What is NIST Compliance?
The National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
Specifically, NIST develops Federal Information Processing Standards (FIPS) in accordance with FISMA. The Secretary of Commerce approves FIPS, with which federal agencies must comply – federal agencies may not waive the use of these standards. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series. Office of Management and Budget (OMB) policies require agencies to comply with NIST guidance, except for national security programs and systems.
NIST Compliance at a Glance
Generally speaking, NIST guidance provides the set of standards for recommended security controls for information systems at federal agencies. These standards are endorsed by the government, and companies comply with NIST standards because they encompass best-practice security controls across a range of industries – an example of a widely adopted NIST standard is the NIST Cybersecurity Framework. NIST standards are based on best practices drawn from several security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring stringent security measures.
In many cases, complying with NIST guidelines and recommendations will help federal agencies ensure compliance with other regulations, such as HIPAA, FISMA, or SOX. NIST guidelines are often developed to help agencies meet specific regulatory compliance requirements. For example, NIST has outlined nine steps toward FISMA compliance:
- Categorize the data and information you need to protect
- Develop a baseline for the minimum controls required to protect that information
- Conduct risk assessments to refine your baseline controls
- Document your baseline controls in a written security plan
- Roll out security controls to your information systems
- Once implemented, monitor performance to measure the efficacy of security controls
- Determine agency-level risk based on your assessment of security controls
- Authorize the information system for processing
- Continuously monitor your security controls
NIST Compliance Benefits
The initial benefit of NIST compliance is that it helps to ensure an organization’s infrastructure is secure. NIST also provides the foundation that companies follow when achieving compliance with specific regulations such as HIPAA or FISMA. It’s important to keep in mind, however, that complying with NIST is not a complete assurance that your data is secure. That’s why NIST guidelines begin by telling companies to inventory their cyber assets using a value-based approach, in order to find their most sensitive data and prioritize protection efforts around it.
NIST SP 800-Series Compliance
Many security solutions and services offer continuous, automated monitoring against the NIST SP 800-series to help government agencies through the process of identifying and prioritizing their cyber assets, identifying risk thresholds, determining optimal monitoring frequency, and reporting to authorizing officials. Some of the most common NIST SP 800-series guidelines that agencies seek help in complying with include NIST SP 800-53, which defines the security controls required for federal information systems; NIST SP 800-37, which promotes near-real-time risk management through continuous monitoring of the controls defined in NIST SP 800-53; and NIST SP 800-137, which provides additional guidance on enterprise-wide monitoring and reporting using automation.
The Latest from NIST
In May 2015, NIST released a draft document, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” Draft Special Publication 800-171. The new document provides guidance for organizations looking to protect sensitive unclassified federal information that is housed in nonfederal information systems and environments, including nonfederal information systems that lie outside existing laws such as FISMA and any components of nonfederal systems that process, store, or transmit controlled unclassified information (CUI). The document helps to clarify the role of third parties in data breach incidents and provides guidance on the types of data to protect and the kinds of protections to apply. This document is especially helpful for private sector firms.