Complete Guide to NIST: Cybersecurity Framework, 800-53, 800-171

Published/Updated September 30, 2020

Intro

Cybersecurity and privacy are urgent concerns for every organization. Keeping sensitive data private, intellectual property proprietary, and critical business systems up and running can seem nearly impossible in the face of relentless and ever-sophisticated attacks and breach attempts. 

Fortunately for U.S. companies, NIST can help. The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF)—and, now, a new privacy framework—are important risk management tools. Although designed for the protection of U.S. critical infrastructure, NIST CSF is useful for any organization. 

NIST CSF compliance is purely voluntary. But when you consider the costs to your enterprise that a cybersecurity breach could incur, not to be NIST-compliant is risky business, indeed. 

NIST has done the hardest part for you: provided a common set of fundamental program functions with unique components that can guide your enterprise to greater security. NIST CSF is written in clear, concise language and is designed so that even those just beginning their cybersecurity program can use it. Is it any wonder that NIST CSF is one of the most widely employed cybersecurity frameworks in the U.S.?

That’s not to say that NIST CSF is easy to implement. It isn’t. 

With this guide, however, you can tackle the job with confidence. We’ve compiled a trove of information regarding pretty much every aspect of NIST CSF, and included some information about the new privacy framework, as well. 

Read on for answers to the most commonly asked questions about NIST, and perhaps even some you hadn’t thought of. For more in-depth knowledge, click on the links sprinkled throughout. For help preparing for a NIST compliance audit, check out our handy NIST audit checklist. And if you want a digital solution to guide you through the NIST CSF compliance process, contact us.

What Is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology developed its cybersecurity framework, The Framework for Improving Critical Infrastructure Cybersecurity, to strengthen the security of United States critical infrastructure. Its goal was to establish a common set of standards, goals, and language for better information security. 

Released in 2014 under an executive order from President Barack Obama and updated in 2018, NIST CSF has become an invaluable risk management resource for private sector enterprises and public agencies. A 2017 executive order requires compliance with NIST CSF for federal government agencies and for entities in their supply chain. 

NIST CSF comprises three components: framework core components, implementation tiers, and profiles. The core components consist of five “functions”: 

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each of these functions includes lower-level activities for mitigating cyber risk. These are further divided into categories and subcategories, which include descriptions of leading information security practices.

Special publications take a deeper dive

In addition to the CSF, NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management: identity access control, managing protective technology, responding to a cybersecurity event or incident, and much more. 

Among the most widely used of the NIST publications is NIST 800-53, a set of controls intended to help organizations meet the requirements of the Federal Information Security Modernization Act, which is mandatory for federal agencies and organizations wanting to do business with them. Considered the cybersecurity “bible” among federal agencies, NIST 800-53 also governs compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), which is mandatory for government-affiliated entities. 

NIST Special Publication 800-30, a Guide to Conducting Risk Assessments, helps with cyber risk management, including controls and control baselines. 

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, helps systems and organizations that are not a part of the federal government protect their sensitive information. Compliance is required for entities doing business with the U.S. Department of Defense (DoD). 

NIST published an update to the CSF in 2018. New to version 1.1 is guidance on self-assessments, supply chain risk management, interacting with supply-chain stakeholders, and developing a process for disclosing vulnerabilities.

Whom Does the NIST Cybersecurity Framework Affect?

NIST CSF is useful for all private enterprises wanting to improve their cybersecurity. But it was initially developed in the interest of protecting the country’s “critical infrastructure,” defined as the assets, systems, and functions deemed vital to the United States. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience defines 16 critical infrastructure sectors: 

  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy (including utilities)
  • Financial services
  • Food and agriculture
  • Government facilities
  • Health care companies and public health
  • Information technology
  • Nuclear reactors, materials, and waste
  • Transportation systems
  • Water and wastewater systems

Today, the framework is promoted as a valuable tool for businesses assessing risk and tightening security. 

However, NIST CSF is also gaining popularity among nongovernment public entities including universities and research organizations, as is the more-detailed NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), compliance with which is required for DoD contractors, is based in part on NIST 800-171.

What Are the NIST Framework Core Components?

NIST defines the CSF’s “core” as a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors: 

“The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.” 

The CSF comprises these components:

  • Implementation tiers: the degree to which your organization has implemented the NIST controls:
    • Tier 1—Partial
    • Tier 2—Risk-informed
    • Tier 3—Repeatable
    • Tier 4—Adaptive
  • Framework core:
    • Functions: identify, protect, detect, respond, recover
    • Categories
    • Subcategories
    • Informative references
  • Framework profiles: Your organization’s unique alignment of its security requirements and objectives, risk appetite and resources, measured against the desired outcomes cited in the framework core

What Are the Five Functions of the NIST Cybersecurity Framework (NIST CSF)?

The NIST Cybersecurity Framework (NIST CSF), Framework for Improving Critical Infrastructure Cybersecurity, consists of three main components: implementation tiers, framework core, and framework profile. 

The framework core at the heart of the document lists five cybersecurity functions. Each function comprises categories, 23 in all, which in turn include 108 subcategories listing requirements and controls to meet as well as “informative references” providing a list of additional frameworks and other resources to consult for more information.

Keep in mind, however, that the NIST CSF is not intended as a “one-size-fits-all” framework. Each organization may decide which functions, categories, and subcategories it will comply with. 

The functions, with their categories and subcategories, are: 

1. Identify—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

  • Asset management (ID.AM):
    • Your enterprise has identified the data, personnel, devices, systems, and facilities essential to its critical business services,
    • Your enterprise has prioritized those assets according to their importance and to the organization’s risk strategy, and
    • Your enterprise manages its assets according to their priority. This means that your organization has achieved these goals:
      • Taken inventory of all physical devices and systems;
      • Taken inventory of all software platforms and applications;
      • Mapped its communication and data flows;
      • Catalogued its external information systems;
      • Prioritized its resources (hardware, devices, data, time, personnel, and software) according to their classification, level of importance (criticality), and business value; and
      • Established cybersecurity roles and responsibilities enterprise-wide and for third-party stakeholders (suppliers, customers, partners).
  • Business environment (ID.BE): 
    • Your teams understand the organization’s mission, objectives, stakeholders and activities as prioritized, and
    • Your teams use this information to inform cybersecurity roles, responsibilities, and risk management decisions. This means that they have
      • Identified and communicated your organization’s role in the supply chain;
      • Identified and communicated your organization’s place in critical infrastructure and its industry sector;
      • Established and communicated its priorities for mission, business objectives and activities;
      • Mapped its dependencies and critical functions for the delivery of critical services; and
      • Established resilience requirements to support the delivery of critical services during normal operations as well as during an attack or under duress and during recovery.
  • Governance (ID.GV): Cybersecurity risk managers and the board know, understand, and use your enterprise security policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.
    • You’ve established and communicated the cybersecurity policy.
    • Your organization has coordinated and aligned cybersecurity roles and responsibilities with internal roles and external partners.
    • Managers understand and are overseeing compliance with legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.
    • Your governance and risk management processes address cybersecurity risks.
  • Risk assessment (ID.RA): Your organization understands the cybersecurity risk to its operations (including mission, functions, image or reputation), assets, and people. 
    • You’ve identified and documented the vulnerabilities to your assets;
    • You’ve arranged to get cyber threat intelligence from information sharing forums and sources;
    • You’ve identified and documented the threat environment, which is the threats your enterprise faces from internal and external sources;
    • You’ve identified potential business impacts of risks and threats, as well as the likelihood of their occurring;
    • You’ve used threats, vulnerabilities, likelihoods, and impacts to determine overall risk; and
    • You’ve identified and prioritized risk responses.
  • Risk management strategy (ID.RM): Your organization has established its priorities, constraints, risk tolerances, and assumptions, and uses them to support operational risk decisions.
    • You’ve established and manage risk management processes, with stakeholders’ agreement.
    • You’ve determined and clearly expressed your organization’s risk tolerance.
    • In determining risk tolerance, you’ve considered your enterprise’s role in critical infrastructure, and have considered risk analyses of your sector.
  • Supply chain risk management (ID.SC): Your enterprise has set priorities, constraints, risk tolerances, and assumptions, and has defined processes to identify, assess, and manage supply chain risks.
    • You’ve identified, established, and assessed supply chain risk management processes and manage these with stakeholder agreement.
    • You’ve identified, prioritized, and assessed the suppliers and third-party partners of your information systems, components, and services using a cyber-supply-chain risk assessment process.
    • You use contracts with suppliers and third-party partners to help meet the objectives of your cybersecurity program and cyber-supply-chain risk management plan.
    • You routinely assess your suppliers and third-party partners using audits, test results, or other evaluations to confirm that they are meeting their contractual obligations.
    • You plan and test response and recovery procedures with suppliers and third-party providers.

2. Protect—Ensure that critical infrastructure services remain available.

  • Identity management, authentication, and access control (PR.AC): Only authorized users, processes, and devices can gain access to your physical and logical assets and associated facilities. How you manage this access depends on the risks associated with unauthorized access. 
    • Issue, manage, verify, revoke and audit identities and credentials for authorized devices, users and processes;
    • Manage and protect physical access to assets;
    • Manage remote access;
    • Manage access permissions and authorizations using the principles of least privilege needed to do one’s job, and separation of duties;
    • Protect network integrity using such means as network segregation and network segmentation;
    • Proof and bind identities to credentials, and have them asserted in interactions; and
    • Authenticate users, devices, and other assets commensurate with the risk of each transaction.
  • Awareness and training (PR.AT): Your organization’s personnel and partners receive cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with policies, procedures, and agreements.
    • All users are informed and trained.
    • Privileged users understand their roles and responsibilities.
    • Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
    • Senior executives understand their roles and responsibilities.
    • Physical and cybersecurity personnel understand their roles and responsibilities.
  • Data security (PR.DS): Your organization manages data in concert with its data risk strategy to protect the confidentiality, integrity, and availability of information.
    • Your data at rest is protected.
    • Your data is protected while in transit.
    • You manage your assets as they are being transferred, removed, and disposed of.
    • You maintain adequate storage capacity to ensure that your data is always available.
    • You have protection against data leaks.
    • You verify software, firmware, and information integrity.
    • Your development and testing environment(s) are separate from the production environment.
  • Information protection processes and procedures: (PR.IP): Your enterprise uses security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, processes, and procedures to manage the protection of information systems and assets.
    • You have a baseline configuration of information technology/industrial control systems incorporating security principles (the “concept of least functionality”).
    • You have a systems development lifecycle for managing your systems.
    • You have processes for configuration change control.
    • You conduct, maintain, and test information backups.
    • Your physical operating environment for organizational assets meets policies and regulations.
    • You destroy data according to your policies.
    • You have improved your data protection processes.
    • You share the effectiveness of protection technologies.
    • You have response and recovery plans, and you manage them.
    • You regularly test your response and recovery plans.
    • Your human resources practices include cybersecurity measures such as deprovisioning and personnel screening.
    • You have a vulnerability management plan.
  • Maintenance (PR.MA): Your organization maintains and repairs its industrial control and information system components according to policies and procedures.
    • You maintain and repair organizational assets, and log those activities, with approved and controlled tools.
    • Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
  • Protective technology (PR.PT): You manage technical security solutions to ensure your systems and assets are secure and resilient, consistent with organizational policies, procedures, and agreements.
    • You document and review your audit/log records according to policy.
    • You protect removable media and restrict its use according to policy.
    • You configure systems to provide each user with only what they need (“principle of least functionality”).
    • Your communications and control networks are protected.
    • You use mechanisms such as fail-safe, load balancing, and hot swap for greater resilience.

3. Detect—Develop and implement activities to identify cybersecurity events. Categories and subcategories are

  • Anomalies and events (DE.AE): Your organization knows when anomalous activity occurs on your systems.
    •  You maintain and manage a baseline of network operations and expected data flows for users and systems.
    • Your organization analyzes detected events to understand attack targets and methods.
    • Your systems collect and correlate event data from multiple sources and sensors.
    • You know the impacts of cybersecurity events.
    • You’ve established incident alert thresholds.
  • Security continuous monitoring (DE.CM): Your organization continuously monitors its information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. Monitoring includes these areas:
    • The enterprise network
    • The physical environment
    • External service providers’ activity
    • Employee activity

Monitoring should check for anomalies including

    • Malicious code
    • Unauthorized mobile code
    • Unauthorized users, connections, devices, and software
    • Vulnerabilities
  • Detection process (DE.DP): Your organization maintains and tests its detection processes and procedures to ensure that it is aware of anomalous events.
    • You’ve defined roles and responsibilities for detection.
    •  Your detection activities comply with requirements.
    • Your organization has tested its detection processes.
    • Event detection information gets communicated to those who need to know.
    • You continually improve your detection processes.

4. Respond—Develop and implement responses to detected cybersecurity events.

  • Response planning (RS.RP): Your enterprise has developed processes and procedures for responding to cybersecurity incidents.
    • You follow your response plan during or after an incident.
  • Communications (RS.CO): You coordinate response activities with internal and external stakeholders, including law enforcement agencies.
    • Employees know their roles and the order of operations when a response is needed.
    • Incidents are reported according to your criteria.
    • Your teams share information consistent with your response plans.
    • You coordinate with stakeholders according to your response plans.
    • You volunteer information on security incidents with external stakeholders, for broader awareness.
  • Analysis: (RS.AN): Your organization analyzes its response to cybersecurity incidents to improve and support recovery activities
    • You investigate detection system notifications.
    • Your teams understand each incident’s impacts.
    • You perform forensic analyses.
    • You categorize incidents consistent with your response plans.
    • You have processes for receiving, analyzing, and responding to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins or security researchers).
  • Mitigation (RS.MI): Your organization works to prevent the expansion of events, mitigate events’ effects and resolve incidents.
    • Incidents are contained.
    • Incidents are mitigated.
    • You mitigate newly identified vulnerabilities or document them as accepted risks.
  • Improvements (RS.IM): You work to improve your organization’s responses to security threats, events, and incidents by incorporating lessons learned from current and previous detection/response activities.
    • Your response plans incorporate lessons learned.
    • You update response strategies as needed.

5. RecoverDevelop and implement the appropriate actions to take upon detecting a cybersecurity event.

  • Recovery planning (RC.RP): You maintain recovery processes and procedures to restore systems or assets affected by cybersecurity incidents.
    • You follow your recovery plan during or after each cybersecurity incident.
  • Improvements (RC.IM): You improve your recovery planning and processes by incorporating lessons learned into future activities.
    • Your recovery plans incorporate lessons learned.
    • You continually update your recovery strategies.
  • Communications (RC.CO): Your organization coordinates its restoration activities with internal and external parties including coordinating centers, internet service providers, owners of attacking systems, victims, other computer security incident response teams, and vendors.
    • Your organization manages public relations post-incident.
    • Your enterprise repairs its reputation after an incident.
    • You notify internal and external stakeholders as well as executive and management teams about your recovery activities.

What is NIST Compliance?

NIST compliance means something different with each NIST publication. 

NIST CSF 

Compliance with NIST CSF can ease the way to compliance with other security frameworks including the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX). NIST CSF compliance, therefore, can mean saving time and expense down the road.

Many organizations choose to use NIST CSF, an information security framework, to assure themselves as well as their clients that their systems, network, and data are as safe as can be from a cybersecurity intrusion.

NIST 800-53

Implementing the security controls needed to comply with NIST 800-53 brings entities in line with the Federal Information Security Modernization Act (FISMA) and with the Federal Information Processing Standard Publication 200 (FIPS 200),. The NIST 800-53 security rules cover 18 areas, including access control, incident response, business continuity and disaster recovery.

For entities that are not federal agencies and are not affiliated with the federal government, compliance with any NIST framework or publication is voluntary. 

NIST also can be used as a framework for conducting risk assessments. Of course, NIST has a special publication for that: NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.

NIST 800-171

Organizations doing business with the U.S. Department of Defense (DoD) must comply with another set of NIST requirements: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems.

NIST SP 800-171 is for nonfederal information systems and organizations that are DoD contractors and process, store, or transmit Controlled Unclassified Information (CUI). 

These entities must meet the minimum security standards established by the Defense Federal Acquisition Regulation Supplement (DFARS), or lose their contracts. DFARS is based on NIST SP 800-171. So, compliance with NIST 800-171 is a must for these entities.

Steps to Becoming NIST 800-53 Compliant

Government agencies and their third-party contractors must comply with the Federal Information Security Management Act of 2002 (FISMA)–now the Federal Information Security Modernization Act–which NIST 800-53, Security and Privacy Controls for Federal Information Systems, helps them to do.

Toward that end, NIST has published a list of nine steps toward achieving compliance with FISMA:

  1. Categorize data and information you need to protect.
  2. Develop a baseline for the minimum controls required to protect that information.
  3. Conduct risk assessments to refine your baseline controls.
  4. Document your baseline controls in a written security plan.
  5. Roll out security controls to your information systems.
  6. Once you’ve implemented the controls, monitor their performance. 
  7. Determine your risk based on your assessment of security controls.
  8. Authorize your information system for processing.
  9. Conduct continuous monitoring of your security controls.

Non-government entities that contract with the U.S. Department of Defense may be required to comply not only with FISMA, but also with NIST 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems.

NIST compliance, in other words, can be pretty confusing. Although NIST CSF is written in clear, easy-to-understand language, it’s only one of many NIST publications. And NIST CSF isn’t auditable, but was designed only for guidance.

To verify that you’re NIST-compliant (with either NIST 800-53, NIST 800-171, or both), you will need a NIST audit. Our NIST audit guide walks you through the process step-by-step so that you’ll be prepared when the auditor walks through your door. 

But in general, you’ll need to complete these steps to ensure your entity’s compliance with NIST:

Step 1: Create a NIST Compliance Risk Management Assessment.

NIST 800-53 outlines precise controls and provides supplemental guidance for creating a proper risk assessment. NIST 800-171, however, provides but a few sentences describing the risk assessment process. So, even if you’re striving to comply with NIST 800-171, you’ll need to refer to NIST 800-53.

Step 2: Design and implement NIST-compliant access controls.

The contracting agency may prescribe controls; your organizational risk assessment should support them. NIST 800-53 and NIST 800-171 provide guidance on how to design, implement and operate needed controls.

Step 3: Monitor your controls.

Step 4: Prepare for your third-party audit/assessment. 

Both NIST 800-53 and 800-171 require audit programs. Governance, risk and compliance software can help with this step. ZenGRC, for instance, conducts unlimited self-audits with just a few clicks and stores all your audit documentation in one place. Consider it the “Single Source of Truth” repository, for easy access at audit time.

Step 5: Create a plan of action and milestones to measure your compliance success.

ZenGRC can help with this, and with every aspect of NIST compliance management: assessing your risk and NIST compliance gaps, telling you what controls you need to implement, walking you step-by-step through the process all the way to the finish, and managing and organizing your audit documentation. 

Doesn’t that sound much easier than juggling spreadsheets?

Step 6: Submit for your Authorization to Operate (ATO). 

To attain your NIST ATO, you’ll need to complete a NIST audit. Our NIST audit guide leads you step-by-step through the process of preparing for this audit.

Step 7: Repeat your risk assessment.

Monitoring your risk factors will help you determine how often you should reassess your cybersecurity risk.

Should You Implement the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework, officially titled Framework for Improving Critical Infrastructure Cybersecurity, was designed to aid critical infrastructure organizations in managing cybersecurity risk. But the benefits of NIST are available to any enterprise concerned about cybersecurity risk management.

The U.S. Secretary of Commerce suggests that every organization should use the NIST CSF to identify and address its cybersecurity vulnerabilities.

“The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs,” Secretary of Commerce Wilbur Ross has stated on the NIST website. 

In addition to the framework, NIST has developed more than 100 publications to help with cybersecurity. 

Most widely used are NIST CSF, NIST SP 800-53 and NIST SP 800-171.

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations provides the controls needed to implement the NIST CSF. 

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is required for every organization contracting with the U.S. Department of Defense (DoD). 

These publications can help your enterprise to determine risk and plan and achieve important protection measures at and beyond the minimum controls needed to safeguard access to systems and data.

Another NIST publication, NIST.IR.8170, Approaches for Federal Agencies to Use the Cyber Security Framework, lists eight approaches for using the NIST CSF, stating that federal agencies and the private sector may all benefit. These approaches also help with FISMA compliance, according to the document, They are: 

  1. Integrate enterprise and cybersecurity risk management by communicating with universally understood risk terms.
  2. Manage cybersecurity requirements using a construct that enables integration and prioritization of requirements.
  3. Integrate and align cybersecurity and acquisition processes by relaying cybersecurity requirements and priorities in common and concise language.
  4. Evaluate organizational cybersecurity using a standardized and straightforward measurement scale and set of self-assessment criteria.
  5. Manage the cybersecurity program by determining which cybersecurity outcomes necessitate common controls and apportioning work and responsibility for those cybersecurity outcomes.
  6. Maintain a comprehensive understanding of cybersecurity risk using a standard organizing structure.
  7. Report cybersecurity risks using a universal and understandable structure.
  8. Inform the tailoring process using a comprehensive reconciliation of cybersecurity requirements. 

NIST 800-53 lists six steps in the NIST Risk Management Framework for managing risk:

  1. Categorize the information system.
  2. Select the applicable security control baseline.
  3. Implement the security controls and document the design, development, and implementation details for the controls.
  4. Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  5. Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable.
  6. Monitor the security and controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, executive orders, directives, policies, regulations, and standards.

How to Prepare for a NIST Audit: Checklist

Federal agencies and entities doing business with the federal government must verify that they are in compliance with the appropriate NIST security controls. 

For instance, all organizations contracting with the U.S. Department of Defense are required to comply with the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which is based in part on NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 

Compliance with the NIST Cybersecurity Framework (NIST CSF) is completely voluntary for nonfederal information systems. A thorough compendium of information security rules and guidelines, NIST CSF is a flexible risk management framework adaptable and usable by any enterprise wishing to create or improve its security program. 

To demonstrate compliance, you’ll need to pass a NIST security audit, which covers everything from risk assessment to incident response and recovery. A number of resources are available to assist you with your audit preparation, including our own NIST audit guide, Preparing for a NIST Audit: A Step-by-Step Guide. This guide contains a handy NIST audit checklist using NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, which provides NIST audit controls for implementing the CSF. 

NIST 800-53 governs compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), which is mandatory for all government-affiliated entities. 

Looking for a NIST cybersecurity assessment tool to download? Resources are available to help you prepare for your NIST cybersecurity audit: 

 Or, instead of using a hodgepodge of tools and spreadsheets to manage your NIST compliance, use our NIST cybersecurity audit checklist in tandem with ZenGRC, our all-in-one governance, risk, and compliance software-as-a-service. 

ZenGRC tracks and manages your NIST controls and compliance for you—including showing how NIST compliance improves your compliance with other important regulations and requirements such as the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). 

In this day and age, data security and privacy ought to be high on every organization’s list, including yours. Passing a NIST audit assures your enterprise, customers, and clients that your systems, networks, and data—and their data, as well—are safe from intrusion.

NIST, FedRAMP, and FISMA: How Are They Related?

Think of the NIST, the Federal Risk and Authorization Management Program (FedRAMP), and the Federal Information Security Modernization Act (FISMA) as three fingers on the same hand.

NIST is the thumb needed to make the others useful. 

Federal agencies must comply with the FISMA, which NIST 800-53 helps to achieve. Compliance with NIST CSF may also entail compliance with NIST SP 800-53, the set of illustrative security controls referenced in the NIST CSF. 

Who must comply with FISMA:

  • Federal agencies
  • State agencies that deal with federal data
  • Organizations that administer federal funds
  • Private-sector companies that receive federal grant money, support federal programs, or contract with federal agencies must comply with FISMA. 

Cloud service providers doing business with the federal government must meet FedRAMP requirements. And FedRAMP and FISMA are both based on NIST 800-53—as are a number of other information security frameworks including the Health Insurance Portability and Accountability Act (HIPAA). 

To help you see how NIST, FedRAMP, and FISMA intersect, let’s take a brief look at each program.

NIST

NIST, an agency belonging to the U.S. Department of Commerce, provides guidelines on cybersecurity of information systems. The NIST CSF was designed primarily to tighten the security of U.S. critical infrastructures such as the energy and financial sectors, but the U.S. government now uses it for all federal information systems. 

For nonfederal agencies and providers, NIST compliance is voluntary, but an increasing number are using it to ensure their systems are secure as can be, and to satisfy their clients and customers’ concerns about cybersecurity. 

FISMA

FISMA requires government agencies and contracting organizations to use a risk-based approach when implementing their information security controls. 

The primary framework for FISMA compliance is NIST 800-53; compliant organizations receive an Authority to Operate (ATO) from the agency with which they are under contract. Organizations doing business with more than one agency must obtain an ATO from each, which may perform the security assessment or have a third-party assessor (3PAO) do so. 

FedRAMP

FedRAMP aims to support federal agencies’ use of cloud computing and services and ensure the security of cloud products and services. 

Because FedRAMP’s controls are based on NIST 800-53, cloud service providers wishing to contract with the federal government use NIST to meet the qualifications for an ATO. FedRAMP’s accelerated process allows organizations that obtain an ATO or provisional authorization (P-ATO) from the FedRAMP Joint Authorization Board (JAB) to use that ATO when contracting with all federal agencies. 

FedRAMP and FISMA certifications are demanding and complex. Compliance with NIST can ease the way for both—but NIST 800-53 has 108 controls! Nevertheless, checking off the NIST list can not only pave the way for lucrative government contracts, but also demonstrate to nonfederal customers and clients that your enterprise meets the “gold standard” for security. ZenGRC can ease your way to compliance with NIST and FedRAMP for smooth sailing on the federal-contracts seas.

NIST vs. SOC 2: What's the Difference?

Both the NIST CSF and the American Institute of Certified Public Accountants’ (AICPA) Systems and Organization Controls for Service Organizations 2 (SOC 2) are risk management frameworks governing information security. 

Check out our “Ultimate Guide to SOC 2” for an in-depth look at the SOC 2 framework. 

NIST vs. SOC 2: Whom they’re for

The NIST CSF and NIST special publications 800-53 and 800-171 are designed to improve cybersecurity for providers of U.S. critical infrastructure, such as the energy and financial sectors.

  • NIST CSF provides a flexible framework that any organization can use for creating and maintaining an information security program. NIST 800-53 and NIST 800-171 provide security controls for implementing NIST CSF.
  • NIST 800-53 aids federal agencies and entities doing business with them to comply as required with FISMA. Containing over 900 requirements, NIST 800-53 is the most granular cybersecurity framework available.
  • NIST 800-171 contains information security guidelines for the U.S. Department of Defense (DoD) and their contractors to help them comply with the Defense Federal Acquisition Regulation Supplement (DFARS). All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must comply with DFARS and, hence, NIST 800-171.
  • SOC 2 is designed specifically for auditors to use when assessing the data security and privacy controls of service providers such as cloud hosting services and payment processors. It’s not to be confused with SOC 1, a financial auditing framework that implements the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE-18).

NIST vs. SOC 2: How they work

NIST 800-53 contains 108 controls in 20 control families.

NIST CSF has five core principles:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

SOC 2 addresses five trust services categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

NIST vs. SOC 2: Who uses them

NIST is written for cybersecurity professionals to use in designing and implementing a cybersecurity program.

SOC is intended for auditors to use to evaluate a service provider’s security and privacy controls.

NIST vs. SOC 2: How they intersect 

Organizations can use NIST 800-53 to implement controls that will enable them to meet SOC 2 requirements.

Using NIST with other frameworks

The NIST CSF‘s core can also help organizations comply with a number of other security and privacy frameworks including the International Organization for Standardization’s ISO 27001, Information security management, and the Health Insurance Portability and Accountability Act (HIPAA). 

NIST compliance is voluntary for most but required for federal government agencies and for organizations doing certain types of business with those agencies.

Compliance with SOC 2 is voluntary but may be required by entities wishing to contract with a service provider.

NIST vs. ISO: What’s the difference? 

The NIST CSF and special publications and the International Organization for Standardization (ISO)’s 27000 series of information security management standards can both help organizations improve their cybersecurity risk management.

But the intended audiences and uses of NIST and ISO differ in key respects.

Here’s the breakdown:

NIST vs. ISO: Purpose

The NIST Cybersecurity Framework is a United States-based framework intended for use with federal information systems. It was developed to help federal agencies and U.S. critical infrastructure organizations secure their systems, networks, and data.

ISO is international. Its 27000 series of international standards were developed to help private companies develop and maintain information security management systems.

NIST vs. ISO: Users

Federal government agencies and organizations doing business with them are the primary users of NIST; the U.S. government requires all federal agencies to comply with FISMA, and NIST CSF can be used to help with that compliance.

Private companies outside the U.S. as well as multinational and international companies are the main users of the ISO 27000 series, especially ISO/IEC 27001 and ISO/IEC 27002.

NIST vs. ISO: Assistive tools

NIST has a set of security controls, NIST SP 800-53, that helps with NIST CSF compliance.

ISO 27002 is a security control framework that helps with ISO 27001 compliance.

So ISO 27002 is the ISO equivalent of NIST 800-53.

Various NIST documents align somewhat with ISO: NIST CSF, NIST 800-30, NIST 800-37, NIST 800-53, NIST 800-53a.

NIST vs. ISO: Technical level

NIST 800-53 provides information security controls in a variety of groups to help agencies and their contracting organizations use best practices in implementing and maintaining information systems. 

ISO 27002 is less technical than NIST 800-53, and is more risk-focused for organizations of every size and type.

NIST vs. ISO: Structure

NIST 800-53 has 20 control families and hundreds of controls.

ISO 27001 has 14 control categories and 114 controls.

NIST vs. ISO: Certification

NIST has no official certification program; entities instead must self-certify.

ISO 27001 certification is available from American Institute of Certified Public Accountants-approved auditors. 

What Are NIST Special Publications?

The National Institute for Standards and Technology publishes standards, guidelines, recommendations, and research on data and information systems security and privacy. 

Intended primarily for federal agencies and their third-party service providers, vendors, and contractors, NIST publications can be a useful resource for any organization establishing or maintaining a cybersecurity system. 

Compliance with NIST 800-53, for example, is essential for organizations striving to meet FISMA requirements. 

NIST provides a complete compendium of all its publications on the nist.gov website. Overall, the NIST technical publication series comprises 

  • Federal Information Processing Standards (FIPS): Security standards
  • NIST Special Publications: Guidelines, recommendations and reference materials
  • NIST Internal or Interagency Reports: Reports of research findings, including background information for FIPS and SPs
  • NIST Information Technology Laboratory (ITL) Bulletins: Monthly overviews of NIST’s security and privacy publications, programs and projects

NIST has hundreds of special publications. They fall into three categories: 

  • SP 800—Computer security
  • SP 1800Cybersecurity practice guides
  • SP 500—Information technology (relevant documents) 

The NIST glossary defines its special publications this way: A type of publication issued by NIST. Specifically, the NIST Special Publication 800 series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. 

NIST 800-series special publications include guidelines for establishing and maintaining information security programs, security controls, risk management guidance, technical information, and more. Here we’ve listed all the current NIST 800-series publications (except annual reports), starting with the most recent.

Final NIST 800 publications 

Draft NIST 800 special publications

Tips and Tools for Managing a NIST Security Plan

Developing a security plan is the starting point for effective cybersecurity and privacy risk management. And, once it’s written, you’ll need to keep it up to date to protect your data and systems from the newest wave of threats, such as malware. 

Whether you’re writing a security plan for your organization or updating the one you have, the NIST CSF, Framework for Improving Critical Infrastructure Cybersecurity, is a valuable resource—whether yours is a public- or private-sector organization, a part of the U.S. critical infrastructure or not. 

NIST CSF is written in accessible language to be as user-friendly as possible, but it doesn’t implement itself. For that, you need controls. 

If writing a security plan sounds complicated, that’s because it is. But whoever said that effective information security was easy? 

Fortunately, a number of tips and tools are available, including NIST evaluation tools, language technology tools, corpus-building tools, and planning tools, to help your organization meet all its security risk management requirements from planning to implementation to continuous monitoring and beyond. 

And if you decide that automating your NIST compliance is the best solution? Tools are available for that, as well, in the form of governance, risk, and compliance software that’s also NIST audit software capable of evaluating your NIST compliance, and identifying and helping you to fill compliance gaps.

Your NIST security plan toolbox

One of the first documents any organization serious about NIST should download and read is NIST Risk Management—Select Step—Tips and Techniques for Systems. This handy NIST guide walks you step-by-step through the process of writing a NIST security plan. And it’s free! 

NIST has also created a list of government-generated planning guides that can help you create, evaluate, and improve your business’s cybersecurity plan: 

Cybersecurity Resources Roadmap—This Department of Homeland Security document aims to help small and medium-sized businesses select the most useful cybersecurity resources based on their needs.

Cyber Insurance—From the Federal Trade Commission (FTC), this site offers tips on choosing a cyber insurance policy.

FCC Cyber Planner—If yours is a small business wanting to create its own customized security plan, the Federal Communication Commission’s (FCC) Small Biz Cyber Planner 2.0, available online, is for you.

Understanding the NIST Cybersecurity Framework—This overview of the popular information security framework provides guidance for how to use it in your business, from the FTC.

Cybersecurity Risk Management—This is the FCC Communications Security, Reliability and Interoperability Council’s report on cybersecurity risk management and best practices.

Manufacturing sector guides

The manufacturing sector has its own set of cybersecurity challenges. In recognition of these special needs, NIST has published a list of security planning guidelines especially for small manufacturers:

Cybersecurity Framework Steps for Small Manufacturers helps small manufacturers understand the NIST Cybersecurity Framework and how they can use it to manage their cyber risks. 

NIST Manufacturing Profile—NISTIR 8183 provides cybersecurity framework details for manufacturing including a guide for reducing cybersecurity risk in accord with manufacturing sector goals and industry best practices.

Manufacturers Guide to Cybersecurity for Small and Medium-Sized Manufacturers outlines common cybersecurity practices for small and medium-sized manufacturers. 

NIST also has compiled a list of software packages to help organizations evaluate the various aspects of their cybersecurity program.

How to Automate Your NIST Compliance Management

There are a number of ways to manage and monitor your NIST compliance. Most of them are arduous. Automation, however, is not.

For example, you may choose to read the NIST CSF and use spreadsheets to write your NIST compliance plan of action and milestones, chart your risk management compliance, identify and fill information security gaps, and keep tabs on the assessment and monitoring of your third-party contractors’ and suppliers’ information systems and NIST compliance. 

With this option, though, you’ll be juggling a lot of documents and toggling a lot of screens. 

Or, if yours is a federal agency or an organization doing business with federal agencies, you can use NIST Special Publication 800-53 to implement the security controls your organization needs to be NIST CSF compliant, and keep track of your progress using, again, spreadsheets.

Or if you’re contracting with the U.S. Department of Defense, you can aim for compliance with NIST 800-171. 

But even all the tips, tricks, and techniques listed in the section above won’t make compliance easy.

Too, you can manually map your compliance with other security and risk management frameworks and requirements including ISO 27001, FISMA, SOC 2, and, for cloud providers, FedRAMP, so you know you’re not duplicating your efforts or doing more for NIST compliance than you need to. 

But manual mapping is laborious, time-consuming, and not cost-effective.

Or you can automate your compliance mapping, management, and monitoring, and let today’s most advanced governance, risk, and compliance (GRC) software do much of the work for you.

The Zen Way to NIST Compliance

ZenGRC does everything you and your people can do for NIST compliance, but faster and more thoroughly. From the moment you log in to our software-as-a-service (SaaS), ZenGRC performs the time-consuming drudge work so you don’t have to, including:

  • Conducting a risk assessment of your information systems and those of your third-party vendors to see where you comply and where you fall short, and enhance your asset management
  • Creating a plan of action and milestones for systems security and displaying it on user-friendly dashboards so you can see in real-time what needs to be done, and who needs to do it
  • Mapping all your compliance efforts and frameworks so you can avoid duplication and use your time and money wisely
  • Providing continuous monitoring of your systems, and flagging you when changes occur that could threaten your NIST compliance
  • Updating itself when NIST changes
  • Conducting automated, unlimited self-audits and organizing your documents in a “single source of truth” repository for easy retrieval at audit time

No more hunting for documentation; no more searching emails or toggling screens: ZenGRC’s centralized, at-a-glance dashboards and simplified self-assessments can make aligning to NIST a worry-free, Zen-like experience. 

Then, you and your personnel will be freer to focus on the task at hand: keeping your data, systems, and networks secure and operational, and your clients and customers happy.

Why not contact us now for your free ZenGRC consultation?

Learn More

Managing Security in the New Normal—What to Consider?

Read more

What is Hybrid Cloud Security?

Read more

What is Security Awareness Training?

Read more