
NIST (National Institute of Standards and Technology)

By Alexander S. Gillis

What is NIST (National Institute of Standards and Technology)?

NIST (National Institute of Standards and Technology) is a nonregulatory government agency located in Gaithersburg, Md. Founded in 1901 and now part of the U.S. Department of Commerce, NIST develops, promotes and maintains metrics and standards for several industries.

Congress established NIST to provide a measurement structure that rivaled capabilities provided by the United Kingdom, Germany and other major countries.

NIST operates several laboratories to promote the advancement and deployment of technological innovations that enhance security. NIST laboratory programs include engineering, IT, nanoscale science, neutron research, material measurement and physical measurement.

NIST also develops and maintains standards used within science, technology and other industries. These standards help federal agencies, contractors and other businesses that work with the government meet the requirements of different frameworks, such as the Federal Information Security Management Act (FISMA), which mandates certain cybersecurity standards. Other organizations in the public and private sectors also use these standards as part of their cybersecurity programs.

NIST doesn't offer certifications, but rather develops and promotes guidelines for federal agencies to follow. NIST participates in community outreach programs and roundtable discussions and solicits feedback from government, academia and industry, which is used to develop standards and guidelines. NIST standards are constantly being updated.

What is NIST compliance?

NIST compliance is the process of meeting the requirements of one or more NIST standards. NIST guidance and recommendations help federal agencies, and the organizations that contract with them, ensure they comply with the regulations that apply to them.

Compliance with NIST looks different depending on the standards and frameworks an organization follows. The standards are also based on the best practices for that specific industry.

For example, the NIST Cybersecurity Framework, which was released in 2014, provides a model for reducing risks to critical infrastructure and is designed to help organizations better understand, manage and reduce their cybersecurity risk. Critical infrastructure includes energy and water utilities, as well as transportation, financial services, communications, public health, food and agriculture, emergency services, manufacturing and several other sectors. Organizations in these areas use the NIST framework to improve communications with stakeholders within their businesses, as well as across organizations. Organizations also use the framework to ensure they are aligned with NIST standards, guidelines and best practices.

Another example of a NIST standard is the recent publication of recommendations and a best-practices framework that address technical security for deploying microservices-based applications with a service mesh. Special Publication (SP) 800-204C illustrates how organizations can save time and improve security when deploying application services.

Benefits of NIST compliance

Benefits of compliance with NIST include the following:

NIST standards and frameworks

Examples of NIST standards include the NIST 800 Series as follows:

How to become NIST-compliant

NIST lists its standards on its official website. The standards and resources made available are based on international best practices, are technology-neutral and can be implemented by organizations of all sizes and federal institutions.

Because of the different possible standards, each implementation of a NIST standard is different. However, some general steps toward compliance with NIST security standards are the following:

As a further example, to follow the NIST Cybersecurity Framework, organizations should address the following five fundamental areas of security control:

  1. Identify. This determines how cybersecurity risk is managed, along with what systems, data, resources and capabilities are needed.
  2. Protect. This provides safeguards to contain data security incidents so an organization can continue delivering critical services when needed.
  3. Detect. This determines the protocols in place that identify security events.
  4. Respond. This outlines the actions to take during a cybersecurity incident.
  5. Recover. This step identifies what to do after a cybersecurity attack to maintain business continuity and begin disaster recovery.


04 Nov 2022
