A Guide to NIST Standards and Frameworks
As a general best practice, organizations of all sizes try to adhere to widely accepted security standards and frameworks. This piece details key NIST frameworks and provides an overview for adoption to improve your organization’s security posture.
What are NIST Frameworks?
NIST is a non-regulatory agency that works alongside industry and academia to offer guidance in many disciplines and technologies, including managing and reducing cybersecurity risks. NIST frameworks are designed to bring uniformity to cybersecurity and limit risk, while promoting innovation by advancing and improving security quality standards. NIST continues to add new security documents that provide valuable infosec guidance, such as its Zero Trust Architecture framework and Supply Chain Risk Management guidance (see below), along with work to aid small businesses and emerging technologies.
Key NIST security frameworks are outlined below.
NIST Cybersecurity Framework (CSF)
A key security document, the NIST Cybersecurity Framework is designed to encourage organizations to align and prioritize cybersecurity activities with business/mission requirements. Adopting the CSF has been invaluable in helping security teams assess and identify cybersecurity risks as part of a standardized risk management process.
Federal agencies and their contractors must comply with NIST’s CSF. Private sector businesses are not required to comply with NIST standards, but there are many benefits to doing so. Organizations of any size, and of any degree of security risk or sophistication, can use this framework to improve their security and resilience. Because the CSF is a powerful, flexible framework, many major organizations and agencies use its guidance as a security standard.
NIST Risk Management Framework (RMF)
NIST’s Risk Management Framework was designed to integrate security, privacy, and supply chain management issues into the development life cycle of a system or environment. The framework can be applied to new systems and legacy systems, and to any type of technology within an organization. The RMF provides a comprehensive, flexible, repeatable and measurable seven-step process that any organization can use to manage information security and privacy risk. Fully reinforcing risk management across an organization’s functions, the RMF links to a suite of supporting NIST standards and guidelines.
NIST Privacy Framework (PF)
The NIST Privacy Framework improves privacy through enterprise risk management. A voluntary framework, the PF helps organizations consider critical questions including:
- Do we consider the privacy impacts to individuals as we develop our systems, products, and services?
- Do we manage privacy risks in a consistent way?
- Does our privacy program adapt to organization needs and current regulatory requirements?
The PF supports ethical decision-making in product design and deployment and optimizes beneficial uses of data while minimizing adverse consequences. NIST’s Privacy Framework is a flexible and practical tool that is adaptable to any organization's role in the data processing ecosystem.
A helpful related NIST privacy document, the new NIST SP 800-53B, Control Baselines for Information Systems and Organizations contains three security baselines and one privacy baseline established for federal agencies to support their specific requirements.
NIST Controlled Unclassified Information (CUI) Framework
NIST’s CUI Framework, SP 800-171, is a subset of requirements taken directly from the NIST Privacy Framework 800-53 publication that specifically apply to controlled unclassified information shared by the federal government with a non-federal entity. The controls protect CUI in non-federal IT systems from unauthorized disclosure. The CUI framework provides guidance to ensure certain types of federal information are protected when processed, stored, and used in non-federal information systems.
The CUI framework is beneficial as it standardizes methods for U.S. government agencies and the military to handle unclassified information requiring safeguarding and promotes authorized information-sharing.
NIST Cyber Supply Chain Risk Management (C-SCRM)
Supply chains are becoming increasingly complex, which makes them prime targets for cybercriminals. NIST’s Cyber Supply Chain Risk Management Framework helps organizations reduce the cybersecurity risks in their supply chains and highlights any increased security risks in an organization’s supply chain. C-SCRM provides a process for identifying, assessing, and mitigating the risks associated with the interconnection of IT and OT product and service supply chains.
C-SCRM frameworks help decrease the chances of a supply chain incident by improving an organization’s ability to effectively detect, respond to, and recover from security incidents that could result in significant business disruptions.
NIST security framework adoption within your organization should be considered a long-term, iterative process implemented gradually. While they can be challenging to implement, NIST frameworks are a valuable investment that significantly bolsters the security maturity of your organization, regardless of its stage.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
