When people in information security refer colloquially to the NIST frameworks, they are most likely referring to three specific NIST documents on cybersecurity best practices: NIST 800-53, NIST 800-171, and the NIST Cybersecurity Framework. Two of these three documents specify required controls for either U.S. federal agencies or organizations that work with U.S. federal government data, but all three contain best practices that any security organization can use as a baseline for its own security operations.
NIST, or the National Institute of Standards and Technology, is a federal agency within the US Chamber of Commerce whose work spans manufacturing, quality control, and information security, among other fields. The agency collaborated with security industry experts, other government agencies, and academics to establish a set of controls and balances to help operators of critical infrastructure manage cybersecurity risk. Today, many organizations use NIST guidelines to manage and reduce risks that could affect their environment and their customers.
NIST Special Publication 800-53, titled “Security and Privacy Controls for Federal Information Systems and Organizations,” is primarily relevant to federal agencies as they work to become and stay compliant with the Federal Information Security Management Act (FISMA). 800-53 does include generalized guidance on how a robust risk management and information security program should function, but it is best known for taking the high-level requirements of FISMA and providing a deep dive into each of its components, helping organizations understand the specific kinds of security controls they will need to implement in order to comply with FISMA.
It is a hefty document, clocking in at over 450 pages as of revision 4, so NIST provides several categorizations to help readers understand which guidance applies to them. NIST 800-53 groups all of its controls into eighteen security control “families” for ease of understanding. Even within those eighteen families there are numerous subcategories and individual controls, so to help organizations decide where to start and how to prioritize, NIST assigns each control a priority code, from P1 (high priority, meaning implement first) to P3 (low priority). NIST recommends implementing all P1 controls in 800-53 before tackling P2 and P3.
800-53 also helps agencies understand the desirable baseline level of rigor for controls on different kinds of systems. These baseline levels (low, medium, high) depend on a system's potential overall organizational impact, which is a function of that system’s impact on confidentiality, integrity, and availability. Armed with each control's priority and the baseline at which it applies, agencies can more easily navigate this hefty document and come away with actionable steps and a path to improvement.
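As an added illustration of how the priority codes and impact baselines described above combine into an implementation order (example code written for this article, not NIST's own tooling), the snippet below selects the controls a system must implement and groups them by priority. The catalog entries are constructed, and the rule that overall impact is the highest of the three CIA ratings is an assumption labelled in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Impact levels ordered from least to most rigorous. The article says "medium";
# 800-53 itself calls that baseline "moderate", so both spellings are accepted.
LEVELS: Tuple[str, ...] = ("low", "moderate", "high")
ALIASES = {"medium": "moderate"}

@dataclass(frozen=True)
class Control:
    cid: str                    # control identifier
    family: str                 # one of the eighteen control families
    priority: int               # 1 = implement first, 3 = implement last
    baselines: Tuple[str, ...]  # baselines at which the control is required

# Constructed sample catalog: identifiers, priorities and baseline assignments
# are illustrative and NOT copied from the published 800-53 catalog.
SAMPLE_CATALOG: List[Control] = [
    Control("CTRL-1", "Access Control", 1, ("low", "moderate", "high")),
    Control("CTRL-2", "Access Control", 2, ("moderate", "high")),
    Control("CTRL-3", "Audit and Accountability", 1, ("moderate", "high")),
    Control("CTRL-4", "Audit and Accountability", 3, ("high",)),
    Control("CTRL-5", "Incident Response", 2, ("low", "moderate", "high")),
]

def normalize(level: str) -> str:
    """Map an impact rating onto LEVELS, rejecting anything unrecognised."""
    level = ALIASES.get(level.lower(), level.lower())
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level

def overall_impact(confidentiality: str, integrity: str, availability: str) -> str:
    """Overall impact level of a system derived from its CIA ratings.
    Assumption: it is the highest of the three (the FIPS 199 'high-water mark'),
    which is how the applicable 800-53 baseline is chosen in practice."""
    ratings = (normalize(confidentiality), normalize(integrity), normalize(availability))
    return max(ratings, key=LEVELS.index)

def implementation_plan(catalog: Sequence[Control], confidentiality: str,
                        integrity: str, availability: str) -> Dict[int, List[str]]:
    """Controls the system must implement, grouped by priority code.
    Per the article, finish every P1 control (key 1) before P2, and P2 before P3;
    within a phase the ids are sorted so the plan is deterministic."""
    baseline = overall_impact(confidentiality, integrity, availability)
    plan: Dict[int, List[str]] = {1: [], 2: [], 3: []}
    for control in catalog:
        if baseline in control.baselines:   # required at this system's baseline
            plan[control.priority].append(control.cid)
    return {p: sorted(ids) for p, ids in plan.items()}
```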
As of September 2017, 800-53 is in its fourth revision, with the fifth revision in active development. The fifth revision so far contains a number of changes to language to help 800-53's guidance apply to information security systems more broadly across all industries and enterprises, not just those that work with the federal government.
NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” is directly related to 800-53. Like 800-53, 800-171 provides guidance on security practices and controls that must be implemented, but in this case it focuses on the narrower set of organizations that handle Controlled Unclassified Information (CUI) in nonfederal systems.
Under an addendum to DFARS, the Defense Federal Acquisition Regulation Supplement, published in December 2015, any organization that works in or with the United States government and stores, transmits or otherwise handles sensitive government data must follow the policies outlined in 800-171 and demonstrate compliance with them by the end of 2017. 800-171 also groups its compliance requirements into fourteen “families,” much like 800-53’s categorization of security controls.
The NIST “Framework for Improving Critical Infrastructure Cybersecurity” takes a more generalized, high-level approach to security best practices than 800-53 and 800-171. It outlines key concepts and processes to keep in mind when designing a robust security practice, regardless of the type of organization implementing the guidance. As the title suggests, though, much of the document’s advice is aimed at critical infrastructure organizations such as banks and public utilities.
NIST’s goal with the Cybersecurity Framework is to help organizations determine which processes and controls are most relevant to their particular challenges, and how best to implement and test the efficacy of the security measures they put in place. The Framework does not list tables of security controls; instead, it organizes its key points into five functions that make up the Framework Core: Identify, Protect, Detect, Respond, and Recover. Within these five functions, NIST provides industry-agnostic guidance to help organizations reach an appropriate level of security competence and compliance.
Unlike 800-53 and 800-171, which are tied to the FISMA and CUI compliance regulations respectively, the Cybersecurity Framework’s best-practice guidelines are voluntary and not required by any compliance program.
The depth and breadth of advice in the NIST framework documents make them a great resource for federal agencies and for organizations working with the U.S. federal government, at the very least. However, any organization outside the scope of FISMA can also turn to NIST guidelines to model its own compliance program and security baselines. If your organization is looking for a thorough examination of how best practices can be applied through compliance and regulatory frameworks, you would be well served by studying NIST’s framework documents.