The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, establishes best practices that are considered some of the best standards throughout the world. Some of their standards focus specifically on information security and privacy and are particularly important when assessing cyber posture.
NIST’s robust InfoSec and privacy standards are valuable because they are well thought-out, extremely practical and create a common language for discussing security and privacy. For these reasons, aligning with NIST can be highly advantageous for organizations. Best of all? Unlike other control frameworks such as ISO, NIST’s standards are available for free.
What are some of the NIST standards that your organization should consider aligning with? Here are four to consider.
NIST 800-53
NIST’s comprehensive 800-53 is the Security and Privacy Controls for Federal Information Systems and Organizations, and it includes 800 controls. These security guidelines cover 18 areas including awareness and training, business continuity, incident response and access control.
The goal of these controls is to make federal information systems more resilient while promoting their integrity, confidentiality and security. Even though this was created for the US federal government, NIST 800-53 Rev 4 has become the “gold standard” for information security in many industries.
NIST CSF
NIST’s Cybersecurity Framework (CSF) is considered a trusted resource for bettering security operations and governance for public and private organizations. CSF is derived from 800-53 and is framed in business terms, which can often make it easier to digest.
CSF is organized into five essential functions called the Framework Core. They include:
- Identify
- Protect
- Detect
- Respond
- Recover
These functions are made up of 21 categories and more than 100 subcategories (effectively the “controls” of CSF), which refer to more detailed and technical controls in frameworks such as 800-53, ISO, ISA and more. CSF also delineates tiers of maturity in an organization’s understanding of cybersecurity risk, capacity to limit that risk, recover from events and perhaps most important, to learn from them. and what processes are in place to mitigate that risk.
NIST 800-171
To understand NIST’s Special Publication 800-171, it’s important to explain what is Controlled Unclassified Information. CUI is defined as information that is sensitive and relevant to US interests, but not regulated by the Federal government. Each Federal agency has a registry that defines its CUI; for example, financial CUI could include budgets, mergers and electronic funds transfers.
NIST’s 800-171 was developed after the 2003 creation of the Federal Information Security Management Act (FISMA), and was intended to improve cybersecurity. The idea was to ensure that unclassified information would be protected, which would ultimately help the federal government securely carry out its business operations in non-classified contexts.
800-171 standards must be met by any business that processes CUI for federal or state agencies such as NASA or the Department of Defense. It involves implementing and verifying compliance and creating security protocols for 14 areas, including access control, identification and authentication and risk assessment.
NIST Privacy Framework
The new NIST Privacy Framework aims to address the numerous and often confusing data privacy regulations with which organizations must comply, including GDPR, CCPA and the New York Shield Act. On a more fundamental level, it is designed as a foundation for efforts to introduce privacy as a basic element in the culture of a business.
The Privacy Framework provides the building blocks for privacy compliance by establishing overall best practices for privacy in business-friendly language. In doing so, it also outlines a process that will ultimately lead to what is known as “privacy by design,” meaning that privacy will be considered throughout system engineering and maintenance.
Most significantly, the NIST Privacy Framework succeeds in introducing an approach to privacy that can ultimately streamline organizations’ compliance.
Aligning With NIST
Panorays can help your organization make sure your third parties are aligned with one or more of NIST’s robust standards. Our automated questionnaire can be set to check for NIST, and our comprehensive scan of third parties’ attack surfaces can verify many of the NIST controls.
Learn more about how Panorays can help you and your third parties align with NIST.