NIST Framework

The National Institute of Standards and Technology (NIST) instituted the 800 Series Special Publications relating to Information Security in 1990 and has issued dozens of guidelines over that time frame in collaboration with industry, government, and academic organizations. While NIST guidance is most commonly associated with FISMA and Federal Government usage, these standards have been widely leveraged outside of the Federal Government. For example, most non-federal government entities have some form of Security Certification & Accreditation policy that aligns with or borrows heavily from NIST 800-37.

NIST Resources

Pivot Point Security’s ISMS practice area has worked extensively with the following NIST guidance:

Each entry below lists the NIST publication(s), the title(s), and how we use the guidance.

NIST: SP 800-37, SP 800-53, SP 800-30, SP 800-37
Title/Link:
  - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  - Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
  - DRAFT Guide for Conducting Risk Assessments
  - Guide for Developing Security Plans for Federal Information Systems
  - Security Considerations in the System Development Life Cycle
Usage: Leverage this guidance in our Security Certification & Accreditation Practice, predominantly for large-scale government projects

NIST: SP 800-153, SP 800-120
Title/Link:
  - DRAFT Guidelines for Securing Wireless Local Area Networks (WLANs)
  - Recommendation for EAP Methods Used in Wireless Network Access Authentication
Usage: Leverage this guidance when conducting WLAN Surveys & Configuration reviews in the government, utilities, and private sectors

NIST: SP 800-144, SP 800-145, SP 800-146
Title/Link:
  - DRAFT Cloud Computing Synopsis and Recommendations
  - A NIST Definition of Cloud Computing
  - DRAFT Guidelines on Security and Privacy in Public Cloud Computing
Usage: Leverage this guidance in the assessment of a County's Private Cloud Offering

NIST: SP 800-137, SP 800-128
Title/Link:
  - Information Security Continuous Monitoring for Federal Information Systems and Organizations
  - Guide for Security-Focused Configuration Management of Information Systems
Usage: Leverage this guidance in our 27001 Practice Area to support ISMS metrics and monitoring

NIST: SP 800-82, SP 800-127, assorted Cryptographic Key Management and Hashing SPs
Title/Link:
  - Guide to Securing WiMAX Wireless Communications
  - Guide to Industrial Control Systems (ICS) Security
Usage: Leverage during reviews of Wireless Distribution Networks in Utilities transiting DNP3/SCADA traffic

NIST: SP 800-125
Title/Link:
  - Guide to Security for Full Virtualization Technologies
Usage: Leverage this guidance in performing a design review of a State entity's VM migration

NIST: SP 800-124, SP 800-121, SP 800-111
Title/Link:
  - Guidelines on Cell Phone and PDA Security
  - DRAFT Guide to Bluetooth Security
  - Guide to Storage Encryption Technologies for End User Devices
Usage: Leverage this guidance in performing mobile device security gap assessments for multiple health-care organizations

NIST: SP 800-122
Title/Link:
  - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Usage: Leverage this guidance in all of our PII-focused Gap Assessments

NIST: SP 800-115
Title/Link:
  - Technical Guide to Information Security Testing and Assessment
Usage: Leverage this guidance in multiple Third Party Attestation-focused Security Assessments

NIST: SP 800-95
Title/Link:
  - Guide to Secure Web Services
Usage: Leverage this guidance in multiple SOA-focused Design Reviews in the government sector

NIST Articles