Is NIST Mandatory?Published November 5, 2019 • < 1 min read
Compliance with National Institute of Standards and Technology (NIST) standards is mandatory depending on the industry in which an organization conducts business. Because industries have different risks, the cybersecurity framework’s flexible scheme accommodates the protection of critical infrastructure, as well as other areas involving the economy and national security.
NIST is only mandatory for all United States federal agencies as of 2017. The private sector consumption and use of the NIST framework is voluntary.
Organizations that are designated federal, state, or defense must often comply with specific NIST security requirements outlined in Federal Information Security Management Act of 2002 (FISMA). NIST develops Federal Information Processing Standards (FIPS) in congruence with FISMA. Contractors that do business with the federal government must also comply with the NIST Cybersecurity Framework (CSF). They must also comply with several NIST Special Publications like Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
The intent behind third-party compliance is to reduce third-party cybersecurity risk. Many federal organizations have robust third party vendor risk management and risk assessment teams to help prevent data breaches.