The expert's guide to NIST SP 800-53
Introducing the Expert's Guide to NIST SP 800-53
This authoritative guide is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, which provides guidance for federal agencies on selecting, implementing, and managing information security controls. The guide covers a wide range of topics, including risk assessment, security control selection, security control implementation, and security control monitoring. It also provides detailed information on the security controls that should be implemented in the organization, as well as guidance on how to assess and monitor the effectiveness of those controls. Additionally, the guide provides detailed information on the Federal Information Security Management Act (FISMA) and its requirements for information security. The guide is intended to help organizations ensure that their information systems are secure and compliant with applicable laws and regulations.
What is NIST SP 800-53?
NIST SP 800-53 is a comprehensive security compliance standard that provides a catalog of security and privacy controls for information systems. This standard was created by the National Institute of Standards and Technology (NIST), which is a part of the U.S. Department of Commerce. NIST SP 800-53 is specifically designed for U.S. federal information systems, except those related to national security, but its guidelines can be adopted by any organization that handles sensitive or regulated data.
The primary objective of NIST SP 800-53 is to provide a set of controls that can be used to secure federal information systems. These controls are divided into 18 categories, which cover a broad range of security topics. Some of the categories include access control, audit and accountability, configuration management, incident response, and system and communication protection.
NIST SP 800-53 also includes guidance on how to implement the controls, how to assess compliance with the controls, and how to monitor and maintain the controls over time. The standard is designed to be technology-neutral, meaning that it does not prescribe specific technologies or products. Instead, it focuses on best practices and general security principles that can be applied to a wide range of information systems.
The controls outlined in NIST SP 800-53 are intended to protect against a variety of threats, from natural disasters to hostile attacks. By implementing these controls, organizations can help safeguard their information systems against unauthorized access, theft, damage, and other types of security incidents.
Overall, NIST SP 800-53 is an essential resource for any organization that handles sensitive or regulated data, including government agencies, financial institutions, healthcare providers, and other organizations that deal with confidential information. The standard provides a comprehensive framework for building a strong and effective security program, and can help organizations demonstrate compliance with regulatory requirements and industry best practices.
What is the goal of NIST SP 800-53?
The primary goal of NIST SP 800-53 is to provide a comprehensive and flexible catalog of controls for protecting information systems from a wide range of threats. This standard was created to help organizations establish a strong foundation for risk management, particularly in the face of rapidly changing technology and evolving threats.
The controls outlined in NIST SP 800-53 are designed to be adaptable to a variety of situations and environments. This flexibility allows organizations to tailor their security approach to their specific needs, while still adhering to established best practices. Additionally, the standard provides a common language for discussing risk management concepts, which can help improve communication between different teams and organizations.
Another key goal of NIST SP 800-53 is to establish a foundation for assessing the effectiveness of security controls. The standard defines a set of metrics and evaluation criteria that can be used to determine whether a particular control is meeting its intended purpose. By regularly assessing the effectiveness of their security controls, organizations can identify potential vulnerabilities and take steps to mitigate them before they can be exploited by attackers.
NIST SP 800-53 also aims to improve communication and collaboration across different organizations and industries. By providing a common lexicon for discussing risk management concepts, the standard can help break down communication barriers between different teams and organizations. This can facilitate more effective collaboration on security issues and enable organizations to work together to address shared threats and vulnerabilities.
In summary, the goal of NIST SP 800-53 is to establish a comprehensive and flexible framework for protecting information systems from a wide range of threats. By providing a common language for discussing risk management concepts, improving the effectiveness of security controls, and facilitating collaboration across different organizations, this standard can help organizations improve their security posture and better protect sensitive information.
Who must comply with NIST SP 800-53?
NIST SP 800-53 is a widely recognized information security standard developed by the National Institute of Standards and Technology (NIST) for protecting sensitive information and information systems. The standard applies to all federal information systems, but also provides a framework for any organization seeking to improve its information security practices. In this article, we will explore who must comply with NIST SP 800-53 and why.
Federal Agencies and Contractors
NIST SP 800-53 is mandatory for all federal information systems, including those used by government agencies and contractors. The standard helps ensure that sensitive information is adequately protected and that the security controls in place are consistent across different agencies and contractors. Compliance with NIST SP 800-53 is required by law and failure to comply can result in financial penalties, loss of contracts, and damage to an agency's reputation.
Organizations Working with the Federal Government
Organizations that work with the federal government are also required to comply with NIST SP 800-53 as a condition of doing business. This includes contractors, suppliers, and service providers who process, store or transmit sensitive information on behalf of the government. Compliance with the standard is usually a contractual obligation that must be met in order to maintain the relationship with the government.
State, Local and Tribal Governments
While compliance with NIST SP 800-53 is mandatory for federal information systems, state, local and tribal governments are not required to comply with the standard. However, many of these organizations have voluntarily adopted NIST SP 800-53 as a framework for their information security programs. This is because the standard provides a comprehensive and flexible set of controls that can be adapted to meet the unique needs and risk profiles of different organizations.
Private companies are not required to comply with NIST SP 800-53, but many organizations have adopted the standard as a best practice for information security. Compliance with the standard can help organizations improve their security posture, protect sensitive information, and meet regulatory requirements. The standard provides a set of controls that can be customized to meet the unique needs and risk profiles of different organizations, making it a flexible framework for information security management.
In conclusion, NIST SP 800-53 is a widely recognized information security standard that provides a comprehensive set of controls for protecting sensitive information and information systems. Compliance with the standard is mandatory for federal information systems and organizations working with the government, but the framework can be adapted for use by state, local and tribal governments and private companies as well. By adopting NIST SP 800-53, organizations can improve their security posture, protect sensitive information, and meet regulatory requirements.
What are the benefits of NIST SP 800-53?
NIST Special Publication (SP) 800-53 provides a comprehensive set of guidelines for information security and privacy controls for federal information systems. While it is mandatory for federal information systems, there are also significant benefits for private organizations that voluntarily comply with the standard.
Improved Security Posture
The most significant benefit of complying with NIST 800-53 is the improvement in security posture. By following the standard's 18 control families, organizations can select the appropriate security controls, policies and procedures to protect their information security and privacy. This not only helps prevent security breaches but also reduces the risk of financial loss, damage to reputation, and legal action resulting from security incidents.
Customizable Control Selection
NIST 800-53 encourages organizations to analyze each security and privacy control they select to ensure its applicability to their infrastructure and environment. This customization process helps ensure that the selected controls not only meet security and compliance requirements but also align with the organization's business goals and priorities.
Cost-Effective Application of Controls
NIST 800-53 promotes consistent, cost-effective application of controls across an organization's information technology infrastructure. This approach helps organizations allocate their resources effectively, reducing unnecessary costs and ensuring that resources are used to address the highest priority security risks.
Compliance with Other Regulations and Programs
Following NIST 800-53 guidelines helps organizations build a solid foundation for compliance with other regulations and programs like HIPAA, DFARS, PCI DSS and GDPR. By implementing the recommended security and privacy controls, organizations can demonstrate their commitment to information security and compliance, reducing the risk of non-compliance penalties and improving their reputation with stakeholders.
In summary, compliance with NIST 800-53 provides organizations with a comprehensive framework for information security and privacy controls. The benefits of compliance include improved security posture, customizable control selection, cost-effective application of controls, and compliance with other regulations and programs. By implementing NIST 800-53 guidelines, organizations can demonstrate their commitment to information security and privacy, reduce the risk of security incidents, and protect their reputation and financial stability.
What data does NIST SP 800-53 protect?
NIST SP 800-53 is a security and privacy framework developed by the National Institute of Standards and Technology. Its purpose is to provide guidelines and controls for federal information systems and organizations that process, store, and transmit sensitive information.
One important aspect of NIST SP 800-53 is its approach to data protection. While the standard does not provide a list of specific information types, it does offer recommendations for classifying the types of data your organization creates, stores and transmits. These recommendations are based on data sensitivity, and they can help you better understand the kind of data your organization handles on a regular basis.
Here are some classifications that NIST SP 800-53 suggests:
Controlled Unclassified Information (CUI): CUI is a category of sensitive information that is not classified as "top secret" or "secret," but that still requires protection from unauthorized disclosure. Examples of CUI include financial information, medical records, and personally identifiable information (PII). If your organization handles CUI, you should take steps to protect it from unauthorized access, disclosure, or modification.
Personal Identifiable Information (PII): PII is any information that can be used to identify an individual, such as their name, address, phone number, social security number, or driver's license number. PII is highly sensitive, and organizations that handle it must take special care to protect it from unauthorized access or disclosure.
Confidential information: Confidential information is information that is not intended to be disclosed to unauthorized individuals. It includes trade secrets, financial information, and other sensitive information that could harm the organization if it were to be made public. If your organization handles confidential information, you should take steps to protect it from unauthorized access or disclosure.
Proprietary information: Proprietary information is information that is unique to your organization, and that gives you a competitive advantage. Examples of proprietary information include product designs, business plans, and customer lists. If your organization handles proprietary information, you should take steps to protect it from unauthorized access or disclosure.
Classified information: Classified information is information that has been classified according to the level of sensitivity and the potential impact to national security. Examples of classified information include military plans, intelligence reports, and nuclear weapon designs. If your organization handles classified information, you should take steps to protect it from unauthorized access, disclosure, or modification.
NIST SP 800-53 also provides a set of security controls that organizations can use to protect their data. These controls are designed to help organizations identify and mitigate security risks, and they can be customized to meet the needs of individual organizations.
In conclusion, NIST SP 800-53 provides a comprehensive framework for organizations to protect their sensitive data. By classifying the types of data they handle, and by implementing appropriate security controls, organizations can reduce the risk of data breaches and other security incidents.
Components of NIST 800-53
NIST 800-53 consists of a comprehensive set of security controls, control enhancements, and common controls that organizations can utilize to protect their information systems and ensure compliance with security standards. These components serve as vital resources for organizations in establishing and implementing effective security programs.
The security controls provided by NIST 800-53 offer a wide range of measures to address various aspects of information security. These controls encompass areas such as access control, identification and authentication, incident response, contingency planning, and many more. By implementing these controls, organizations can mitigate risks, prevent unauthorized access, and safeguard their information systems from potential threats.
NIST 800-53 also includes control enhancements that build upon the foundation of security controls. These enhancements provide organizations with additional measures and guidelines to strengthen their security posture and further protect their information systems. By implementing these enhancements, organizations can tailor their security controls to align with their specific needs and requirements.
To categorize the extensive list of security controls and enhancements, NIST 800-53 introduces the concept of security control families. These families categorize the controls based on specific security objectives, such as access control, audit and accountability, system and communications protection, and many more. By organizing controls into families, organizations can easily identify and select the controls that are most relevant to their information systems and operational environment.
Overall, the components of NIST 800-53, including security controls, control enhancements, and common controls, provide organizations with a robust framework to effectively protect their information systems and ensure compliance with security standards. Utilizing these components, organizations can enhance their security programs and bolster their defenses against potential threats. For streamlined and simplified compliance with NIST 800-53, organizations can leverage platforms like 6clicks, which offer comprehensive solutions for managing and demonstrating adherence to the security controls and requirements outlined in the framework.
What are the NIST 800-53 control families?
NIST 800-53 is a comprehensive cybersecurity framework that provides a catalog of security and privacy controls for federal information systems and organizations. The framework is designed to assist organizations in managing and protecting their information systems from cyber threats, while also ensuring compliance with federal regulations and industry best practices.
There are 20 distinct control families in NIST 800-53, each containing a range of controls that relate to a specific area of cybersecurity. Here are some of the key control families in the framework:
- Access Control: The Access Control family includes controls that relate to device and user access to the system. This family is critical for maintaining the security and integrity of information systems, as it ensures that only authorized individuals can access sensitive information. Some of the controls in this family include authentication, password management, and access revocation.
- Audit and Accountability: The Audit and Accountability family includes controls that relate to the monitoring and recording of system activity. These controls are essential for detecting and preventing cyber threats, as they provide organizations with a record of system activity that can be used to identify suspicious behavior or incidents. Some of the controls in this family include audit generation, audit review, and audit retention.
- Security Assessment and Authorization: The Security Assessment and Authorization family includes controls that relate to the assessment and authorization of information systems. This family is critical for ensuring that information systems meet security requirements and are authorized for use. Some of the controls in this family include risk assessments, security authorization, and continuous monitoring.
- Configuration Management: The Configuration Management family includes controls that relate to the management of information system configurations. These controls are essential for ensuring that information systems are configured correctly and securely. Some of the controls in this family include configuration management planning, configuration change control, and baseline configuration.
- Incident Response: The Incident Response family includes controls that relate to the management of cybersecurity incidents. These controls are essential for detecting and responding to cyber threats quickly and efficiently. Some of the controls in this family include incident response planning, incident response testing, and incident reporting.
- System and Communications Protection: The System and Communications Protection family includes controls that relate to the protection of information systems and communications. These controls are critical for ensuring that information systems are protected from cyber threats and that communications are secure. Some of the controls in this family include boundary protection, encryption, and system monitoring.
- System and Information Integrity: The System and Information Integrity family includes controls that relate to the integrity of information systems and data. These controls are critical for ensuring that information systems are reliable and that data is accurate and secure. Some of the controls in this family include malware protection, software updates, and information system monitoring.
In conclusion, the NIST 800-53 cybersecurity framework provides a comprehensive catalog of security and privacy controls that organizations can use to protect their information systems from cyber threats. The framework is organized into 20 distinct control families, each containing controls that relate to a specific area of cybersecurity. By implementing these controls, organizations can improve their cybersecurity posture and ensure compliance with federal regulations and industry best practices.
How can you determine which NIST SP 800-53 controls to comply with?
NIST SP 800-53 provides a comprehensive framework for information security and privacy controls. However, with over 1,000 controls across 20 distinct control families, selecting the appropriate controls can be a daunting task. To determine which controls to comply with, an organization must first conduct a risk assessment and then select controls that align with its risk management strategy.
- Conduct a risk assessment: A risk assessment helps to identify potential risks and threats to the organization's information systems and data. It also helps to identify vulnerabilities and potential impacts of those risks. A thorough risk assessment involves identifying and assessing the likelihood and impact of risks, determining the risk tolerance of the organization, and identifying the necessary controls to mitigate the risks.
- Determine the organization's risk management strategy: Once the risks have been identified and assessed, the organization should develop a risk management strategy. This strategy should outline the controls necessary to manage the identified risks effectively. It should also specify the organization's risk tolerance and any additional controls required to meet regulatory and legal requirements.
- Select controls based on risk management strategy: After determining the risk management strategy, the organization should select the appropriate controls that align with the strategy. The selection process should consider the specific risks and vulnerabilities of the organization's information systems, data, and assets. The organization should select controls that will mitigate risks effectively and efficiently and align with its risk tolerance.
- Tailor the control baselines: NIST SP 800-53B provides tailoring guidance and assumptions that help organizations customize their security and privacy control baselines. The tailoring guidance enables organizations to align the control baselines with their critical and essential operations, assets, and individuals' privacy. Organizations can customize their control baselines by adding, modifying, or removing controls to align with their risk management strategy.
- Keep controls up to date: Organizations should regularly review and update their controls to ensure that they remain effective in mitigating risks. As new threats and vulnerabilities emerge, the organization must adjust its controls to align with the new risks. It is also essential to ensure that the controls are in compliance with any new regulatory or legal requirements.
In conclusion, determining which NIST SP 800-53 controls to comply with requires a thorough risk assessment, the development of a risk management strategy, the selection of controls based on the strategy, tailoring the control baselines, and keeping the controls up to date. Compliance with NIST SP 800-53 controls helps organizations mitigate risks effectively and efficiently and establishes a level of security due diligence.
How to achieve NIST 800-53 compliance?
NIST SP 800-53 provides a comprehensive framework of security and privacy controls for organizations to implement to ensure the confidentiality, integrity, and availability of their sensitive data. Achieving NIST 800-53 compliance can seem daunting, but by following these best practices, organizations can effectively select and implement appropriate security controls and policies.
- Identify your sensitive data: The first step to achieving NIST 800-53 compliance is to identify your sensitive data. This includes data that is transmitted, maintained, received, or stored by your organization. This data can be spread across multiple systems and applications, so it's important to thoroughly assess all aspects of your organization's data management.
- Classify sensitive data: Once you have identified your sensitive data, it's crucial to categorize and label it according to its value and sensitivity. This will allow you to assign an impact value (low, moderate, or high) for each security objective (confidentiality, integrity, and availability) and categorize it at the highest impact level. FIPS 199 provides appropriate security categories and impact levels that relate to your organizational goals, mission, and business success. Automating discovery and classification can streamline the process and ensure consistent, reliable results.
- Evaluate your current level of cybersecurity with a risk assessment: Conducting a risk assessment is essential for evaluating your current level of cybersecurity. This involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps. Risk assessment helps to prioritize security and privacy controls based on their potential impact.
- Document a plan to improve your policies and procedures: Selecting controls based on your specific business needs is critical to achieving NIST 800-53 compliance. The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. It's important to document your plan and the rationale for each choice of control and policy. This documentation will serve as a record of compliance efforts and can help identify gaps in controls.
- Provide ongoing employee training: Education and training are essential components of achieving and maintaining NIST 800-53 compliance. Educating all employees on access governance and cybersecurity best practices, such as how to identify and report malware, will help ensure compliance and mitigate the risks of security incidents.
- Make compliance an ongoing process: Achieving NIST 800-53 compliance is an ongoing process that requires constant vigilance. Once you have brought your system into compliance, maintain and improve your compliance with regular system audits, especially after a security incident. Regular audits help to identify potential vulnerabilities and gaps in controls.
In conclusion, achieving NIST 800-53 compliance requires a thorough understanding of an organization's sensitive data and the risks associated with it. By following these best practices, organizations can effectively select and implement appropriate security controls and policies to protect their sensitive data and maintain compliance with NIST 800-53.
How to prepare for a NIST audit: Checklist
Preparing for a NIST audit involves a thorough understanding of the NIST security controls and compliance requirements. By following a checklist of tasks and actions, organizations can ensure they are adequately prepared for the audit process. Here are some key steps and considerations to include in your preparation:
- Familiarize yourself with NIST security controls: Understand the specific security control families outlined in NIST 800-53 and the corresponding control baselines for your organization's systems.
- Conduct a risk assessment: Identify potential vulnerabilities and threats that could impact your organization's information systems. Determine the impact level of each risk and prioritize mitigation efforts accordingly.
- Implement security controls: Select and implement the necessary security controls to address identified risks. Ensure that all control requirements are met and adequately documented.
- Develop a plan of action: Create a comprehensive plan of action that outlines how your organization will address any identified control deficiencies or weaknesses. Include timelines, responsible parties, and specific actions to be taken.
- Train employees: Provide training to employees on the importance of NIST compliance and the role they play in maintaining security. Ensure that employees are aware of their responsibilities and understand proper security procedures.
- Review and update policies and procedures: Regularly review and update your organization's security policies and procedures to align with NIST requirements. This ensures that your security program remains current and effective.
- Conduct internal audits and self-assessments: Regularly assess your organization's compliance with NIST security controls through internal audits and self-assessments. This will help identify any gaps or areas for improvement before the official NIST audit.
By following this checklist and taking proactive steps to implement and maintain NIST security controls, organizations can better prepare for a NIST audit and ensure compliance with established standards. Consider leveraging tools like 6clicks, which provide a risk and compliance platform specifically designed to support NIST compliance efforts.
NIST, FedRAMP, and FISMA: how are they related?
NIST (National Institute of Standards and Technology), FedRAMP (Federal Risk and Authorization Management Program), and FISMA (Federal Information Security Management Act) are all interconnected and play crucial roles in ensuring security for federal information systems and organizations.
NIST SP 800-53 serves as the foundation for both FedRAMP and FISMA. This publication provides a catalog of security and privacy controls for information systems and organizations. FedRAMP specifically utilizes NIST 800-53 controls as the basis for assessing and authorizing cloud service providers (CSPs) that provide services to federal agencies. This ensures that CSPs meet the necessary security requirements to protect sensitive government data in the cloud.
On the other hand, FISMA requires federal agencies and other organizations to develop and implement information security controls based on NIST SP 800-53. This ensures that federal agencies and organizations have appropriate security measures in place to protect their information systems and data from threats and vulnerabilities.
To achieve compliance, cloud service providers undergo the FedRAMP certification process, which involves an assessment of their security controls and practices against the NIST 800-53 controls. Once certified, CSPs must undergo an annual reassessment to ensure ongoing compliance with the established security standards. Similarly, federal agencies and organizations subject to FISMA also must regularly reassess their information security controls based on NIST 800-53 to maintain compliance and mitigate risks.
In summary, NIST provides the foundation for both FedRAMP and FISMA, with FedRAMP focusing on cloud service providers and FISMA on federal agencies and organizations. Compliance involves adhering to the NIST 800-53 controls, with ongoing assessments and reassessments to maintain security and mitigate potential risks.
What are NIST special publications?
The National Institute for Standards and Technology publishes standards, guidelines, recommendations, and research on data and information systems security and privacy.
Intended primarily for federal agencies and their third-party service providers, vendors, and contractors, NIST publications can be a useful resource for any organization establishing or maintaining a cybersecurity system.
Compliance with NIST 800-53, for example, is essential for organizations striving to meet FISMA requirements.
NIST provides a complete compendium of all its publications on the nist.gov website. Overall, the NIST technical publication series comprises
- Federal Information Processing Standards (FIPS): Security standards
- NIST Special Publications: Guidelines, recommendations and reference materials
- NIST Internal or Interagency Reports: Reports of research findings, including background information for FIPS and SPs
- NIST Information Technology Laboratory (ITL) Bulletins: Monthly overviews of NIST’s security and privacy publications, programs and projects
NIST has hundreds of special publications. They fall into three categories:
- SP 800 — Computer security
- SP 1800 — Cybersecurity practice guides
- SP 500 — Information technology (relevant documents)
The NIST glossary defines its special publications this way: A type of publication issued by NIST. Specifically, the NIST Special Publication 800 series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
NIST 800-series special publications include guidelines for establishing and maintaining information security programs, security controls, risk management guidance, technical information, and more. Here we’ve listed all the current NIST 800-series publications (except annual reports), starting with the most recent.
Final NIST 800 publications
- NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
- NIST SP 800-171 Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
- NIST SP 800-160 Vol. 2 Developing Cyber Resilient Systems: A Systems Security Engineering Approach
- NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
- NIST SP 800-52 Rev. 2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
- NIST SP 800-204 Security Strategies for Microservices-based Application Systems
- NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations
- NIST SP 800-133 Rev. 1 Recommendation for Cryptographic Key Generation
- NIST SP 800-205 Attribute Considerations for Access Control Systems
- NIST SP 800-57 Part 2 Rev. 1 Recommendation for Key Management: Part 2—Best Practices for Key Management Organizations
- NIST SP 800-163 Rev. 1 Vetting the Security of Mobile Applications
- NIST SP 800-56B Rev. 2 Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
- NIST SP 800-131A Rev. 2 Transitioning the Use of Cryptographic Algorithms and Key Lengths
- NIST SP 800-177 Rev. 1 Trustworthy Email
- NIST SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-116 Rev. 1 Guidelines for the Use of PIV Credentials in Facility Access
- NIST SP 800-125A Rev. 1 Security Recommendations for Server-based Hypervisor Platforms
- NIST SP 800-202 Quick Start Guide for Populating Mobile Test Devices \
- NIST SP 800-193 Platform Firmware Resiliency Guidelines
- NIST SP 800-87 Rev. 2 Codes for Identification of Federal and Federally-Assisted Organizations
- NIST SP 800-56C Rev. 1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes
- NIST SP 800-56A Rev. 3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
- NIST SP 800-160 Vol. 1 Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
- NIST SP 800-70 Rev. 4 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- NIST SP 800-126 Rev. 3 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3
- NIST SP 800-126A SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3
- NIST SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation
- NIST SP 800-187 Guide to LTE Security
- NIST SP 800-63A Digital Identity Guidelines: Enrollment and Identity Proofing
- NIST SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management
- NIST SP 800-63C Digital Identity Guidelines: Federation and Assertions
- NIST 800-63-3 Digital Identity Guidelines
- NIST SP 800-67 Rev. 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
- NIST SP 800-190 Application Container Security Guide
- NIST SP 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
- NIST SP 800-192 Verification and Test Methods for Access Control Policies/Models
- NIST SP 800-12 Rev. 1 An Introduction to Information Security
- NIST SP 800-121 Rev. 2 Guide to Bluetooth Security
- NIST SP 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
- NIST SP 800-184 Guide for Cybersecurity Event Recovery
- NIST SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
- NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
- NIST SP 800-150 Guide to Cyber Threat Information Sharing
- NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
- NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
- NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
- NIST SP 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- NIST SP 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security
- NIST SP 800-183 Networks of ‘Things’
- NIST SP 800-166 Derived PIV Application and Data Model Test Guidelines
- NIST SP 800-156 Representation of PIV Chain-of-Trust for Import and Export
- NIST SP 800-85A-4 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
- NIST SP 800-38G Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
- NIST SP 800-73-4 Interfaces for Personal Identity Verification
- NIST SP 800-57 Part 1 Rev. 4 Recommendation for Key Management, Part 1: General
- NIST SP 800-152 A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
- NIST SP 800-167 Guide to Application Whitelisting
- NIST SP 800-79-2 Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
- NIST SP 800-90A Rev. 1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
- NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security
- NIST SP 800-78-4 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
- NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-57 Part 3 Rev. 1 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
- NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials
- NIST SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
- NIST SP 800-147B BIOS Protection Guidelines for Servers
- NIST SP 800-168 Approximate Matching: Definition and Terminology
- NIST SP 800-101 Rev. 1 Guidelines on Mobile Device Forensics
- NIST SP 800-81-2 Secure Domain Name System (DNS) Deployment Guide
- NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems
- NIST SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies
- NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- NIST SP 800-76-2 Biometric Specifications for Personal Identity Verification
- NIST SP 800-124 Rev. 1 Guidelines for Managing the Security of Mobile Devices in the Enterprise
- NIST SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
- NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
- NIST SP 800-107 Rev. 1 Recommendation for Applications Using Approved Hash Algorithms
- NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide
- NIST SP 800-146 Cloud Computing Synopsis and Recommendations
- NIST SP 800-126 Rev. 2 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
- NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)
- NIST SP 800-135 Rev. 1 Recommendation for Existing Application-Specific Key Derivation Functions
- NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
- NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- NIST SP 800-145 The NIST Definition of Cloud Computing
- NIST SP 800-147 BIOS Protection Guidelines
- NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-51 Rev. 1 Guide to Using Vulnerability Naming Schemes
- NIST SP 800-126 Rev. 1 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
- NIST SP 800-125 Guide to Security for Full Virtualization Technologies
- NIST SP 800-119 Guidelines for the Secure Deployment of IPv6
- NIST SP 800-132 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
- NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
- NIST SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
- NIST SP 800-142 Practical Combinatorial Testing
- NIST SP 800-22 Rev. 1a A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
- NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
- NIST SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
- NIST SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
- NIST SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
- NIST SP 800-102 Recommendation for Digital Signature Timeliness
- NIST SP 800-106 Randomized Hashing for Digital Signatures
- NIST SP 800-66 Rev. 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- NIST SP 800-60 Vol. 1 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories
- NIST SP 800-60 Vol. 2 Rev. 1 Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
- NIST SP 800-123 Guide to General Server Security
- NIST SP 800-55 Rev. 1 Performance Measurement Guide for Information Security
- NIST SP 800-113 Guide to SSL VPNs
- NIST SP 800-28 Version 2 Guidelines on Active Content and Mobile Code
- NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-44 Version 2 Guidelines on Securing Public Web Servers
- NIST SP 800-95 Guide to Secure Web Services
- NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
- NIST SP 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems
- NIST SP 800-100 Information Security Handbook: A Guide for Managers
- NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)
- NIST SP 800-45 Version 2 Guidelines on Electronic Mail Security
- NIST SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
- NIST SP 800-96 PIV Card to Reader Interoperability Guidelines
- NIST SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
- NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- NIST SP 800-92 Guide to Computer Security Log Management
- NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
- NIST SP 800-85B PIV Data Model Test Guidelines
- NIST SP 800-18 Rev. 1 Guide for Developing Security Plans for Federal Information Systems
- NIST SP 800-77 Guide to IPsec VPNs
- NIST SP 800-58 Security Considerations for Voice Over IP Systems
- NIST SP 800-72 Guidelines on PDA Forensics
- NIST SP 800-35 Guide to Information Technology Security Services
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
- NIST SP 800-49 Federal S/MIME V3 Client Profile
- NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems
- NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques
- NIST SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
- NIST SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
- NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model
- NIST SP 800-15 MISPC Minimum Interoperability Specification for PKI Components, Version 1
Draft NIST 800 special publications
- NIST SP 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
- NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- NIST SP 800-204A Building Secure Microservices-based Applications Using Service-Mesh Architecture
- NIST SP 800-137A Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment
- NIST SP 800-208 Recommendation for Stateful Hash-Based Signature Schemes
- NIST SP 800-186 Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters
- NIST SP 800-140A CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST SP 800-140D CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759:2014(E)
- NIST SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759:2014(E)
- NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
- NIST SP 800-140B CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B
- NIST SP 800-140C CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759
- NIST SP 800-140E CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790:2012 Annex E and ISO/IEC 24579:2017
- NIST SP 800-57 Part 1 Rev. 5 Recommendation for Key Management: Part 1—General
- NIST SP 800-207 Zero Trust Architecture
- NIST SP 800-175B Rev. 1 Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
- NIST SP 800-77 Rev. 1 Guide to IPsec VPNs
- NIST SP 800-171B Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
- NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-38G Rev. 1 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
- NIST SP 800-179 Rev. 1 Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist
- NIST SP 800-71 Recommendation for Key Establishment Using Symmetric Block Ciphers
- NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-188 De-Identifying Government Datasets (2nd Draft)
- NIST SP 800-90C Recommendation for Random Bit Generator (RBG) Constructions
- NIST SP 800-154 Guide to Data-Centric System Threat Modeling
- NIST SP 800-180 NIST Definition of Microservices, Application Containers and System Virtual Machines
- NIST SP 800-85B-4 PIV Data Model Test Guidelines
- NIST SP 800-164 Guidelines on Hardware-Rooted Security in Mobile Devices
- NIST SP 800-94 Rev. 1 Guide to Intrusion Detection and Prevention Systems (IDPS)
- NIST SP 800-155 BIOS Integrity Measurement Guidelines