The National Institute of Standards and Technology (NIST) is one of the most important, yet least understood, Federal agencies. NIST has one overarching goal: to set technical standards for every technology industry. Common standards help ensure that every enterprise has a fair chance to compete in the marketplace of ideas and commerce.

For instance, over the past 30 years, as computers have become more prevalent, scientists at NIST have worked with private companies to standardize USB ports and connectors. With a single USB standard in place, any manufacturer can follow those guidelines and build connected devices that work in just about every computer manufactured today.

NIST is also involved in setting cybersecurity standards. Alongside the DoD, it produced the 800 series of special publications, which define standard security programs and requirements for secure computing, including but not limited to access control, configuration management, and contingency planning. The best-known publications in the NIST SP 800 series are SP 800-53 and SP 800-171.

Wikipedia has the best definition of SP 800-53: 

[It] covers the steps which address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 18 areas including access control, incident response, business continuity, and disaster recoverability.

NIST provides a summary overview of SP 800-171:

[It] provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.

While these publications are directed specifically at organizations that do business with the Federal Government, their principles apply to all organizations. They lay the groundwork for solid cybersecurity hygiene and give organizations a defensible starting point for saying, “Yes, we are operating in a safe and secure manner.”

In our next blog post, I am going to explain how to implement ITSM and layer the NIST framework on top of it to form the basis for secure operations within any organization.