The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, establishes best practices that are considered the standard throughout the world. Some of their standards focus specifically on information security and privacy and are particularly important when assessing cyber posture.
NIST’s robust InfoSec and privacy standards are valuable because they are well thought-out, extremely practical and create a common language for discussing security and privacy. For these reasons, aligning with NIST can be highly advantageous for organizations. Best of all? Unlike other control frameworks such as ISO, NIST’s standards are available for free.
What are some of the NIST standards that your organization should consider aligning with? Here are four to consider.
NIST’s comprehensive 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, includes 800 controls. These security guidelines cover 18 areas, including awareness and training, business continuity, incident response and access control.
The goal of these controls is to make federal information systems more resilient while promoting their integrity, confidentiality and security. Even though this was created for the US federal government, it’s become the standard for private contractors that work with the federal government. By aligning with 800-53, your organization will be able to comply with regulations more easily.
NIST’s Cybersecurity Framework (CSF) is considered a trusted resource for bettering security operations and governance for public and private organizations. The CSF is derived from 800-53 and is framed in business terms, which can often make it easier to digest.
The CSF is organized into five essential functions called the Framework Core: Identify, Protect, Detect, Respond and Recover.
These functions are broken down into 21 categories and more than 100 subcategories, which reference other frameworks such as ISO and ISA. The CSF also defines tiers that indicate an organization’s level of cybersecurity risk and the processes it has in place to mitigate that risk. By determining which CSF tier your organization falls into, you can benchmark your cyber posture.
To understand NIST’s Special Publication 800-171, it’s important to first explain what Controlled Unclassified Information (CUI) is. CUI is defined as information that is sensitive and relevant to US interests, but not regulated by the Federal government. Each Federal agency has a registry that defines its CUI; for example, financial CUI could include budgets, mergers and electronic funds transfers.
NIST’s 800-171 was developed after the 2003 creation of the Federal Information Security Management Act (FISMA), and was intended to improve cybersecurity. The idea was to ensure that unclassified information would be protected, which would ultimately help the federal government securely carry out its business operations.
800-171 standards must be met by any business that processes CUI for federal or state agencies such as NASA or the Department of Defense. Meeting them involves implementing and verifying compliance and creating security protocols for 14 areas, including access control, identification and authentication, and risk assessment.
The Privacy Framework provides the building blocks for privacy compliance by establishing overall best practices for privacy in business-friendly language. In doing so, it also outlines a process that will ultimately lead to what is known as “privacy by design,” meaning that privacy will be considered throughout system engineering and maintenance.
Most significantly, the NIST Privacy Framework succeeds in introducing an approach to privacy that can ultimately streamline organizations’ compliance.
Panorays can help your organization make sure your third parties are aligned with one or more of NIST’s robust standards. Our automated questionnaire can be set to check for NIST, and our comprehensive scan of third parties’ attack surfaces can verify many of the NIST controls.
Want to learn more about how Panorays can help you and your third parties align with NIST? Request a demo today.