NIST compliance is compliance with the standards and guidelines issued by the National Institute of Standards and Technology (NIST), a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
Specifically, NIST develops Federal Information Processing Standards (FIPS) in congruence with FISMA. The Secretary of Commerce approves FIPS, with which federal agencies must comply – federal agencies may not waive the use of the standards. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series. The Office of Management and Budget (OMB) policies require that agencies must comply with NIST guidance, unless they are national security programs and systems.
NIST Compliance at a Glance
Generally speaking, NIST guidance provides the set of standards for recommended security controls for information systems at federal agencies. These standards are endorsed by the government, and companies comply with NIST standards because they encompass security best practices controls across a range of industries – an example of a widely adopted NIST standard is the NIST Cybersecurity Framework. NIST standards are based on best practices from several security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring stringent security measures.
In many cases, complying with NIST guidelines and recommendations will help federal agencies ensure compliance with other regulations, such as HIPAA, FISMA, or SOX. NIST guidelines are often developed to help agencies meet specific regulatory compliance requirements. For example, NIST has outlined nine steps toward FISMA compliance:
- Categorize the data and information you need to protect
- Develop a baseline for the minimum controls required to protect that information
- Conduct risk assessments to refine your baseline controls
- Document your baseline controls in a written security plan
- Roll out security controls to your information systems
- Once implemented, monitor performance to measure the efficacy of security controls
- Determine agency-level risk based on your assessment of security controls
- Authorize the information system for processing
- Continuously monitor your security controls
NIST Compliance Benefits
NIST compliance helps secure your organization’s infrastructure and provides a framework for meeting regulations like HIPAA and FISMA. However, it’s not a guarantee of complete data security. That’s why NIST guidelines start with inventorying cyber assets using a value-based approach, so you can identify your most sensitive data and prioritize protection.
NIST SP 800-Series Compliance
Many security solutions and services offer continuous, automated monitoring against the NIST SP 800-series to help government agencies through the process of identifying and prioritizing their cyber assets, identifying risk thresholds, determining optimal monitoring frequency, and reporting to authorizing officials. Some of the most common NIST SP 800-series guidelines that agencies seek help in complying with include NIST SP 800-53, which provides guidelines on the security controls required for federal information systems; NIST SP 800-37, which helps promote near-real-time risk management through continuous monitoring of the controls defined in NIST SP 800-53; and NIST SP 800-137, which provides additional guidance on enterprise-wide reporting and monitoring using automation.
Draft Special Publication 800-171
In May 2015, NIST released a draft document, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” Draft Special Publication 800-171. The new document provides guidance for organizations looking to protect sensitive unclassified federal information that is housed in nonfederal information systems and environments, including nonfederal information systems that lie outside existing laws such as FISMA, and any components of nonfederal systems that process, store, or transmit controlled unclassified information (CUI). The document helps to clarify the role of third parties in data breach incidents and provides guidance on the types of data to protect and the kinds of protections to apply. This document is especially helpful for private-sector firms.