Frameworks and Standards from NIST

Founded on March 3, 1901, by the US Congress as the National Bureau of Standards, the National Institute of Standards and Technology (NIST) was created to standardize measurements and make processes repeatable.


This isn't a history lesson, so you're spared for now, but I'd like to go into how NIST relates to cybersecurity.


First, the use cases: frameworks and standards. In this space (GRC and cybersecurity), we come across controls from the Special Publications (SP) and frameworks such as NIST SP 800-53, the NIST Cybersecurity Framework (CSF), the NIST Risk Management Framework (RMF), and others.


In day-to-day practice, the most commonly used NIST Special Publications (SP) are as follows:


Remember that these documents do not cover other references that may also apply to you, such as CNSSI instructions, OMB circulars, or the United States Code (USC). More on this in a future legal-focused post.

The NIST Cybersecurity Framework

While the Special Publications offer in-depth technical guidance, the NIST Cybersecurity Framework (CSF) acts as a higher-level, strategic roadmap. The CSF does not prescribe specific technology choices; it organizes an organization's security activities around a small set of core functions (five in CSF 1.1, with CSF 2.0 adding a sixth, Govern). Covering all of them is what produces a layered, defense-in-depth program rather than a collection of point solutions.


Identify:

Understand your assets, data, vulnerabilities, and overall risk posture.


Protect:

Implement safeguards, access controls, and other measures to reduce risk.


Detect:

Monitor systems and networks for anomalies that could signal a breach.


Respond:

Have a plan to contain breaches, mitigate damage, and communicate appropriately.


Recover:

Focus on restoring operations and systems after an incident.


The NIST Risk Management Framework (RMF), defined in NIST SP 800-37, provides a structured, process-oriented approach to managing cybersecurity risk at the system and organizational level, and is the process by which federal systems obtain an authorization to operate. It is designed to be flexible enough for use across organizations, including both the government and the private sector.

Image provided by OpenControl

The RMF consists of seven primary steps:


Prepare:

Establish the context for risk management, including identifying stakeholders, key assets, and organizational risk tolerance.


Categorize:

Determine the potential impact of a loss of confidentiality, integrity, or availability for your systems and data, and assign an impact level (low, moderate, or high) using FIPS 199. The system's overall level is the highest of the three ("high-water mark"), so a system with high confidentiality impact is a high system even if its availability impact is low.


Select:

Based on the categorization, choose the matching baseline set of security controls from NIST SP 800-53 (the low, moderate, and high baselines are published in SP 800-53B) and tailor them to fit your organization's specific needs.


Implement:

Put the selected controls in place, encompassing technical, operational, and managerial safeguards.


Assess:

Evaluate the effectiveness of the implemented controls to ensure they are operating as intended and meeting security goals. NIST SP 800-53A provides the assessment procedures for each control.


Authorize:

A formal, risk-based decision by the designated authorizing official to accept the residual risk and grant an authorization to operate (ATO), to deny it, or to require additional safeguards before the system goes live.


Monitor:

Continuously track systems and controls to detect changes, identify vulnerabilities, and adapt risk management strategies accordingly.

A Note on CMMC

NIST 800-171 is a foundational standard within the Cybersecurity Maturity Model Certification (CMMC), especially important for those in the Defense Industrial Base (DIB). Understanding how CMMC builds upon NIST requirements will be crucial for companies handling controlled unclassified information known as CUI.

Image provided by the Department of Defense

CMMC (Cybersecurity Maturity Model Certification) is a DoD program that enforces cybersecurity requirements on its contractors, built primarily on NIST Special Publication 800-171 (NIST SP 800-171), whose 110 security requirements protect controlled unclassified information (CUI). Certification is at one of three levels with increasing requirements: Level 1 covers basic safeguarding of federal contract information, Level 2 aligns with the 110 requirements of SP 800-171, and Level 3 adds selected enhanced requirements from NIST SP 800-172.


Think of NIST as the recipe book for good cybersecurity practices – it gives you the ingredients and steps for protecting sensitive information (like that top-secret cookie recipe your grandma won't share). CMMC is like the restaurant inspector that the DoD sends in to make sure your kitchen is up to code.


They check whether you're following those NIST recipes and are strict about cleanliness, to make sure you're handling that sensitive information safely. Part of this certification involves crucial documents such as the system security plan, the assessment report, and plans of action and milestones (POA&Ms).


Your Security Blueprint (SSP):

A System Security Plan (SSP) is more than just checking boxes. Done well, it documents your security design choices in a way that's both defensible and aligned with NIST controls. This sets the baseline for further security activities.


The Self-Evaluation (SAR): A Security Assessment Report (SAR) requires you to honestly evaluate your implementation against the chosen NIST controls, whether you produce it yourself as a self-assessment or a third-party assessor produces it for you. The goal isn't perfection, but identifying gaps and prioritizing remediation plans.


Managing the Mess (POA&Ms):

NIST doesn't end at compliance. POA&Ms track each identified weakness, the planned mitigation, the owner, and the target date. Smart contractors leverage their POA&M process not just to plug gaps, but to strategically improve their overall security posture through ongoing projects and investments.

Great, but what does this mean for me?

Well, that depends on you and your role. The NIST publications are typically thought of as relating only to the federal or government sectors; however, these vetted publications can be used across various industries.


For example, the role of an ISSO, or Information Systems Security Officer, is typically expected to leverage the NIST RMF (Risk Management Framework), independent of whether they are in the public or private sector.


Should you prioritize patching a vulnerability with a high CVSS score but low exploitability, or focus on a moderate vulnerability with a proven path of exploitation in your industry?


The RMF helps answer these questions. In addition, once the system is authorized and in place, continuous monitoring requirements will need to be met, which usually means following SP 800-137 (Information Security Continuous Monitoring). It's about correlating log data with threat intelligence, performing vulnerability scans at a cadence aligned with your risk profile, and establishing clear baselines to spot anomalies that warrant deeper investigation.
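To make the prioritization question concrete, here is an added example (not code from the original post) that ties the RMF Categorize step to vulnerability triage: each system gets a FIPS 199 high-water mark from its confidentiality, integrity, and availability impact levels, and each scanner finding is then scored from its CVSS base score, the exploitation evidence, and the impact level of the system it sits on. The inventory, the finding identifiers, the threat-intelligence set, and the weights are all constructed for this example; the weights are illustrative choices, not values NIST prescribes.

```python
"""Risk-based vulnerability prioritization: FIPS 199 categorization feeds
the ranking of scanner findings. All inventory, findings, intel and weights
below are constructed for this example; weights are illustrative only."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}


def categorize(confidentiality, integrity, availability):
    """FIPS 199 high-water mark: a system's impact level is the highest of
    its confidentiality, integrity and availability impact levels."""
    for level in (confidentiality, integrity, availability):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max((confidentiality, integrity, availability), key=LEVELS.__getitem__)


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str             # scanner's identifier (placeholder values below)
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_available: bool  # public PoC or exploitation seen in your industry


# Hypothetical inventory: host -> (confidentiality, integrity, availability)
INVENTORY = {
    "erp-db-01": ("high", "high", "moderate"),
    "intranet-web": ("moderate", "low", "low"),
    "kiosk-07": ("low", "low", "low"),
}

# Constructed threat-intel set: findings observed exploited in the wild
KNOWN_EXPLOITED = {"finding-1"}

# Illustrative weights (not NIST-prescribed): active exploitation doubles
# urgency, a public PoC raises it, and a throwaway low-impact host lowers it.
EXPLOIT_WEIGHT = {"in_the_wild": 2.0, "poc": 1.5, "none": 1.0}
IMPACT_WEIGHT = {"low": 0.6, "moderate": 1.0, "high": 1.4}


def priority_score(f, system_level, intel):
    """CVSS weighted by exploitation evidence and by the system's impact level."""
    if f.vuln_id in intel:
        evidence = "in_the_wild"
    elif f.exploit_available:
        evidence = "poc"
    else:
        evidence = "none"
    return round(f.cvss * EXPLOIT_WEIGHT[evidence] * IMPACT_WEIGHT[system_level], 2)


def prioritize(findings, inventory=INVENTORY, intel=KNOWN_EXPLOITED):
    """Return findings as (score, vuln_id, host, system_level), highest first."""
    ranked = []
    for f in findings:
        level = categorize(*inventory[f.host])
        ranked.append((priority_score(f, level, intel), f.vuln_id, f.host, level))
    return sorted(ranked, reverse=True)


# Constructed scan results for the three hypothetical hosts
FINDINGS = [
    Finding("erp-db-01", "finding-1", 6.5, False),     # moderate CVSS, exploited in the wild
    Finding("intranet-web", "finding-2", 9.8, False),  # critical CVSS, no known exploit
    Finding("kiosk-07", "finding-3", 9.1, True),       # critical CVSS, PoC, low-impact host
    Finding("intranet-web", "finding-4", 4.3, False),
]

if __name__ == "__main__":
    for score, vuln_id, host, level in prioritize(FINDINGS):
        print(f"{score:6.2f}  {vuln_id:10}  {host:13}  system={level}")
```

With these inputs the moderate-CVSS finding on the high-impact database, which is being exploited in the wild, ranks above the 9.8 on the intranet server that nobody has an exploit for; the 9.1 with a public PoC on the low-impact kiosk lands third. The point is not the exact weights but that categorization and threat intelligence, not CVSS alone, drive the order of work.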
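The continuous-monitoring activities just described (baselines, anomaly spotting, correlation with threat intelligence) can also be shown in code. The following is an added example, not code from the original post: it builds a per-host baseline of daily failed-login counts from historical roll-ups, flags any host whose activity today exceeds that baseline, and separately flags any source address that appears on a threat-intelligence list regardless of volume. The sshd-style log lines, host names, addresses (documentation ranges), baseline numbers, and the threshold rule are all constructed for this example.

```python
"""Continuous-monitoring checks in the spirit of NIST SP 800-137: compare
today's failed-login activity against a per-host baseline and correlate
source addresses with a threat-intelligence list. Every log line, host,
address, baseline number and threshold rule below is constructed."""
import re
import statistics
from collections import Counter

# Matches a constructed sshd-style failed login, e.g.
# 2024-06-04T01:00:00 bastion sshd[410]: Failed password for root from 203.0.113.5 port 50000 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Hypothetical baseline input: daily failed-login counts per host over the
# last few days, as a SIEM's daily roll-up would provide them.
HISTORY = {
    "bastion": [2, 3, 4],
    "web": [10, 12, 11],
}

# Constructed threat-intel list of source addresses (documentation range).
INTEL = {"198.51.100.7"}


def parse_failures(lines):
    """Yield (host, src) for each line that is a failed-login event."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield m.group("host"), m.group("src")


def baseline(history):
    """Per-host (mean, population stdev) of daily failed-login counts."""
    return {
        host: (statistics.fmean(vals), statistics.pstdev(vals) if len(vals) > 1 else 0.0)
        for host, vals in history.items()
    }


def review(lines, history=HISTORY, intel=INTEL, k=3.0, floor=5):
    """Return (hosts over baseline, threat-intel hits).

    A host is over baseline when today's count exceeds mean + k*stdev, but
    never for fewer than `floor` failures (avoids alerting on a quiet host
    going from 1 to 2). Hosts with no history are judged against `floor`.
    Intel hits are reported regardless of volume: one hit is enough."""
    events = list(parse_failures(lines))
    counts = Counter(host for host, _ in events)
    base = baseline(history)
    over_baseline = {}
    for host, n in counts.items():
        mean, sd = base.get(host, (0.0, 0.0))
        threshold = max(mean + k * sd, floor)
        if n > threshold:
            over_baseline[host] = n
    intel_hits = sorted({(host, src) for host, src in events if src in intel})
    return over_baseline, intel_hits


# Constructed "today" log: six failures on bastion, three on web, one on db
# from an intel-listed address, plus one successful login that must be ignored.
TODAY = (
    [f"2024-06-04T01:0{i}:00 bastion sshd[410]: Failed password for root "
     f"from 203.0.113.5 port 5{i}000 ssh2" for i in range(6)]
    + [f"2024-06-04T02:0{i}:00 web sshd[777]: Failed password for invalid user "
       f"admin from 192.0.2.{i} port 40000 ssh2" for i in range(3)]
    + ["2024-06-04T03:00:00 db sshd[900]: Failed password for postgres "
       "from 198.51.100.7 port 41000 ssh2",
       "2024-06-04T03:05:00 db sshd[901]: Accepted publickey for dba "
       "from 10.0.0.9 port 41001 ssh2"]
)

if __name__ == "__main__":
    over, hits = review(TODAY)
    print("over baseline:", over)          # bastion: 6 against a ~5.4 threshold
    print("threat-intel matches:", hits)   # db from the listed address
```

Six failures on the bastion is unremarkable in absolute terms, but three standard deviations above its own history, so it is flagged; the web server's three failures sit well inside its noisier baseline and are not. The single failure on the database host is flagged only because the source address matches the intelligence list, which is the correlation the text describes.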


As a DoD contractor, understanding the specific controls detailed in NIST 800-171 and how they're evaluated at different CMMC levels impacts your entire security program. It's more than just buying software; it's about process documentation, evidence collection, and demonstrating a culture of compliance.


In addition, supply chain risk management needs to be performed, as the software, hardware, and cloud services you approve come with their own risks and dependencies. NIST SP 800-161 (Cybersecurity Supply Chain Risk Management) is the appropriate reference here. It isn't just a questionnaire for your vendors. It may involve contractual obligations for them to meet specific NIST-based security requirements, regular third-party assessments, or even limitations on what sensitive data can flow to partners who don't meet your security bar.


Let's look at another role. The CISO, or Chief Information Security Officer. While specific technical controls are important, a CISO uses the NIST Cybersecurity Framework's focus on "Identify, Protect, Detect, Respond, and Recover" as a tool for communicating risk and security priorities to company leadership. It becomes a shared language across both technical and business teams.


The CSF's Recover function highlights that a CISO's responsibility goes beyond breach prevention. Regular disaster recovery testing, tabletop exercises, and proactively developing relationships with incident response firms align with NIST principles to ensure business continuity.


I believe this is a mindset that should be adopted by all security professionals, from web application developers working at the application layer (OSI layer 7), writing and deploying the scripts that run on a site's backend with the OWASP Top 10 in mind, to the people responsible for physical security on site.

NIST isn't just about the paperwork. It provides practical guidance on everything from tool selection and security team training to how a company interacts with partners and government clients.


Side note: I don't want to make the mistake of associating unofficial references and information with official, but I recommend checking out ProfessorBlackOps on YouTube. I also plan to create videos in my spare time about these topics.

Here are some additional resources that I find particularly useful:

Hopefully, this has been helpful for you. If not, I'll try to improve.


If you would like more information or tools to help advance your cybersecurity efforts, let's connect on LinkedIn or leave a message on the Contact Page.

"If you think technology can solve your security problems, then you don't understand the problems, and you don't understand the technology."

- Bruce Schneier


ABOUT

This website is published to share cybersecurity-related information, resources, and posts written and curated by Christopher Monroe.