What Are NIST Data Center Security Standards?
Published March 10, 2020 • 3 min read
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce. Among its responsibilities is publishing the security standards and guidelines (the FIPS and Special Publication 800 series) that federal information systems must follow, and that data centers and other organizations widely adopt as a baseline.
Organizations whose data centers are built and operated against NIST guidance gain a documented, auditable set of controls for protecting critical business data. Following the standards does not guarantee security; it provides the framework for selecting, implementing, and continuously assessing the controls that protect it.
The NIST publications cover data center infrastructure (facilities and physical access) as well as the information systems and supporting applications that run inside it. Their scope spans both information security and cybersecurity: confidentiality, integrity, and availability of data, plus the protection of the systems that process it.
Some of the publications that cover data center security include:
NIST 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53 is a catalog of security and privacy controls for federal information systems and organizations. Its control families cover areas such as access control, configuration management, system and communications protection, and supply chain risk management, and the catalog is applied to mobile, cloud, and traditional data center deployments alike. Controls are selected from it, based on an impact baseline, to build secure and resilient information systems.
NIST SP 800-53 also defines continuous monitoring controls (the assessment, authorization, and monitoring family). These require that the security state of systems be tracked on an ongoing basis, so that decision makers have current information when responding to high-risk situations rather than relying on a point-in-time assessment.
NIST SP 800-53 provides the control baselines that federal agencies use to implement the Federal Information Security Management Act (FISMA, updated as the Federal Information Security Modernization Act of 2014), and that support other programs protecting federal data and promoting information security.
NIST 800-30 – Guide for Conducting Risk Assessments
NIST SP 800-30 is the guide for conducting risk assessments. It defines threats, vulnerabilities, likelihood, and impact, explains how uncertainty affects each of them, and describes how to combine the likelihood that a threat exploits a vulnerability with the resulting impact to arrive at a risk level for the organization. The risk assessment is one input to the NIST Risk Management Framework described in SP 800-37, whose steps are categorize, select, implement, assess, authorize, and monitor (with a preparatory step added in the 2018 revision).
Several organizations publish cybersecurity frameworks that can help data centers establish a solid base for their cybersecurity planning; the NIST publications and ISO 27001 are the ones most often referenced.
NIST 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-171 applies to nonfederal organizations (contractors, service providers, and their data centers) that store or process controlled unclassified information (CUI). Its physical protection requirements are the ones most directly relevant to data centers: limiting physical access to information systems, equipment, and their operating environments to authorized individuals; escorting and monitoring visitors; maintaining audit logs of physical access; controlling and managing the devices (badges, keys, tokens) that grant physical access; and enforcing safeguarding measures for CUI at alternate work sites.
ISO 27001 Information Security Management System Standard
ISO/IEC 27001 is the most widely adopted international standard for an information security management system (ISMS). Organizations are certified against it by accredited auditors, and the certification covers information security, physical security, and business continuity controls.
An ISO 27001-certified ISMS requires that:
- Risks and threats to the business are assessed and managed.
- Physical security processes, such as restricted/named access, are enforced consistently.
- Audits are conducted regularly at each site.
The ISO 27001 standard requires the organization to identify and assess risks to its information assets, including personnel, IT systems, processes, and intellectual property, and to select controls that treat those risks.
Organizations that achieve ISO 27001 certification demonstrate that they have implemented and maintain security best practices for protecting information and managing risk. For data centers, certification also signals to prospective colocation customers that the facility is committed to a high, independently audited level of information security.
The Federal Risk and Authorization Management Program (FedRAMP) builds on several NIST documents, using SP 800-53 as its library of security controls and SP 800-37 as its risk management process.
It is important to note the difference between NIST and FedRAMP.
NIST publishes the standards and guidelines for risk management, information security, and privacy controls that apply to information systems used by the U.S. federal government. FedRAMP applies those NIST guidelines in its own authorization framework so that U.S. government agencies can adopt cloud services securely and consistently, with one authorization reusable across agencies.
FedRAMP authorization is only required of cloud service providers that serve federal agencies or departments. Private organizations outside that scope are not required to pursue it, but many use the FedRAMP baselines as a reference for evaluating cloud providers, since they give a consistent, NIST-derived set of controls to measure against.