NIST SP 800-53 is just one publication in NIST’s Special Publication (SP) 800 series, which is designed to provide information relevant to the computer security community. Let’s dive into this series below.
What is the NIST 800 series?
The NIST 800 series is a comprehensive collection of cybersecurity standards, guidelines, and best practices published by the National Institute of Standards and Technology (NIST).
Developed to address and support the security and privacy needs of U.S. federal government information and information systems, these documents can help any organization protect their information systems and manage cybersecurity risks.
Let’s take a closer look at the applicability of the NIST 800 series below.
Who should comply with the NIST 800 series?
U.S. federal agencies and organizations working on federal contracts, particularly those handling sensitive government data, are required or encouraged to comply with NIST SP 800 series publications. Federal government statutes, regulations, and policies such as FISMA, FedRAMP, and Office of Management and Budget (OMB) Circular A-130 specify whether compliance is mandatory or voluntary for federal agencies.
In addition to federal agencies and organizations that work for these agencies or carry federal data, private sector businesses across industries can implement these standards to strengthen their security posture and meet regulatory requirements, such as HIPAA, GDPR, or industry-specific security mandates. NIST 800-53 is considered an industry best practice and is recommended for a strong cybersecurity posture.
Who needs to comply with NIST SP 800-53?
NIST 800-53 is mandatory for federal agencies. Additionally, any organization that works with the federal government or carries federal data may be required to comply with NIST 800-53 (or NIST CSF) to maintain the relationship.
NIST 800-53 is also applicable to a broad base of private sector organizations such as:
- Healthcare providers managing protected health information (PHI).
- Financial institutions seeking to strengthen their cybersecurity resilience.
- Private companies aiming to achieve a competitive advantage through a strong security posture.
The most widely used NIST 800 standards
NIST 800-53 is a highly regarded standard for information security. An organization that achieves NIST 800-53 compliance can assure customers, particularly in the public sector, that it is capable of managing risk and protecting information assets. The other standards in the NIST SP 800 series provide additional best practices in data protection and cyber resilience.
There are over 200 documents in the NIST SP 800 series. Below we provide an overview of some of the most important publications related to NIST 800-53.
NIST 800-30
Release date: September 2012
NIST 800-30 Revision 1, Guide for Conducting Risk Assessments outlines a risk assessment methodology for federal information systems and organizations. Since risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39, this document is meant to amplify the guidance in NIST 800-39.
In particular, this document:
- Describes each step in the risk assessment process, including preparing for, conducting, communicating the results of, and maintaining the assessment
- Explains how risk assessments and other organizational risk management processes complement and inform each other
- Provides guidance for identifying specific risk factors to monitor on an ongoing basis
NIST 800-34
Release date: May 2010
NIST 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems provides instructions, recommendations, and considerations for recovering federal information system services after a disruption. It defines a seven-step contingency planning process:
- Develop the contingency planning policy statement.
- Conduct the business impact analysis (BIA).
- Identify preventive controls.
- Create contingency strategies.
- Develop an information system contingency plan.
- Ensure plan testing, training, and exercises.
- Ensure plan maintenance.
NIST 800-37
Release date: December 2018
NIST 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy describes the Risk Management Framework (RMF), a structured but flexible approach to managing information security and privacy risks throughout the system development lifecycle.
Revision 2 of this standard covers key changes to the RMF, including the addition of the Prepare step, to achieve more cost-effective and efficient security and privacy risk management processes.
NIST 800-39
Release date: March 2011
NIST 800-39, Managing Information Security Risk: Organization, Mission, and Information System View is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. It is designed to help organizations build an integrated, organization-wide program for managing information security risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
While this publication provides a structured, flexible approach for managing risk broadly, other supporting NIST security standards and guidelines get into the more specific details of assessing, responding to, and monitoring risk on an ongoing basis.
NIST 800-60
Release date: August 2008
NIST 800-60 Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories is designed to assist organizations in categorizing information and information systems. It aligns with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
Based on those categories, organizations can then identify and apply appropriate controls according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system.
A draft of Revision 2 has been published but not finalized yet.
NIST 800-61
Release date: August 2012
NIST 800-61 Revision 2, Computer Security Incident Handling Guide provides practical guidelines on responding to computer security incidents effectively and efficiently. It focuses on key steps in the incident handling process, including detecting, analyzing, prioritizing, and handling incidents.
A draft of Revision 3 — renamed Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile — has been published but not finalized yet.
NIST 800-63
Release date: June 2017
NIST 800-63 Revision 3, Digital Identity Guidelines is a four-volume suite that defines the technical requirements for federal agencies implementing digital identity services. These requirements span several areas, including identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions. This publication is widely used to establish secure access to online services and protect sensitive user information.
A draft of Revision 4 has been published but not finalized yet.
NIST 800-82
Release date: September 2023
NIST 800-82 Revision 3, Guide to Operational Technology (OT) Security focuses on securing operational technology, which is vital to the operation of U.S. critical infrastructures. OT encompasses a wide range of systems, including industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.
This publication identifies common threats and vulnerabilities for these types of systems, and recommends security countermeasures to mitigate the associated risks. It also includes an OT-specific overlay of applicable NIST SP 800-53 controls that provides tailored baselines for low-impact, moderate-impact, and high-impact OT.
NIST 800-88
Release date: December 2014
NIST 800-88 Revision 1, Guidelines for Media Sanitization outlines best practices for effectively sanitizing and tracking storage media to prevent unauthorized recovery of sensitive information. Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.
This publication is designed to help organizations make practical sanitization decisions based on the categorization of confidentiality of their information, and covers a range of techniques like degaussing, encryption, and physical destruction.
NIST 800-115
Release date: September 2008
NIST 800-115, Technical Guide to Information Security Testing and Assessment helps organizations evaluate the effectiveness of their security controls using a range of techniques, including penetration testing, vulnerability scanning, and security audits. The aim is to identify security requirements that are not met, as well as other security weaknesses that should be addressed.
NIST 800-137
Release date: September 2011
NIST 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations focuses on a critical aspect of the risk management process: ongoing monitoring. This publication is designed to help organizations develop a continuous monitoring strategy and implement a program that provides visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls.
NIST 800-145
Release date: September 2011
NIST 800-145, The NIST Definition of Cloud Computing defines key characteristics and service models of cloud computing. It serves as a foundational document for organizations adopting cloud technologies.
NIST 800-160
Release date of Vol 1: November 2022
Release date of Vol 2: December 2021
NIST 800-160 is a two-volume suite comprising NIST SP 800-160 Vol. 1 Rev. 1, Engineering Trustworthy Secure Systems and NIST SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. The first volume describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. The second volume focuses on cyber resiliency engineering, an emerging specialty discipline that is likewise concerned with developing survivable, trustworthy secure systems.
NIST 800-171
Release date: May 2024
NIST 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides recommended security requirements for protecting sensitive government data held by contractors and third parties. These requirements are derived from the controls in NIST 800-53.
NIST 800-172
Release date: February 2021
NIST 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information is a supplement to NIST 800-171. This standard outlines additional controls for protecting highly sensitive information against advanced persistent threats (APTs).
A draft of Revision 3 has been published but not finalized yet.
NIST 800-207
Release date: August 2020
NIST 800-207, Zero Trust Architecture defines the basic principles of zero trust security, along with the logical components, use cases, and threats associated with this architecture, and offers tips for incrementally implementing zero trust principles. This approach emphasizes continuous verification of users, devices, and network activity to prevent unauthorized access in enterprise networks that increasingly encompass remote users, bring your own device (BYOD), and cloud-based assets located outside an enterprise-owned network boundary.
Another document, NIST SP 800-207A, focuses specifically on developing an architecture that can enforce granular application-level policies while meeting the runtime requirements of zero trust architecture for multi-cloud and hybrid environments.
NIST 800-218
Release date: February 2022
NIST 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities provides a set of best practices for secure software development, helping software producers mitigate vulnerabilities in software supply chains and reduce risks associated with insecure coding practices.
The goal of this framework is three-fold:
- reducing the number of vulnerabilities in released software
- mitigating the potential impact of the exploitation of undetected or unaddressed vulnerabilities
- addressing the root causes of vulnerabilities to prevent future recurrences
FAQs
What is the purpose of the NIST 800 series?
The purpose of the NIST 800 series is to address and support the security and privacy needs of U.S. federal government information and information systems. However, this series is also designed to provide cybersecurity guidelines and recommendations that are applicable to entities outside of the U.S. federal government as well.
Are all NIST 800 standards mandatory?
No, not all NIST 800 standards are mandatory. Federal Government statutes like FISMA, regulations, and policies like OMB Circular A-130 may specify whether federal agencies are required, or encouraged, to comply with certain standards. Most private sector organizations adopt them voluntarily to enhance their security posture, although they may be contractually obligated to do so.
How does NIST 800 benefit private companies?
By implementing certain NIST 800 standards, private companies can reduce cybersecurity risks, improve operational efficiency, and demonstrate compliance with certifications like CMMC, building trust with stakeholders.