Definition and purpose

The NIST 800-115 provides organizations with a comprehensive overview and guidance on how to perform security testing and assessments. The document is meant to give organizations a structured approach to identify vulnerabilities and weaknesses in their information systems, to validate the effectiveness of security measures, and to ensure compliance with security policies and regulations.

Governing Body

The National Institute of Standards and Technology (NIST) is the governing body responsible for the 800 series of publications, including NIST 800-115.

Last updated

The most recent update was released in April 2021.

Applies to

NIST 800-115 applies broadly to any organization or entity that wants to conduct security testing and assessments of its information systems. This includes government agencies, private sector companies, and non-profit organizations. The guidelines are particularly relevant to entities that fall under U.S. federal regulations, but the practices are widely recognized and can be applied in various contexts outside of just the U.S. federal government.

Controls and requirements

NIST 800-115 is a guide, so it does not present a strict set of controls or requirements in the same manner as a compliance standard. Instead, it offers methodologies, techniques, and procedures. Key areas of focus include:

• Security Assessment Planning
• Security Assessment Execution
• Post-Testing Activities
• Vulnerability Scanning
• Security Testing Techniques (including reviews and analyses, assessments, and evaluations)
• Penetration Testing

Each section provides detailed steps, recommendations, and considerations for effectively conducting the respective type of security assessment.

Please refer to the official NIST SP 800-115 publication for more details.

Audit type, frequency, and duration

Since NIST 800-115 is a guide for conducting security assessments and not a compliance standard, it does not dictate specific audit types, frequencies, or durations. 

Instead, organizations would use this guide to inform and structure their own assessment and testing activities. The frequency and duration of these activities would depend on the organization's internal policies, the nature of the information system, and any applicable regulatory requirements.