Demonstrate Compliance with NIST 800-53, NIST 800-171, and the NIST CSF
The National Institute of Standards and Technology (NIST) provides a structured set of measurements and standards for a variety of technical disciplines, including cybersecurity. The NIST Cybersecurity Framework (CSF) is designed to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks”; the individual NIST Special Publications 800-53 and 800-171 provide additional guidance on security and privacy controls for federal and non-federal information systems, respectively.
Implementing the NIST Cybersecurity Framework
The NIST CSF, formally known as the Framework for Improving Critical Infrastructure Cybersecurity, outlines a number of standards for handling controlled unclassified information (CUI), such as personnel records, general financial information, budgets, and sensitive personally identifiable information (PII). To protect this information from internal and external threats, the framework covers elements such as:
- Inventory and control of hardware and software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
- Maintenance, monitoring, and analysis of access logs
- Email and web browser protections
- Malware defenses
- Limitation and control of network ports, protocols, and services
- Data recovery capabilities
- Secure configuration for network devices, including firewalls, routers, and switches
- Boundary defense
- Data protection
- Controlled access
- Wireless access control
- Account monitoring and control
- Security awareness and training programs
- Application software security
- Incident response and management
- Penetration tests and red team exercises
The NIST Cybersecurity Framework is outcome-driven. It does not prescribe minimum standards for these elements; instead, it leaves each organization to decide on its own risk-based implementation.
As a security partner, we can help!
Which Organizations Are Required to Be NIST-Compliant?
NIST CSF compliance is required for any organization that handles CUI on behalf of the federal government. This can include service providers, manufacturers, research organizations, contractors, and educational organizations, whether they are a prime contractor or a subcontractor. In order to bid on a federal contract, organizations must implement the controls set forth in the NIST Cybersecurity Framework and then maintain those controls for the duration of the contract. Organizations that do not maintain compliance will be removed from projects and from the federal government’s list of approved contractors.