Here’s How to Tailor NIST Cybersecurity Guidance to Your Unique Needs

Last Updated on January 13, 2024

The US National Institute of Standards and Technology (NIST) is the organization that develops all kinds of standards and guidelines for US federal government entities, as well as comprehensive guidance for voluntary public sector use. NIST cybersecurity publications are leveraged worldwide and inform a wide range of regulations and frameworks, such as ISO 27001 and ISO 27701.

But the security experts at NIST have a tough row to hoe: creating security guidance that is applicable not only across the incredibly diverse missions of massive US federal agencies like NASA, the Department of Homeland Security, the Department of Justice and the Department of Agriculture, but also businesses of any size, serving every conceivable industry from healthcare to financial services to retail.

As Dr. Ron Ross, who leads development of NIST’s information security and privacy publications, shared on a recent episode of The Virtual CISO Podcast, a one-size-fits-all approach was rejected at the outset: “You almost had to go down a road like we did, where you have a very large, broad set of safeguards and countermeasures, but the ability to give some guidance initially on where you think they ought to start. From there, you empower the agencies or the private sector companies to customize as they see fit. That’s the power of risk management and that’s missed by a lot of people, unfortunately.” 
For example, NIST maintains a colossal catalog of security controls. But the majority of these would be optional, if not downright redundant, for most organizations. As a starting point for identifying which controls to implement, NIST developed three different control baselines that map to low-, medium- and high-impact risk categories for your data. 

To support more effective cybersecurity implementations, the US government now defines just three basic “buckets” where your data would fall: 

1. Classified Information, which is controlled by statute 
2. Controlled Unclassified Information (CUI) 
3. Everything else

You can protect all of those different data types with the appropriate security controls in NIST SP 800-53. But there’s a flip side to this simplicity: you can end up with a lot of data or system types at the same risk level, typically medium/moderate impact.  
For example, Dr. Ross notes that, according to the Office of Management and Budget (OMB), about 70% of US federal systems are moderate impact systems, which is the level corresponding to handling CUI. But are those thousands of systems all really equal in terms of criticality or sensitivity?
Once again, NIST to the rescue. “It turns out you can actually use FIPS 199 [Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems] kind of recursively,” clarifies Dr. Ross. “You can go take those moderate systems and you can do another FIPS 199 categorization, so to speak, by defining all of your modern systems as low-moderate, moderate-moderate, and high–moderate.”
Thanks to that second level of categorization, you can better tailor your controls, and/or put more focus on the higher-risk environments.  
If you need to understand any cybersecurity framework in detail, be sure to catch this show with Dr. Ron Ross on how to make NIST publications work for you.  
To listen to this show, and also peruse our large and growing array of information security podcasts, you can subscribe to The Virtual CISO Podcast here.  
If you don’t use Apple Podcasts, you can access all our episodes here.  

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.

Download Now!