4 NIST Standards Your Organization Should Align With

By Dov Goldman, May 27, 2020

The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, establishes best practices that are considered some of the best standards throughout the world. Some of their standards focus specifically on information security and privacy and are particularly important when assessing cyber posture.


NIST’s robust InfoSec and privacy standards are valuable because they are well thought-out, extremely practical and create a common language for discussing security and privacy. For these reasons, aligning with NIST can be highly advantageous for organizations. Best of all? Unlike other control frameworks such as ISO, NIST’s standards are available for free.

What are some of the NIST standards that your organization should consider aligning with? Here are four to consider. 

NIST 800-53

NIST’s comprehensive Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, includes 800 controls. These security guidelines cover 18 areas, including awareness and training, business continuity, incident response and access control.

The goal of these controls is to make federal information systems more resilient while promoting their integrity, confidentiality and security. Even though this was created for the US federal government, NIST 800-53 Rev 4 has become the “gold standard” for information security in many industries.

NIST Cybersecurity Framework (CSF)

NIST’s Cybersecurity Framework (CSF) is considered a trusted resource for improving security operations and governance in both public and private organizations. CSF is derived from 800-53 and is framed in business terms, which often makes it easier to digest.

CSF is organized into five essential functions called the Framework Core. They include:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These functions are made up of 21 categories and more than 100 subcategories (effectively the “controls” of CSF), which map to more detailed and technical controls in frameworks such as 800-53, ISO, ISA and others. CSF also delineates tiers of maturity that describe an organization’s understanding of cybersecurity risk, its capacity to limit that risk and recover from events, the processes it has in place to mitigate that risk and, perhaps most important, its ability to learn from those events.

NIST 800-171

To understand NIST’s Special Publication 800-171, it’s important to first explain what Controlled Unclassified Information (CUI) is. CUI is defined as information that is sensitive and relevant to US interests but not regulated by the Federal government. Each Federal agency maintains a registry that defines its CUI; for example, financial CUI could include budgets, mergers and electronic funds transfers.

NIST’s 800-171 was developed after the 2003 creation of the Federal Information Security Management Act (FISMA), and was intended to improve cybersecurity. The idea was to ensure that unclassified information would be protected, which would ultimately help the federal government securely carry out its business operations in non-classified contexts. 

The 800-171 requirements must be met by any business that processes CUI for federal or state agencies such as NASA or the Department of Defense. Meeting them involves implementing and verifying compliance and establishing security protocols across 14 areas, including access control, identification and authentication, and risk assessment.

NIST Privacy Framework 

The new NIST Privacy Framework aims to address the numerous and often confusing data privacy regulations with which organizations must comply, including GDPR, CCPA and the New York Shield Act. On a more fundamental level, it is designed as a foundation for efforts to introduce privacy as a basic element in the culture of a business.

The Privacy Framework provides the building blocks for privacy compliance by establishing overall best practices for privacy in business-friendly language. In doing so, it also outlines a process that will ultimately lead to what is known as “privacy by design,” meaning that privacy will be considered throughout system engineering and maintenance. 

Most significantly, the NIST Privacy Framework succeeds in introducing an approach to privacy that can ultimately streamline organizations’ compliance. 

Aligning with NIST

Panorays can help your organization make sure your third parties are aligned with one or more of NIST’s robust standards. Our automated questionnaire can be set to check for NIST, and our comprehensive scan of third parties’ attack surfaces can verify many of the NIST controls. 

Learn more about how Panorays can help you and your third parties align with NIST.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
