# NIST Resources
National Institute of Standards and Technology frameworks and publications
The National Institute of Standards and Technology (NIST) provides comprehensive frameworks, standards, and guidelines for cybersecurity, risk management, and software development. These resources are essential for organizations seeking to implement robust security practices.
## NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework provides a structure for organizations to manage and reduce cybersecurity risk.
### Framework Core Functions

```
┌─────────────────────────────────────────────────────────────────────────────┐
│                        NIST CYBERSECURITY FRAMEWORK                         │
└─────────────────────────────────────────────────────────────────────────────┘

┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐
│ IDENTIFY│──▶ │ PROTECT │──▶ │ DETECT  │──▶ │ RESPOND │──▶ │ RECOVER │
└─────────┘    └─────────┘    └─────────┘    └─────────┘    └─────────┘
     │              │              │              │              │
     ▼              ▼              ▼              ▼              ▼
  Asset          Access         Security       Incident       Recovery
  Management     Control        Monitoring     Response       Planning
  Risk Mgmt      Awareness      Detection      Analysis       Improvements
  Governance     Data Sec       Anomalies      Mitigation     Comms
```

### Function Categories
| Function | Purpose | Key Activities |
|---|---|---|
| Identify | Understand cybersecurity risk | Asset management, risk assessment |
| Protect | Safeguard critical services | Access control, awareness training |
| Detect | Identify cybersecurity events | Continuous monitoring, detection |
| Respond | Take action on detected events | Response planning, communications |
| Recover | Restore capabilities | Recovery planning, improvements |
### Implementation Tiers
| Tier | Description | Characteristics |
|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive |
| Tier 2 | Risk Informed | Risk-aware, not org-wide |
| Tier 3 | Repeatable | Consistent, formal policies |
| Tier 4 | Adaptive | Continuous improvement |
## NIST 800-53 Security Controls
NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems.
### Control Families
| ID | Family | Description |
|---|---|---|
| AC | Access Control | Who can access what |
| AT | Awareness and Training | Security education |
| AU | Audit and Accountability | Logging and monitoring |
| CA | Assessment, Authorization | Control evaluation |
| CM | Configuration Management | Secure configurations |
| CP | Contingency Planning | Business continuity |
| IA | Identification and Authentication | Identity verification |
| IR | Incident Response | Security incident handling |
| MA | Maintenance | System maintenance |
| MP | Media Protection | Media handling |
| PE | Physical and Environmental | Physical security |
| PL | Planning | Security planning |
| PM | Program Management | Security program |
| PS | Personnel Security | Personnel screening |
| RA | Risk Assessment | Risk identification |
| SA | System and Services Acquisition | Secure development |
| SC | System and Communications Protection | Data protection |
| SI | System and Information Integrity | System integrity |
| SR | Supply Chain Risk Management | Supply chain security |
### Control Baselines
| Impact Level | Controls | Use Case |
|---|---|---|
| Low | ~125 controls | Low-impact systems |
| Moderate | ~325 controls | Most federal systems |
| High | ~421 controls | Critical systems |
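The impact level in the table above is not chosen freely: it comes out of the RMF Categorize step described later on this page, and the baseline selected in the Select step must match it. The following is an added Python example (not code from the page, from NIST, or from the NUP project) that applies the FIPS 199 high-water-mark rule, which SP 800-37 relies on for categorization: for each security objective, take the highest provisional impact level across all information types the system handles, and the overall system level is the highest of the three. The information types below are constructed for illustration.

```python
"""FIPS 199 high-water-mark categorization feeding SP 800-53 baseline selection.

Added example, not code from the page, NIST or the NUP project. The three
impact levels and the "highest of the three objectives" rule are FIPS 199;
the information types are constructed for a hypothetical telemetry service.
"""

LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types; each carries a provisional impact level per objective.
INFORMATION_TYPES = [
    {"name": "device telemetry", "confidentiality": "moderate",
     "integrity": "high", "availability": "moderate"},
    {"name": "service configuration", "confidentiality": "moderate",
     "integrity": "moderate", "availability": "low"},
    {"name": "public documentation", "confidentiality": "low",
     "integrity": "low", "availability": "low"},
]


def _rank(level: str) -> int:
    """Map a level name to its rank, rejecting anything outside the three FIPS 199 values."""
    try:
        return LEVELS[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown impact level {level!r}; expected low, moderate or high") from None


def categorize_system(info_types) -> dict:
    """High-water mark: per objective, the highest level across all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    marks = {obj: 0 for obj in OBJECTIVES}
    for entry in info_types:
        for obj in OBJECTIVES:
            marks[obj] = max(marks[obj], _rank(entry[obj]))
    return {obj: LEVEL_NAMES[rank] for obj, rank in marks.items()}


def overall_impact(security_category: dict) -> str:
    """Overall system impact level: the highest of the three objectives."""
    return LEVEL_NAMES[max(_rank(level) for level in security_category.values())]


def select_baseline(info_types) -> str:
    """Categorize, then name the SP 800-53 baseline (low/moderate/high) that matches."""
    return overall_impact(categorize_system(info_types))


def format_security_category(security_category: dict) -> str:
    """Render the result in the FIPS 199 notation used in system security plans."""
    parts = ", ".join(f"({obj}, {security_category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}"


if __name__ == "__main__":
    sc = categorize_system(INFORMATION_TYPES)
    print(format_security_category(sc))
    print("overall impact:", overall_impact(sc),
          "-> apply the", select_baseline(INFORMATION_TYPES), "baseline")
```

Note what the rule does to the example: a single information type rated High for integrity pulls the whole system to the High baseline even though every other rating is Moderate or Low, so the number of information types a system processes is a design decision with a direct control-count cost.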
## NIST Risk Management Framework (RMF)

The RMF provides a structured process for managing security and privacy risk.

### RMF Steps
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                          RISK MANAGEMENT FRAMEWORK                          │
└─────────────────────────────────────────────────────────────────────────────┘

  ┌───────────┐
  │  PREPARE  │  Establish context, priorities, resources
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │CATEGORIZE │  Categorize system based on impact
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │  SELECT   │  Select appropriate security controls
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │ IMPLEMENT │  Implement and document controls
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │  ASSESS   │  Assess control effectiveness
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │ AUTHORIZE │  Authorize system operation
  └─────┬─────┘
        │
        ▼
  ┌───────────┐
  │  MONITOR  │  Continuously monitor controls
  └───────────┘
```

## NIST 800-Series Publications
### Key Publications
| Publication | Title | Purpose |
|---|---|---|
| 800-37 | Risk Management Framework | RMF guidance |
| 800-53 | Security and Privacy Controls | Control catalog |
| 800-53A | Assessing Security Controls | Assessment procedures |
| 800-61 | Incident Handling Guide | Incident response |
| 800-63 | Digital Identity Guidelines | Authentication |
| 800-88 | Media Sanitization | Data destruction |
| 800-115 | Technical Security Testing | Penetration testing |
| 800-171 | Protecting CUI | Contractor requirements |
### Software Development Publications
| Publication | Title | Use Case |
|---|---|---|
| 800-160 Vol. 1 | Systems Security Engineering | Secure system design |
| 800-160 Vol. 2 | Cyber Resiliency | System resilience |
| 800-218 | Secure Software Development Framework (SSDF) | DevSecOps |
## Secure Software Development Framework (SSDF)
NIST SP 800-218 defines practices for secure software development.
### SSDF Practice Groups
| Group | Focus | Practices |
|---|---|---|
| Prepare (PO) | Organization preparation | Define requirements, roles, tools |
| Protect (PS) | Protect software | Secure environments, code protection |
| Produce (PW) | Produce secure software | Design, code, test securely |
| Respond (RV) | Respond to vulnerabilities | Identify, remediate, disclose |
### Key Practices
```yaml
SSDF_Practices:
  Prepare:
    - PO.1: Define security requirements
    - PO.2: Implement roles and responsibilities
    - PO.3: Implement supporting toolchains
    - PO.4: Define criteria for software security checks
    - PO.5: Implement and maintain secure environments
  Protect_Software:
    - PS.1: Protect all forms of code
    - PS.2: Provide software integrity verification
    - PS.3: Archive and protect release data
  Produce_Well_Secured:
    - PW.1: Design to meet security requirements
    - PW.2: Review software design
    - PW.4: Reuse secure software
    - PW.5: Create source code adhering to standards
    - PW.6: Configure compilation to secure code
    - PW.7: Review and analyze human-readable code
    - PW.8: Test executable code
    - PW.9: Configure software to have secure settings
  Respond_Vulnerabilities:
    - RV.1: Identify and confirm vulnerabilities
    - RV.2: Assess vulnerabilities
    - RV.3: Remediate vulnerabilities
```

## Using NIST Resources in NUP
### Mapping to NUP Phases
| NUP Phase | NIST Resources |
|---|---|
| Inception | Risk Assessment (800-30), System Categorization |
| Elaboration | Control Selection (800-53), Security Requirements |
| Construction | SSDF Practices, Secure Coding |
| Transition | Control Assessment (800-53A), Authorization |
| Operations | Continuous Monitoring, Incident Response |
### Integration Points
- Requirements: Map to NIST control requirements
- Design: Apply 800-160 security engineering
- Implementation: Follow SSDF practices
- Testing: Use 800-115 testing guidance
- Deployment: Complete RMF authorization
- Operations: Implement continuous monitoring
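The "Implementation: Follow SSDF practices" point is the one that turns into code in a build pipeline. The following is an added Python example (not code from the page, from NIST, or from the NUP project) for practice PS.2, software integrity verification, from the Key Practices list above: the release side produces a SHA-256 manifest in the common `<hex digest>  <filename>` layout, and the consuming side verifies every artifact against it, distinguishing a modified file, a file missing from the release, and a file that shipped without an integrity record. The release artifacts are constructed in memory so the example runs offline; nothing here is a NIST-provided tool.

```python
"""SSDF PS.2-style software integrity verification with a SHA-256 checksum manifest.

Added example, not code from the page, NIST or the NUP project. The manifest
layout follows the usual "<hex digest>  <filename>" SHA256SUMS convention; the
release artifacts are constructed stand-ins so the example runs offline.
"""

import hashlib
import hmac

# Constructed stand-ins for build outputs (artifact name -> content bytes).
RELEASE_ARTIFACTS = {
    "app-1.4.2-linux-amd64.tar.gz": b"constructed linux build payload",
    "app-1.4.2-windows-amd64.zip": b"constructed windows build payload",
    "app-1.4.2.sbom.json": b'{"bomFormat": "CycloneDX", "components": []}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Release side: one 'digest  name' line per artifact, sorted so the manifest diffs cleanly."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items()))


def parse_manifest(text: str) -> dict:
    """Parse a manifest into {name: digest}; malformed lines are an error, never skipped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 hex digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


def verify_release(manifest_text: str, artifacts: dict) -> dict:
    """Consumer side: a verdict per artifact, one of ok, modified, missing or unlisted."""
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, digest in expected.items():
        if name not in artifacts:
            verdicts[name] = "missing"      # listed in the manifest but absent from the release
        elif hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"     # content differs from what was hashed at build time
    for name in artifacts:
        if name not in expected:
            verdicts[name] = "unlisted"     # shipped with no integrity record at all
    return verdicts


def release_is_intact(manifest_text: str, artifacts: dict) -> bool:
    """True only when every artifact is listed and matches and nothing unlisted is present."""
    return all(v == "ok" for v in verify_release(manifest_text, artifacts).values())


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_ARTIFACTS)
    print(manifest)
    tampered = dict(RELEASE_ARTIFACTS)
    tampered["app-1.4.2-linux-amd64.tar.gz"] += b"\x00injected"
    print(verify_release(manifest, tampered))
```

Two design points matter for a deployment of this check. The verdict is per artifact rather than a single boolean so that an "unlisted" file, the usual sign of a build step adding outputs nobody reviewed, is visible and not masked by everything else passing. And a checksum manifest only proves that the artifacts match the manifest; it says nothing about who produced the manifest. Publishing it through the same channel as the artifacts gives an attacker who can swap one the ability to swap both, so in practice the manifest itself needs a signature (or delivery over a separately trusted channel) to complete PS.2.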
## Related Resources
- Security
- FedRAMP Guidelines
- Security Checklists
- NIST Cybersecurity Framework
- NIST 800-53 Controls
- Risk Management Framework
- SSDF (800-218)
- NIST Computer Security Resource Center
## Compliance
This section fulfills ISO 13485 requirements for regulatory requirements (4.1.1) and risk management (7.1), and ISO 27001 requirements for information security policies (A.5.1), compliance with legal requirements (A.5.31), and risk management (6.1).