November 24, 2020

Last Updated on January 13, 2024

The US National Institute of Standards and Technology (NIST) is the organization that develops all kinds of standards and guidelines for US federal government entities, as well as comprehensive guidance for voluntary public sector use. NIST cybersecurity publications are leveraged worldwide and inform a wide range of regulations and frameworks, such as ISO 27001 and ISO 27701.

But the security experts at NIST have a tough row to hoe: creating security guidance that is applicable not only across the incredibly diverse missions of massive US federal agencies like NASA, the Department of Homeland Security, the Department of Justice and the Department of Agriculture, but also businesses of any size, serving every conceivable industry from healthcare to financial services to retail.

As Dr. Ron Rosswho leads development of NIST’s information security and privacy publications, shared on a recent episode of The Virtual CISO Podcasta one-size-fits-all approach was rejected at the outset: “You almost had to go down a road like we did, where you have a very large, broad set of safeguards and countermeasures, but the ability to give some guidance initially on where you think they ought to start. From there, you empower the agencies or the private sector companies to customize as they see fit. That’s the power of risk management and that’s missed by a lot of people, unfortunately. 
For example, NIST maintains a colossal catalog of security controls. But the majority of these would be optional, if not downright redundant, for most organizations. As a starting point for identifying which controls to implement, NIST developed three different control baselines that map to low-, medium- and high-impact risk categories for your data. 

Dr. Ross explains: “The idea was that once an agency or company completes the [data] categorization and do the risk assessment, then they can grab one of those baselines and that’s their starting point for doing what we call tailoring. And the tailoring process is really where you customize those controls. You may take out some of the controls because maybe some technology can’t support certain controls. Or maybe you add a few controls because you know your organization is a target of [an advanced] adversary. So that tailoring process ends up giving you a tailored baseline. And those are the controls that then go into your security plan and that’s what you actually execute to.”



For organizations that have a lot of different data classifications, mapping these to appropriate security categories can be challenging. To help, NIST offers its Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.
One entity that knows all about too many data classifications is the US federal government. Dr. Ross relates: “If you get too complicated, people aren’t going to be able to implement effectively. 

To support more effective cybersecurity implementations, the US government now defines just three basic buckets where your data would fall: 

  1. Classified Information, which is controlled by statute 
  2. Controlled Unclassified Information (CUI) 
  3. Everything else

You can protect all of those different data types with the appropriate security controls in NIST SP 800-53. But there’s a flip side to this simplicity: you can end up with a lot of data or system types at the same risk level, typically medium/moderate impact.  
For example, Dr. Ross notes that, according to the Office of Management and Budget (OMB), about 70% of US federal systems are moderate impact systems, which is the level corresponding to handling CUI. But are those thousands of systems all really equal in terms of criticality or sensitivity?
Once again, NIST to the rescue. “It turns out you can actually use FIPS 199 [Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systemskind of recursively,” clarifies Dr. Ross. “You can go take those moderate systems and you can do another FIPS 199 categorization, so to speak, by defining all of your modern systems as low-moderate, moderate-moderate, and highmoderate.
Thanks to that second level of categorization, you can better tailor your controls, and/or put more focus on the higher-risk environments.  
If you need to understand any cybersecurity framework in detail, be sure to catch this show with Dr. Ron Ross on how to make NIST publications work for you 
To listen to this show, and also peruseour large and growing array of information security podcasts, you can subscribe to The Virtual CISO Podcast here. 
If you don’t use Apple Podcasts, you can access all our episodes here.