Guide to NIST Standards and Compliance
In today's technologically advanced modern world, many businesses rely on computers to sort and store information. This can range from small businesses that keep digital records of their sales, to large government-backed organizations keeping tabs on the personal information of their citizens. But as with any information, digital information can be hacked, stolen or otherwise compromised. Physical information can at least be kept under lock and key — digital information, however, requires new standards of protection to avoid being compromised.
The National Institute of Standards and Technology (NIST) is a US government institute that maintains technology, metrics and standards of security within both the science and technology industries. NIST began in 1901 as part of the Department of Commerce (DoC), but quickly evolved into an essential part of business management.
It should be noted that the NIST is different from other guidance-issuing entities such as the International Organization for Standardization (ISO), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Cybersecurity Maturity Model Certification (CMMC). The ISO focuses strictly on risk control, the DFARS focuses on obtaining data over securing it, and the CMMC deals directly with the Department of Defense (DoD) and other defense-related groups.
NIST differs from these organizations in that it focuses specifically on protection guidelines and protocols for digital information. It helps set the standards for digital information protection by creating and detailing technological guidelines for businesses to follow, such as the NIST Cybersecurity framework. It also promotes innovation and competition within industries by advancing both scientific standards and technology. This promotes economic security as well as digital security.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is one of the most widely used NIST standards for cybersecurity. It was originally made for sixteen infrastructure sectors in the US, but has now become a popular framework for identifying and managing cybersecurity risks. It outlines the minimum requirements for protecting digital data without implementing new technology, instead building off of pre-existing technology. The NIST CSF has five core functions:
- Identify: First, all data and devices being used are identified and listed. This includes computers, phones, tablets and other digital devices being used in that organization, as well as any information that's stored on them.
- Protect: Next, the team involved in implementing the functions creates security measures for the devices and their stored data. These can include regular backups, encrypting data, limiting who has login access, and updating security software. Once these security measures are created, the team implements them.
- Detect: In the third step, the team identifies any potential threats and creates detection methods to combat them. Finding these potential threats usually involves analyzing the devices for unauthorized access or software.
- Respond: Next, the team must devise a plan to implement in the event of a cyber attack. This can include how they'll notify their clients of the attack, how to report the attack to local authorities, how to investigate the attack, and how to best continue business operations.
- Recover: Finally, the team makes plans on how to best recover any data or equipment lost in a successful attack.
These five stages can be broken down into categories and subcategories as the situation requires. What's more, since the NIST CSF is a framework, organizations can pick and choose which categories and subcategories to use, depending on which ones are most applicable to them. The CSF is also simple enough to be applied to both big and small businesses.
In addition to the CSF, the NIST sets several other kinds of standards in the effort to protect online information. The standards are separated according to what they're applied to — some sets are mandatory, others are only guidelines.
Federal Information Processing Standards (FIPS)
FIPS are required guidelines for federal computer systems. While they're mostly applicable to federal agencies, they are also voluntarily used by many in the private sector. They can also be utilized by nongovernment organizations that wish to develop strong security programs.
- FIPS 140-2: Security Requirements for Cryptographic Modules
- FIPS 180-4: Secure Hash Standard
- FIPS 186-4: Digital Signature Standard
- FIPS 197: Advanced Encryption Standard (AES)
- FIPS 198-1: The Keyed-Hash Message Authentication Code (HMAC)
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
- FIPS 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors
- FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-output Functions
Special Publications (SPs)
The NIST SPs are additional publications on digital security. Federal agencies are required to follow any SP outlined in the FIPS. There are several "series" of SPs, as they are constantly updated. This includes the "1800 series" and the "500 series." The most applicable current set of SPs are the ones known as the "800 series" — these are the ones listed below:
- SP 800-18: Guide for Security System Plan Development. This publication can be tied to the "Protect" function of the CSF, as it helps guide security system planning.
- SP 800-30: Guide for Conducting Risk Assessments. This publication can be tied to the "Detect" function of the CSF, as it helps assess risks.
- SP 800-34: Guide for Contingency Plan Development. This publication can be tied to the "Recover" function of the CSF, as it helps to develop contingency plans in case of information leaks.
- SP 800-37: Guide for Applying the Risk Management Framework. This publication can be tied to the "Respond" function of the CSF, as it helps to develop and implement risk management systems.
- SP 800-39: Managing Information Security Risk
- SP 800-53: Controls Catalog, Assessment Procedures and Control Baselines. This publication involves systems that monitor and control the external boundaries of the network and systems that connect to the network. This includes firewalls.
- SP 800-60: Mapping Information Types to Security Categories
- SP 800-128: Security-focused Configuration Management
- SP 800-137: Information Security Continuous Monitoring
- SP 800-160: Systems Security Engineering
- SP 800-161: Supply Chain Risk Management Practices
- SP 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, Assessment Procedures and Enhanced Security Requirements. This publication focuses on protecting CUI in groups that aren't directly connected to the federal government. This is aided by the Supplier Performance Risk System (SPRS), a database that contains all information from vendors identified by their Commercial and Government Entity (CAGE) code.
Interagency Reports (IRs)
IRs are reports created for work performed by NIST for outside sponsors. These can be both government and nongovernment sponsors. As with the SPs, the ones listed below do not constitute the total amount of IRs:
- NISTIR 8011: Automatic Support for Security Control Assessments
- NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems
NIST compliance is, as the name dictates, complying with the standards of cybersecurity set by the NIST. It also means maintaining these standards as time goes on, even as the standards change over time. All companies that do business with the US government, whether currently or in the future, should comply with NIST standards, including those that are hired temporarily for projects.
There are several benefits to complying with NIST standards, even if it appears that you don't have to:
- Helps to protect your data: In the current era of technological advancement, malware and hacking methods advance just as quickly as the technology they seek to infiltrate. Complying with the NIST standards means that you'll be meeting the current standards for cybersecurity in the industry. Not only will you have a strong defense system in place, you'll also have guidelines for both attempted and successful information leaks.
- Allows compliance with federal and government regulations: Meeting the NIST standards for data protection also helps you meet both federal and government regulations for business security. The Federal Information Security Management Act (FISMA) requires by law that all federal agencies implement information security and protection programs to keep their digital information safe from attack. FISMA not only applies to federal agencies, but state agencies that administer federal programs such as Medicare and private businesses that are involved in contracts with the US government.
- Provides a competitive advantage: Meeting NIST standards shows that your business is dedicated to protecting its information. This makes it appear more reliable, which can give it an edge over competitors.
NIST compliance is more than just a method of keeping a business's information secure. For federal businesses, their security is the security of the American people. If there's an information leak, then the people connected to that information can suffer as well. This also applies to any business that carries sensitive information.
Not only does failing to comply with NIST standards leave you more vulnerable to cyber attacks, it can also make your organization appear less credible overall. This can cause you to miss out on government contracts, as well as lose pre-existing contracts. In the worst-case scenario, you can even suffer legal repercussions.
NIST is not the only standard or method for maintaining cybersecurity. While it may be the main organization dedicated to outlining it, there are other US organizations, acts and programs that aid NIST in its mission to maintain high standards of technological security.
As described above, FISMA is a federal act implemented in 2002, requiring all federal agencies to implement security measures in order to protect their digital information. It is closely connected to NIST in that it enforces the guidelines that NIST lays out. It also has its own set of rules, regulations and guidelines. For example, the FISMA compliance framework, similar to the NIST CSF, creates a list of functions in order to manage cybersecurity standards:
- Information system inventory: All systems used for information in the organization must be counted and recorded.
- Risk Categorization: Organizations must categorize their information according to the highest risk level it faces in the event of a security breach.
- System Security Plan: The organization must have a security plan in place, and the plan must be updated regularly in order to maintain efficiency in the event of a cyber attack.
- Risk Assessment: Every time the security plan is updated, it must be tested in order to assess associated risk.
- Certification and Accreditation: FISMA dictates that each organization conduct a yearly security review. If the organization passes, it will receive certification that it is FISMA compliant.
- Continued Monitoring: The organization's systems must be monitored for any issues, so that necessary changes can be made in a timely manner.
Some of these steps coincide with the functions of the NIST CSF, while some can enhance the functions to create even stronger security. Failure to comply with these standards can lead to a loss of federal funding.
Enterprise Mission Assurance Support Service (eMass)
eMass is a DoD-recommended tool meant to aid in cybersecurity, created by the Defense Information Systems Agency (DISA). It is web-based and Government-off-the-shelf (GOTS), meaning it was developed by and meant to be used by a government agency. This system allows for more time to be spent on security protocol development. The program has several functions, including:
- Generates reports: eMass can automatically generate cybersecurity reports, specifically the Risk Management Framework (RMF) and DoD Information Assurance Certification and Accreditation Process (DIACAP) Package Reports.
- Manages activities: eMass automatically manages all cybersecurity compliance activities on the device.
- System inheritance: A fully automatic inheritance system allows the device to inherit security control statuses from other systems, among other things.
- Collaborative security assessments: eMass allows for collaborative security assessments from Integrated Project Teams, no matter their location.
While eMass is not a required tool for cybersecurity, it is highly useful in security management procedures. It also comes with training courses for those who are unsure how to properly implement it.
The US DoD is the largest US government organization. It focuses on the security of the United States, both in terms of military and in terms of homeland defense. This can and often does include matters of digital security as well.
While the NIST is not a part of DoD, the two have occasionally worked together on matters of cybersecurity infrastructure. It should also be noted that any contractors who wish to work with the DoD must be NIST compliant in order to be approved. The most focus should be directed toward following the regulations laid out in SP 800-171, which protects the confidentiality of CUI.
How NQA can Help
Given the ever-evolving threats in the digital realm, it's important to keep your business's information safe and secure. To that end, it's important to keep up with NIST standards and strive to meet them. Failing to meet NIST standards can leave your business at risk of both cybersecurity breaches and legal trouble. However, knowing where to start in bringing your security standards up to code can be daunting, considering the scope of modern technology.
If you're not sure how to meet NIST guidelines, consider NQA. NQA is a global certification business, providing certification, training and support for businesses worldwide. We serve a broad range of industries, including space, defense, civil aviation, telecommunications, industrial, electronics and more. With NQA, you can expect practical advice in order to help your business comply with legal industry standards. Contact us today for information on training, scheduling, quotes for certification and more.