NIST is a U.S. Department of Commerce agency that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology.
NIST develops cybersecurity frameworks, standards, and guidelines to help organisations manage risks, protect systems, and comply with regulations; it does not enforce compliance.
NIST does the following:
Develops Standards and Frameworks: NIST creates comprehensive guidelines and frameworks, such as the NIST Cybersecurity Framework (CSF), to help organisations manage their cybersecurity risks effectively.
Provides Control Guidelines: Such as Special Publication 800-53, which provides a robust set of security and privacy controls that organisations can implement to protect their information systems.
Facilitates Risk Management: The frameworks and guidelines provided by NIST enable organisations to identify vulnerabilities, mitigate risks, and build a proactive approach to cybersecurity.
Supports Compliance Efforts: NIST standards and frameworks help organisations meet legal and regulatory requirements by providing a structured approach to security management and data protection.
NIST Cybersecurity Framework (CSF)
A set of comprehensive guidelines and best practices developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk.
Core Functions
Identify - Understand the organisational context, assets, and risks
Protect - Implement safeguards to ensure service delivery
Detect - Develop activities to identify cybersecurity events
Respond - Take action regarding detected incidents
Recover - Restore capabilities after a cybersecurity event
Implementation Tiers
Tier 1: Partial
Tier 2: Risk-Informed
Tier 3: Repeatable
Tier 4: Adaptive
NIST Cybersecurity Framework (CSF)
Provides a voluntary, risk-based framework for organisations to identify, protect, detect, respond to, and recover from cybersecurity threats. Widely used across industries.
NIST Privacy Framework
Companion to the CSF, focused on helping organisations identify and manage privacy risks in data processing while aligning with business and compliance needs.
NIST SP 800-37 - Risk Management Framework (RMF)
Defines a structured process for integrating security, privacy, and risk management into the system development lifecycle (SDLC).
NIST SP 800-53 - Security and Privacy Controls for Information Systems
A catalogue of security and privacy controls for federal information systems and organisations, adaptable to non-federal use.
NIST SP 800-53B - Control Baselines for Information Systems
Provides baseline control sets for different impact levels (low, moderate, high) to simplify implementation.
NIST SP 800-39 - Managing Information Security Risk
Guidance on organisation-wide risk management strategy, including governance and oversight.
NIST SP 800-61 (Rev. 2) - Computer Security Incident Handling Guide
Offers best practices for establishing and maintaining effective incident response capabilities.
NIST SP 800-137 - Information Security Continuous Monitoring (ISCM)
Guidance on maintaining ongoing awareness of information security status, vulnerabilities, and threats.
NIST SP 800-63 - Digital Identity Guidelines
Covers identity proofing, authentication, and lifecycle management, including multifactor authentication and identity assurance levels.
NIST SP 800-161 - Cybersecurity Supply Chain Risk Management
Recommendations for managing risks associated with the supply chain for ICT products and services.
NIST SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Guidance for safeguarding PII through identification, minimisation, and protection practices.
NIST SP 800-144 - Guidelines on Security and Privacy in Public Cloud Computing
Provides security and privacy considerations when using public cloud services.
NIST SP 800-207 - Zero Trust Architecture
Guidance for implementing zero trust principles to improve cybersecurity and privacy posture.
NIST SP 1800 series - NIST Cybersecurity Practice Guides
Practical, "how-to" guides for implementing and applying standards-based cybersecurity solutions.
FIPS 199 - Security Categorisation
Categorise systems by impact level (Low/Moderate/High) for each of Confidentiality, Integrity, and Availability to drive baseline selection and due diligence.
FIPS 200 - Minimum Security Requirements
Defines the minimum due diligence requirements across 17 security-related areas aligned with the SP 800-53 control families.