybersecurity events.

   • Response planning (RS.RP):

     Your enterprise has developed processes and procedures for responding to cybersecurity incidents.

     • You follow your response plan during or after an incident.

   • Communications (RS.CO):

     You coordinate response activities with internal and external stakeholders, including law enforcement agencies.

     • Employees know their roles and the order of operations when a response is needed.
     • Incidents are reported according to your criteria.
     • Your teams share information consistent with your response plans.
     • You coordinate with stakeholders according to your response plans.
     • You volunteer information on security incidents with external stakeholders, for broader awareness.

   • Analysis: (RS.AN):

     Your organization analyzes its response to cybersecurity incidents to improve and support recovery activities.

     • You investigate detection system notifications.
     • Your teams understand each incident’s impacts.
     • You perform forensic analyses.
     • You categorize incidents consistent with your response plans.
     • You have processes for receiving, analyzing, and responding to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins or security researchers).

   • Mitigation (RS.MI):

     Your organization works to prevent the expansion of events, mitigate events’ effects and resolve incidents.

     • Incidents are contained.
     • Incidents are mitigated.
     • You mitigate newly identified vulnerabilities or document them as accepted risks.

   • Improvements (RS.IM):

     You work to improve your organization’s responses to security threats, events, and incidents by incorporating lessons learned from current and previous detection/response activities.

     • Your response plans incorporate lessons learned.
     • You update response strategies as needed.

5. Recover:

   Develop and implement the appropriate actions to take upon detecting a cybersecurity event.

   • Recovery planning (RC.RP):

     You maintain recovery processes and procedures to restore systems or assets affected by cybersecurity incidents.

     • You follow your recovery plan during or after each cybersecurity incident.

   • Improvements (RC.IM):

     You improve your recovery planning and processes by incorporating lessons learned into future activities.

     • Your recovery plans incorporate lessons learned.
     • You continually update your recovery strategies.

   • Communications (RC.CO):

     Your organization coordinates its restoration activities with internal and external parties including coordinating centers, internet service providers, owners of attacking systems, victims, other computer security incident response teams, and vendors.

     • Your organization manages public relations post-incident.
     • Your enterprise repairs its reputation after an incident.
     • You notify internal and external stakeholders as well as executive and management teams about your recovery activities.

NIST compliance means something different depending on the NIST publication.

NIST CSF

Compliance with NIST CSF can ease the way to compliance with other security frameworks including the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX). NIST CSF compliance, therefore, can mean saving time and expense down the road.

Many organizations choose to use NIST CSF, an information security framework, to assure themselves as well as their clients that their systems, network, and data are as safe as can be from a cybersecurity intrusion.

NIST 800-53

Implementing the security controls needed to comply with NIST 800-53 brings entities in line with the Federal Information Security Modernization Act (FISMA) and with the Federal Information Processing Standard Publication 200 (FIPS 200),. The NIST 800-53 security rules cover 18 areas, including access control, incident response, business continuity and disaster recovery.

For entities that are not federal agencies and are not affiliated with the federal government, compliance with any NIST framework or publication is voluntary.

NIST also can be used as a framework for conducting risk assessments. Of course, NIST has a special publication for that: NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.

NIST 800-171

Organizations doing business with the U.S. Department of Defense (DoD) must comply with another set of NIST requirements: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems.

NIST SP 800-171 is for nonfederal information systems and organizations that are DoD contractors and process, store, or transmit Controlled Unclassified Information (CUI).

These entities must meet the minimum security standards established by the Defense Federal Acquisition Regulation Supplement (DFARS), or lose their contracts. DFARS is based on NIST SP 800-171. So, compliance with NIST 800-171 is a must for these entities.

Steps to Becoming NIST 800-53 Compliant

Government agencies and their third-party contractors must comply with the Federal Information Security Management Act of 2002 (FISMA)–now the Federal Information Security Modernization Act–which NIST 800-53, Security and Privacy Controls for Federal Information Systems, helps them to do.

Toward that end, NIST has published a list of nine steps toward achieving compliance with FISMA:

1. Categorize data and information you need to protect.
2. Develop a baseline for the minimum controls required to protect that information.
3. Conduct risk assessments to refine your baseline controls.
4. Document your baseline controls in a written security plan.
5. Roll out security controls to your information systems.
6. Once you’ve implemented the controls, monitor their performance.
7. Determine your risk based on your assessment of security controls.
8. Authorize your information system for processing.
9. Conduct continuous monitoring of your security controls.

Non-government entities that contract with the U.S. Department of Defense may be required to comply not only with FISMA, but also with NIST 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems.

NIST compliance, in other words, can be pretty confusing. Although NIST CSF is written in clear, easy-to-understand language, it’s only one of many NIST publications. And NIST CSF isn’t auditable, but was designed only for guidance.

To verify that you’re NIST-compliant (with either NIST 800-53, NIST 800-171, or both), you will need a NIST audit. Our NIST audit guide walks you through the process step-by-step so that you’ll be prepared when the auditor walks through your door.

But in general, you’ll need to complete these steps to ensure your entity’s compliance with NIST:

Step 1: Create a NIST Compliance Risk Management Assessment.

NIST 800-53 outlines precise controls and provides supplemental guidance for creating a proper risk assessment. NIST 800-171, however, provides but a few sentences describing the risk assessment process. So, even if you’re striving to comply with NIST 800-171, you’ll need to refer to NIST 800-53.

Step 2: Design and implement NIST-compliant access controls.

The contracting agency may prescribe controls; your organizational risk assessment should support them. NIST 800-53 and NIST 800-171 provide guidance on how to design, implement and operate needed controls.

Step 3: Monitor your controls.

Step 4: Prepare for your third-party audit/assessment.

Both NIST 800-53 and 800-171 require audit programs. Governance, risk and compliance software can help with this step. ZenGRC, for instance, conducts unlimited self-audits with just a few clicks and stores all your audit documentation in one place. Consider it the “Single Source of Truth” repository, for easy access at audit time.

Step 5: Create a plan of action and milestones to measure your compliance success.

ZenGRC can help with this, and with every aspect of NIST compliance management: assessing your risk and NIST compliance gaps, telling you what controls you need to implement, walking you step-by-step through the process all the way to the finish, and managing and organizing your audit documentation.

Doesn’t that sound much easier than juggling spreadsheets?

Step 6: Submit for your Authorization to Operate (ATO).

To attain your NIST ATO, you’ll need to complete a NIST audit. Our NIST audit guide leads you step-by-step through the process of preparing for this audit.

Step 7: Repeat your risk assessment.

Monitoring your risk factors will help you determine how often you should reassess your cybersecurity risk.

The NIST Cybersecurity Framework, officially titled Framework for Improving Critical Infrastructure Cybersecurity, was designed to aid critical infrastructure organizations in managing cybersecurity risk. But the benefits of NIST are available to any enterprise concerned about cybersecurity risk management.

The U.S. Secretary of Commerce suggests that every organization should use the NIST CSF to identify and address its cybersecurity vulnerabilities.

“The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs,” Secretary of Commerce Wilbur Ross has stated on the NIST website.

In addition to the framework, NIST has developed more than 100 publications to help with cybersecurity.

Most widely used are NIST CSF, NIST SP 800-53 and NIST SP 800-171.

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations provides the controls needed to implement the NIST CSF.

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is required for every organization contracting with the U.S. Department of Defense (DoD).

These publications can help your enterprise to determine risk and plan and achieve important protection measures at and beyond the minimum controls needed to safeguard access to systems and data.

Another NIST publication, NIST.IR.8170, Approaches for Federal Agencies to Use the Cyber Security Framework, lists eight approaches for using the NIST CSF, stating that federal agencies and the private sector may all benefit. These approaches also help with FISMA compliance, according to the document, They are:

1. Integrate enterprise and cybersecurity risk management by communicating with universally understood risk terms.
2. Manage cybersecurity requirements using a construct that enables integration and prioritization of requirements.
3. Integrate and align cybersecurity and acquisition processes by relaying cybersecurity requirements and priorities in common and concise language.
4. Evaluate organizational cybersecurity using a standardized and straightforward measurement scale and set of self-assessment criteria.
5. Manage the cybersecurity program by determining which cybersecurity outcomes necessitate common controls and apportioning work and responsibility for those cybersecurity outcomes.
6. Maintain a comprehensive understanding of cybersecurity risk using a standard organizing structure.
7. Report cybersecurity risks using a universal and understandable structure.
8. Inform the tailoring process using a comprehensive reconciliation of cybersecurity requirements.

NIST 800-53 lists six steps in the NIST Risk Management Framework for managing risk:

1. Categorize the information system.
2. Select the applicable security control baseline.
3. Implement the security controls and document the design, development, and implementation details for the controls.
4. Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable.
6. Monitor the security and controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, executive orders, directives, policies, regulations, and standards.

Federal agencies and entities doing business with the federal government must verify that they are in compliance with the appropriate NIST security controls.

For instance, all organizations contracting with the U.S. Department of Defense are required to comply with the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which is based in part on NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Compliance with the NIST Cybersecurity Framework (NIST CSF) is completely voluntary for nonfederal information systems. A thorough compendium of information security rules and guidelines, NIST CSF is a flexible risk management framework adaptable and usable by any enterprise wishing to create or improve its security program.

To demonstrate compliance, you’ll need to pass a NIST security audit, which covers everything from risk assessment to incident response and recovery. A number of resources are available to assist you with your audit preparation, including our own NIST audit guide, Preparing for a NIST Audit: A Step-by-Step Guide. This guide contains a handy NIST audit checklist using NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, which provides NIST audit controls for implementing the CSF.

NIST 800-53 governs compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), which is mandatory for all government-affiliated entities.

Looking for a NIST cybersecurity assessment tool to download? Resources are available to help you prepare for your NIST cybersecurity audit:

• Baldrige Cybersecurity Excellence Builder: This self-assessment tool can help you assess the effectiveness of your cybersecurity risk management efforts and identify how you can improve.
• Cohesive Networks’ “Putting the NIST Cybersecurity Framework to Work”: This guide for using the NIST Framework includes best practices for security audits, compliance, and communication.
• FINSECTECH’s Cybersecurity Framework as a Service: This user-friendly tool helps with management of cybersecurity frameworks.
• Information Systems Audit and Control Association’s: Implementing the NIST Cybersecurity Framework and Supplementary Toolkit
• ISACA’s Cybersecurity: Based on the NIST Cybersecurity Framework: Covers subprocesses such as asset management, awareness training, data security, resource planning, recovery planning and communications.
• Rivial Security’s Vendor Cybersecurity Tool: This is a guide to using the NIST CSF to assess vendor security.
• The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) Cyber Security Evaluation Tool (CSET) download, fact sheet, introductory CSET video, and walkthrough video of the Cybersecurity Framework approach within CSET.
• University of Maryland Robert H. Smith School of Business Supply Chain Management Center’s CyberChain Portal-Based Assessment Tool provides guidelines for measuring and assessing cyber-supply-chain risk.

Or, instead of using a hodgepodge of tools and spreadsheets to manage your NIST compliance, use our NIST cybersecurity audit checklist in tandem with ZenGRC, our all-in-one governance, risk, and compliance software-as-a-service.

ZenGRC tracks and manages your NIST controls and compliance for you—including showing how NIST compliance improves your compliance with other important regulations and requirements such as the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS).

In this day and age, data security and privacy ought to be high on every organization’s list, including yours. Passing a NIST audit assures your enterprise, customers, and clients that your systems, networks, and data—and their data, as well—are safe from intrusion.

Think of the NIST, the Federal Risk and Authorization Management Program (FedRAMP), and the Federal Information Security Modernization Act (FISMA) as three fingers on the same hand.

NIST is the thumb needed to make the others useful.

Federal agencies must comply with the FISMA, which NIST 800-53 helps to achieve. Compliance with NIST CSF may also entail compliance with NIST SP 800-53, the set of illustrative security controls referenced in the NIST CSF.

Who must comply with FISMA:

• Federal agencies
• State agencies that deal with federal data
• Organizations that administer federal funds
• Private-sector companies that receive federal grant money, support federal programs, or contract with federal agencies must comply with FISMA.

Cloud service providers doing business with the federal government must meet FedRAMP requirements. FedRAMP and FISMA are both based on NIST 800-53—as are a number of other information security frameworks including the Health Insurance Portability and Accountability Act (HIPAA).

To help you see how NIST, FedRAMP, and FISMA intersect, let’s take a brief look at each program.

NIST

NIST, an agency belonging to the U.S. Department of Commerce, provides guidelines on cybersecurity of information systems. The NIST CSF was designed primarily to tighten the security of U.S. critical infrastructures such as the energy and financial sectors, but the U.S. government now uses it for all federal information systems.

For non federal agencies and providers, NIST compliance is voluntary, but an increasing number are using it to ensure their systems are secure as can be, and to satisfy their clients and customers’ concerns about cybersecurity.

FISMA

FISMA requires government agencies and contracting organizations to use a risk-based approach when implementing their information security controls.

The primary framework for FISMA compliance is NIST 800-53; compliant organizations receive an Authority to Operate (ATO) from the agency with which they are under contract. Organizations doing business with more than one agency must obtain an ATO from each, which may perform the security assessment or have a third-party assessor (3PAO) do so.

FedRAMP

FedRAMP aims to support federal agencies’ use of cloud computing and services and ensure the security of cloud products and services.

Because FedRAMP’s controls are based on NIST 800-53, cloud service providers wishing to contract with the federal government use NIST to meet the qualifications for an ATO. FedRAMP’s accelerated process allows organizations that obtain an ATO or provisional authorization (P-ATO) from the FedRAMP Joint Authorization Board (JAB) to use that ATO when contracting with all federal agencies.

FedRAMP and FISMA certifications are demanding and complex. Compliance with NIST can ease the way for both—but NIST 800-53 has 108 controls! Nevertheless, checking off the NIST list can not only pave the way for lucrative government contracts, but also demonstrate to nonfederal customers and clients that your enterprise meets the “gold standard” for security.

ZenGRC can ease your way to compliance with NIST and FedRAMP for smooth sailing on the federal-contracts seas.

Both the NIST CSF and the American Institute of Certified Public Accountants’ (AICPA) Systems and Organization Controls for Service Organizations 2 (SOC 2) are risk management frameworks governing information security.

Check out our Ultimate Guide to SOC 2 for an in-depth look at the SOC 2 framework.

NIST vs. SOC 2: What’s the Best Pick for Your Business

The NIST CSF and NIST special publications 800-53 and 800-171 are designed to improve cybersecurity for providers of U.S. critical infrastructure, such as the energy and financial sectors.

• NIST CSF provides a flexible framework that any organization can use for creating and maintaining an information security program. NIST 800-53 and NIST 800-171 provide security controls for implementing NIST CSF.
• NIST 800-53 aids federal agencies and entities doing business with them to comply as required with FISMA. Containing over 900 requirements, NIST 800-53 is the most granular cybersecurity framework available.
• NIST 800-171 contains information security guidelines for the U.S. Department of Defense (DoD) and their contractors to help them comply with the Defense Federal Acquisition Regulation Supplement (DFARS). All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must comply with DFARS and, hence, NIST 800-171.
• SOC 2 is designed specifically for auditors to use when assessing the data security and privacy controls of service providers such as cloud hosting services and payment processors. It’s not to be confused with SOC 1, a financial auditing framework that implements the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE-18).

NIST vs. SOC 2: How they work

NIST 800-53 contains 108 controls in 20 control families.

NIST CSF has five core principles:

• Identify
• Protect
• Detect
• Respond
• Recover

SOC 2 addresses five trust services categories:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

NIST vs. SOC 2: Who uses them

NIST is written for cybersecurity professionals to use in designing and implementing a cybersecurity program.

SOC is intended for auditors to use to evaluate a service provider’s security and privacy controls.

NIST vs. SOC 2: How they intersect

Organizations can use NIST 800-53 to implement controls that will enable them to meet SOC 2 requirements.

Using NIST with other frameworks

The NIST CSF‘s core can also help organizations comply with a number of other security and privacy frameworks including the International Organization for Standardization’s ISO 27001, Information security management, and the Health Insurance Portability and Accountability Act (HIPAA).

NIST compliance is voluntary for most but required for federal government agencies and for organizations doing certain types of business with those agencies.

Compliance with SOC 2 is voluntary but may be required by entities wishing to contract with a service provider.

The NIST CSF and special publications and the International Organization for Standardization (ISO)’s 27000 series of information security management standards can both help organizations improve their cybersecurity risk management.

But the intended audiences and uses of NIST and ISO differ in key respects.

Here’s the breakdown:

NIST vs. ISO: Purpose

The NIST Cybersecurity Framework is a United States-based framework intended for use with federal information systems. It was developed to help federal agencies and U.S. critical infrastructure organizations secure their systems, networks, and data.

ISO is international. Its 27000 series of international standards were developed to help private companies develop and maintain information security management systems.

NIST vs. ISO: Users

Federal government agencies and organizations doing business with them are the primary users of NIST; the U.S. government requires all federal agencies to comply with FISMA, and NIST CSF can be used to help with that compliance.

Private companies outside the U.S. as well as multinational and international companies are the main users of the ISO 27000 series, especially ISO/IEC 27001 and ISO/IEC 27002.

NIST vs. ISO: Assistive tools

NIST has a set of security controls, NIST SP 800-53, that helps with NIST CSF compliance.

ISO 27002 is a security control framework that helps with ISO 27001 compliance.

So ISO 27002 is the ISO equivalent of NIST 800-53.

Various NIST documents align somewhat with ISO: NIST CSF, NIST 800-30, NIST 800-37, NIST 800-53, NIST 800-53a.

NIST vs. ISO: Technical level

NIST 800-53 provides information security controls in a variety of groups to help agencies and their contracting organizations use best practices in implementing and maintaining information systems.

ISO 27002 is less technical than NIST 800-53, and is more risk-focused for organizations of every size and type.

NIST vs. ISO: Structure

NIST 800-53 has 20 control families and hundreds of controls.

ISO 27001 has 14 control categories and 114 controls.

NIST vs. ISO: Certification

NIST has no official certification program; entities instead must self-certify.

ISO 27001 certification is available from American Institute of Certified Public Accountants-approved auditors.

The National Institute for Standards and Technology publishes standards, guidelines, recommendations, and research on data and information systems security and privacy.

Intended primarily for federal agencies and their third-party service providers, vendors, and contractors, NIST publications can be a useful resource for any organization establishing or maintaining a cybersecurity system.

Compliance with NIST 800-53, for example, is essential for organizations striving to meet FISMA requirements.

NIST provides a complete compendium of all its publications on the nist.gov website. Overall, the NIST technical publication series comprises

• Federal Information Processing Standards (FIPS): Security standards
• NIST Special Publications: Guidelines, recommendations and reference materials
• NIST Internal or Interagency Reports: Reports of research findings, including background information for FIPS and SPs
• NIST Information Technology Laboratory (ITL) Bulletins: Monthly overviews of NIST’s security and privacy publications, programs and projects

NIST has hundreds of special publications. They fall into three categories:

• SP 800 — Computer security
• SP 1800 — Cybersecurity practice guides
• SP 500 — Information technology (relevant documents)

The NIST glossary defines its special publications this way: A type of publication issued by NIST. Specifically, the NIST Special Publication 800 series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

NIST 800-series special publications include guidelines for establishing and maintaining information security programs, security controls, risk management guidance, technical information, and more. Here we’ve listed all the current NIST 800-series publications (except annual reports), starting with the most recent.

Final NIST 800 publications

• NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
• NIST SP 800-171 Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
• NIST SP 800-160 Vol. 2 Developing Cyber Resilient Systems: A Systems Security Engineering Approach
• NIST SP 800-128  Guide for Security-Focused Configuration Management of Information Systems
• NIST SP 800-52 Rev. 2  Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST SP 800-204 Security Strategies for Microservices-based Application Systems
• NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations
• NIST SP 800-133 Rev. 1 Recommendation for Cryptographic Key Generation
• NIST SP 800-205 Attribute Considerations for Access Control Systems
• NIST SP 800-57 Part 2 Rev. 1 Recommendation for Key Management: Part 2—Best Practices for Key Management Organizations
• NIST SP 800-163 Rev. 1 Vetting the Security of Mobile Applications
• NIST SP 800-56B Rev. 2 Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
• NIST SP 800-131A Rev. 2 Transitioning the Use of Cryptographic Algorithms and Key Lengths
• NIST SP 800-177 Rev. 1 Trustworthy Email
• NIST SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-116 Rev. 1 Guidelines for the Use of PIV Credentials in Facility Access
• NIST SP 800-125A Rev. 1 Security Recommendations for Server-based Hypervisor Platforms
• NIST SP 800-202 Quick Start Guide for Populating Mobile Test Devices  \
• NIST SP 800-193 Platform Firmware Resiliency Guidelines
• NIST SP 800-87 Rev. 2 Codes for Identification of Federal and Federally-Assisted Organizations
• NIST SP 800-56C Rev. 1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes
• NIST SP 800-56A Rev. 3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
• NIST SP 800-160 Vol. 1 Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• NIST SP 800-70 Rev. 4 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST SP 800-126 Rev. 3 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3
• NIST SP 800-126A SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3
• NIST SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation
• NIST SP 800-187 Guide to LTE Security
• NIST SP 800-63A Digital Identity Guidelines: Enrollment and Identity Proofing
• NIST SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management
• NIST SP 800-63C Digital Identity Guidelines: Federation and Assertions
• NIST 800-63-3 Digital Identity Guidelines
• NIST SP 800-67 Rev. 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
• NIST SP 800-190 Application Container Security Guide
• NIST SP 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
• NIST SP 800-192 Verification and Test Methods for Access Control Policies/Models
• NIST SP 800-12 Rev. 1 An Introduction to Information Security
• NIST SP 800-121 Rev. 2 Guide to Bluetooth Security
• NIST SP 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
• NIST SP 800-184 Guide for Cybersecurity Event Recovery
• NIST SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
• NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
• NIST SP 800-150 Guide to Cyber Threat Information Sharing
• NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
• NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
• NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
• NIST SP 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security
• NIST SP 800-183 Networks of ‘Things’
• NIST SP 800-166 Derived PIV Application and Data Model Test Guidelines
• NIST SP 800-156 Representation of PIV Chain-of-Trust for Import and Export
• NIST SP 800-85A-4 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
• NIST SP 800-38G Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
• NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
• NIST SP 800-73-4 Interfaces for Personal Identity Verification
• NIST SP 800-57 Part 1 Rev. 4 Recommendation for Key Management, Part 1: General
• NIST SP 800-152 A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
• NIST SP 800-167 Guide to Application Whitelisting
• NIST SP 800-79-2 Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
• NIST SP 800-90A Rev. 1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
• NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security
• NIST SP 800-78-4 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
• NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-57 Part 3 Rev. 1 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
• NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials
• NIST SP 800-53A Rev. 4  Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
• NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
• NIST SP 800-147B BIOS Protection Guidelines for Servers
• NIST SP 800-168 Approximate Matching: Definition and Terminology
• NIST SP 800-101 Rev. 1 Guidelines on Mobile Device Forensics
• NIST SP 800-81-2 Secure Domain Name System (DNS) Deployment Guide
• NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems
• NIST SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies
• NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
• NIST SP 800-76-2 Biometric Specifications for Personal Identity Verification
• NIST SP 800-124 Rev. 1 Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
• NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
• NIST SP 800-107 Rev. 1 Recommendation for Applications Using Approved Hash Algorithms
• NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide
• NIST SP 800-146 Cloud Computing Synopsis and Recommendations
• NIST SP 800-126 Rev. 2 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
• NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)
• NIST SP 800-135 Rev. 1 Recommendation for Existing Application-Specific Key Derivation Functions
• NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-145 The NIST Definition of Cloud Computing
• NIST SP 800-147 BIOS Protection Guidelines
• NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-51 Rev. 1 Guide to Using Vulnerability Naming Schemes
• NIST SP 800-126 Rev. 1 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
• NIST SP 800-125 Guide to Security for Full Virtualization Technologies
• NIST SP 800-119 Guidelines for the Secure Deployment of IPv6
• NIST SP 800-132 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
• NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
• NIST SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
• NIST SP 800-142 Practical Combinatorial Testing
• NIST SP 800-22 Rev. 1a A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
• NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• NIST SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
• NIST SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
• NIST SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
• NIST SP 800-102 Recommendation for Digital Signature Timeliness
• NIST SP 800-106 Randomized Hashing for Digital Signatures
• NIST SP 800-66 Rev. 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP 800-60 Vol. 1 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories
• NIST SP 800-60 Vol. 2 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
• NIST SP 800-123 Guide to General Server Security
• NIST SP 800-55 Rev. 1 Performance Measurement Guide for Information Security
• NIST SP 800-113 Guide to SSL VPNs
• NIST SP 800-28 Version 2 Guidelines on Active Content and Mobile Code
• NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
• NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
• NIST SP 800-44 Version 2 Guidelines on Securing Public Web Servers
• NIST SP 800-95 Guide to Secure Web Services
• NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
• NIST SP 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems
• NIST SP 800-100 Information Security Handbook: A Guide for Managers
• NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)
• NIST SP 800-45 Version 2 Guidelines on Electronic Mail Security
• NIST SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
• NIST SP 800-96 PIV Card to Reader Interoperability Guidelines
• NIST SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
• NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
• NIST SP 800-92 Guide to Computer Security Log Management
• NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
• NIST SP 800-85B PIV Data Model Test Guidelines
• NIST SP 800-18 Rev. 1 Guide for Developing Security Plans for Federal Information Systems
• NIST SP 800-77 Guide to IPsec VPNs
• NIST SP 800-58 Security Considerations for Voice Over IP Systems
• NIST SP 800-72 Guidelines on PDA Forensics
• NIST SP 800-35 Guide to Information Technology Security Services
• NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
• NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
• NIST SP 800-49 Federal S/MIME V3 Client Profile
• NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems
• NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques
• NIST SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
• NIST SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
• NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model
• NIST SP 800-15 MISPC Minimum Interoperability Specification for PKI Components, Version 1

Draft NIST 800 special publications

• NIST SP 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
• NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
• NIST SP 800-204A Building Secure Microservices-based Applications Using Service-Mesh Architecture
• NIST SP 800-137A Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment
• NIST SP 800-208 Recommendation for Stateful Hash-Based Signature Schemes
• NIST SP 800-186  Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters
• NIST SP 800-140A CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759
• NIST SP 800-140D CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759:2014(E)
• NIST SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759:2014(E)
• NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
• NIST SP 800-140B CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B
• NIST SP 800-140C CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759
• NIST SP 800-140E CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790:2012 Annex E and ISO/IEC 24579:2017
• NIST SP 800-57 Part 1 Rev. 5 Recommendation for Key Management: Part 1—General
• NIST SP 800-207 Zero Trust Architecture
• NIST SP 800-175B Rev. 1 Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
• NIST SP 800-77 Rev. 1 Guide to IPsec VPNs
• NIST SP 800-171B  Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
• NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• NIST SP 800-38G Rev. 1 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
• NIST SP 800-179 Rev. 1 Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist
• NIST SP 800-71 Recommendation for Key Establishment Using Symmetric Block Ciphers
• NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
• NIST SP 800-188 De-Identifying Government Datasets (2nd Draft)
• NIST SP 800-90C Recommendation for Random Bit Generator (RBG) Constructions
• NIST SP 800-154 Guide to Data-Centric System Threat Modeling
• NIST SP 800-180 NIST Definition of Microservices, Application Containers and System Virtual Machines
• NIST SP 800-85B-4 PIV Data Model Test Guidelines
• NIST SP 800-164  Guidelines on Hardware-Rooted Security in Mobile Devices
• NIST SP 800-94 Rev. 1 Guide to Intrusion Detection and Prevention Systems (IDPS)
• NIST SP 800-155 BIOS Integrity Measurement Guidelines

Developing a security plan is the starting point for effective cybersecurity and privacy risk management. And, once it’s written, you’ll need to keep it up to date to protect your data and systems from the newest wave of threats, such as malware.

Whether you’re writing a security plan for your organization or updating the one you have, the NIST CSF, Framework for Improving Critical Infrastructure Cybersecurity, is a valuable resource whether yours is a public – or private-sector organization, a part of the U.S. critical infrastructure or not.

NIST CSF is written in accessible language to be as user-friendly as possible, but it doesn’t implement itself. For that, you need controls.

If writing a security plan sounds complicated, that’s because it is. But whoever said that effective information security was easy?

Fortunately, a number of tips and tools are available, including NIST evaluation tools, language technology tools, corpus-building tools, and planning tools, to help your organization meet all its security risk management requirements from planning to implementation to continuous monitoring and beyond.

And if you decide that automating your NIST compliance is the best solution? Tools are available for that as well, in the form of governance, risk, and compliance software that’s also NIST audit software capable of evaluating your NIST compliance, and identifying and helping you to fill compliance gaps.

Your NIST Ransomware Recovery Checklist

As described earlier, we are seeing a severe increase in the number of ransomware attacks both in the United States and around the world. To address this trend, NIST has developed a ransomware recovery checklist which includes these recommended steps for a fast recovery:

• Have a ransomware attack incident recovery plan ready to go before you need it. Practice the plan on a regular basis and make sure everyone in your organization knows exactly what to do, should you get hit by ransomware.
• Make sure you have a working data backup and recovery plan in place, including a plan that secures access to your data should your main computer systems become compromised.
• Have a list of contacts at the Federal Bureau of Investigation and other law enforcement agencies on hand at all times.
• Understand any mandatory reporting and disclosure rules that may apply to your business.

For more detailed information check out NIST’s Tips and Tactics on How To Deal With Ransomware Attacks.

Your NIST security plan toolbox

One of the first documents any organization serious about NIST should download and read is NIST Risk Management — Select Step — Tips and Techniques for Systems. This handy NIST guide walks you step-by-step through the process of writing a NIST security plan. And it’s free!

NIST has also created a list of government-generated planning guides that can help you create, evaluate, and improve your business’s cybersecurity plan:

• Cybersecurity Resources Roadmap — This Department of Homeland Security document aims to help small and medium-sized businesses select the most useful cybersecurity resources based on their needs.
• Cyber Insurance — From the Federal Trade Commission (FTC), this site offers tips on choosing a cyber insurance policy.
• FCC Cyber Planner — If yours is a small business wanting to create its own customized security plan, the Federal Communication Commission’s (FCC) Small Biz Cyber Planner 2.0, available online, is for you.
• Understanding the NIST Cybersecurity Framework — This overview of the popular information security framework provides guidance for how to use it in your business, from the FTC.
• Cybersecurity Risk Management — This is the FCC Communications Security, Reliability and Interoperability Council’s report on cybersecurity risk management and best practices.

Manufacturing sector guides

The manufacturing sector has its own set of cybersecurity challenges. In recognition of these special needs, NIST has published a list of security planning guidelines especially for small manufacturers:

• Cybersecurity Framework Steps for Small Manufacturers helps small manufacturers understand the NIST Cybersecurity Framework and how they can use it to manage their cyber risks.
• NIST Manufacturing Profile—NISTIR 8183 provides cybersecurity framework details for manufacturing including a guide for reducing cybersecurity risk in accord with manufacturing sector goals and industry best practices.
• Manufacturers Guide to Cybersecurity for Small and Medium-Sized Manufacturers outlines common cybersecurity practices for small and medium-sized manufacturers.

NIST also has compiled a list of software packages to help organizations evaluate the various aspects of their cybersecurity program.

There are a number of ways to manage and monitor your NIST compliance. Most of them are arduous. Automation, however, is not.

For example, you may choose to read the NIST CSF and use spreadsheets to write your NIST compliance plan of action and milestones, chart your risk management compliance, identify and fill information security gaps, and keep tabs on the assessment and monitoring of your third-party contractors’ and suppliers’ information systems and NIST compliance.

With this option, though, you’ll be juggling a lot of documents and toggling a lot of screens.

Or, if yours is a federal agency or an organization doing business with federal agencies, you can use NIST Special Publication 800-53 to implement the security controls your organization needs to be NIST CSF compliant, and keep track of your progress using, again, spreadsheets.

Or if you’re contracting with the U.S. Department of Defense, you can aim for compliance with NIST 800-171.
But even all the tips, tricks, and techniques listed in the section above won’t make compliance easy.

Also, you can manually map your compliance with other security and risk management frameworks and requirements including ISO 27001, FISMA, SOC 2, and, for cloud providers, FedRAMP, so you know you’re not duplicating your efforts or doing more for NIST compliance than you need to.

But manual mapping is laborious, time-consuming, and not cost-effective.

The best solution is to automate your compliance mapping, management, and monitoring, and let today’s most advanced governance, risk, and compliance (GRC) software do much of the work for you.

ZenGRC does everything you and your people can do for NIST compliance, but faster and more thoroughly. From the moment you log in to our software-as-a-service (SaaS), ZenGRC performs the time-consuming drudge work so you don’t have to, including:

• Conducting a risk assessment of your information systems and those of your third-party vendors to see where you comply and where you fall short, and enhance your asset management
• Creating a plan of action and milestones for systems security and displaying it on user-friendly dashboards so you can see in real-time what needs to be done, and who needs to do it
• Mapping all your compliance efforts and frameworks so you can avoid duplication and use your time and money wisely
• Providing continuous monitoring of your systems, and flagging you when changes occur that could threaten your NIST compliance
• Updating itself when NIST changes
• Conducting automated, unlimited self-audits and organizing your documents in a “single source of truth” repository for easy retrieval at audit time

No more hunting for documentation; no more searching emails or toggling screens: ZenGRC’s centralized, at-a-glance dashboards and simplified self-assessments can make aligning to NIST a worry-free, Zen-like experience.

Then, you and your personnel will be freer to focus on the task at hand: keeping your data, systems, and networks secure and operational, and your clients and customers happy.

Contact us now for your free ZenGRC consultation.