NIST Security Controls

The NIST (National Institute of Standards and Technology) Security Controls, cataloged in Special Publication 800-53, are a set of safeguards intended to keep information systems secure and resilient against evolving threats and to preserve the confidentiality, integrity and availability of federal and, increasingly, industry information systems.

NIST controls are widely used as a common reference: other security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the HIPAA Security Rule, FDIC and SEC security requirements and Sarbanes-Oxley (SOX) for publicly traded companies are routinely mapped to them. In NIST 800-53 Rev 4 the controls are grouped into 18 families:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition

Business leaders and security professionals need a working understanding of the NIST security controls: what each control requires, how it is implemented, and who in the organization owns the associated cybersecurity risk. Compliance depends on that ownership being clear.

The NIST Cybersecurity Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines and practices, for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's EO 13636 role.

Created through collaboration between industry and government, the framework consists of standards, guidelines and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

NIST 800-171 & 800-53

The Department of Defense, through the DFARS 252.204-7012 clause, requires all contractors, subcontractors and vendors in its supply chain to implement a set of requirements designed to protect Controlled Unclassified Information (CUI) on non-government networks; those requirements are the ones defined in NIST 800-171.

The protection of CUI residing in nonfederal systems and organizations matters to federal agencies because a compromise can directly affect the government's ability to carry out its missions and business operations. NIST 800-171 gives federal agencies a set of recommended security requirements for protecting the confidentiality of CUI that apply when all three of the following hold:

  1. the information resides in a nonfederal system or organization;
  2. the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, and is not using or operating a system on behalf of an agency; and
  3. no specific safeguarding requirements for protecting the confidentiality of that CUI are prescribed by the authorizing law, regulation or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.

Where a nonfederal organization does operate a system on behalf of an agency, the agency's own NIST 800-53 requirements apply instead of 800-171.

The security requirements apply to all components of nonfederal systems and organizations that process, store or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

NIST 800-171 is shorter and simpler than the full NIST 800-53 catalog. NIST 800-53 Rev 4 contains 965 controls and control enhancements across 18 control families, from which a baseline is selected for each system according to the sensitivity and classification of the data it handles; NIST 800-171 (Rev 1 and Rev 2) consists of 110 requirements drawn from 14 of those 18 families, covering only what is needed to protect the confidentiality of CUI. These counts change between revisions: 800-53 Rev 5 reorganizes the catalog into 20 families, and 800-171 Rev 3 reduces the list to 97 requirements in 17 families, so confirm which revision a given contract or agreement actually cites.

InfoSystems can help.

NIST security controls are part of an always-evolving set of guidelines that are subject to revision and updates as cyber threats dictate. The most recent revisions implement a proactive and systematic approach to address threats to various computing platforms, including mobile and cloud platforms, Internet of Things (IoT) devices, and other cyber-physical systems. 

All businesses are encouraged to comply with the NIST security controls and the Cybersecurity Framework and to be proactive in managing their security systems. InfoSystems proudly assists companies in various industries in achieving and maintaining NIST 800-171 and 800-53 compliance.

InfoSystems’ cybersecurity principles are simple.

Be your trusted compliance and risk program advisor

Deliver cost-effective technology to reduce enterprise-wide risk

Provide expert services to complement internal IT teams

Detect and respond to threats on your organization's behalf

Bring information security leadership to businesses of all sizes
