NIST Framework

The National Institute of Standards and Technology (NIST) instituted the 800 Series Special Publications relating to Information Security in 1990 and has issued dozens of guidelines over that time frame in collaboration with industry, government, and academic organizations. While NIST guidance is most commonly associated with FISMA and Federal Government usage, these standards have been widely leveraged outside of the Federal Government. For example, most non-federal government entities have some form of Security Certification & Accreditation policy that aligns with or borrows heavily from NIST 800-37.

NIST Resources

Pivot Point Security’s ISMS practice area has worked extensively with the following NIST guidance:

Each entry below lists the NIST publication(s), the title of each document (with the file name of the linked PDF where one was provided), and how we use that guidance.

SP 800-37, SP 800-53, SP 800-30, SP 800-37
    Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (sp800-37-rev1-final.pdf)
    Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (sp800-53A-rev1-final.pdf)
    DRAFT Guide for Conducting Risk Assessments (SP800-30-Rev1-ipd.pdf)
    Guide for Developing Security Plans for Federal Information Systems (sp800-18-Rev1-final.pdf)
    Security Considerations in the System Development Life Cycle
    Usage: Leverage this guidance in our Security Certification & Accreditation Practice, predominantly for large-scale government projects

SP 800-153, SP 800-120
    DRAFT Guidelines for Securing Wireless Local Area Networks (WLANs) (Draft-SP800-153.pdf)
    Recommendation for EAP Methods Used in Wireless Network Access Authentication
    Usage: Leverage this guidance when conducting WLAN Surveys & Configuration reviews in the government, utilities, and private sectors

SP 800-144, SP 800-145, SP 800-146
    DRAFT Cloud Computing Synopsis and Recommendations (Draft-NIST-SP800-146.pdf)
    A NIST Definition of Cloud Computing (SP800-145.pdf)
    DRAFT Guidelines on Security and Privacy in Public Cloud Computing
    Usage: Leverage this guidance in the assessment of a County's Private Cloud Offering

SP 800-137, SP 800-128
    Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP800-137-Final.pdf)
    Guide for Security-Focused Configuration Management of Information Systems
    Usage: Leverage this guidance in our 27001 Practice Area to support ISMS metricizing/monitoring

SP 800-133 and related, SP 800-82, SP 800-127
    Assorted Cryptographic Key Management and Hashing SPs
    Guide to Securing WiMAX Wireless Communications (sp800-127.pdf)
    Guide to Industrial Control Systems (ICS) Security
    Usage: Leverage during reviews of Wireless Distribution Networks in Utilities transiting DNP3/SCADA traffic

SP 800-125
    Guide to Security for Full Virtualization Technologies
    Usage: Leverage this guidance in performing a design review of a State entity's VM migration

SP 800-124, SP 800-121, SP 800-111
    Guidelines on Cell Phone and PDA Security (SP800-124.pdf)
    DRAFT Guide to Bluetooth Security (Draft-SP800-121_Rev1.pdf)
    Guide to Storage Encryption Technologies for End User Devices
    Usage: Leverage this guidance in performing mobile device security gap assessments for multiple health-care organizations

SP 800-122
    Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
    Usage: Leverage this guidance in all of our PII-focused Gap Assessments

SP 800-115
    Technical Guide to Information Security Testing and Assessment
    Usage: Leverage this guidance in multiple Third Party Attestation focused Security Assessments

SP 800-95
    Guide to Secure Web Services
    Usage: Leverage this guidance in multiple SOA-focused Design Reviews in the government sector