NIST
NIST Framework
The National Institute of Standards and Technology (NIST) instituted the 800 Series Special Publications relating to Information Security in 1990 and has issued dozens of guidelines over that time frame in collaboration with industry, government, and academic organizations. While NIST guidance is most commonly associated with FISMA and Federal Government usage, these standards have been widely leveraged outside of the Federal Government. For example, most non-federal government entities have some form of Security Certification & Accreditation policy that aligns with or borrows heavily from NIST 800-37.
NIST Resources
Pivot Point Security’s ISMS practice area has worked extensively with the following NIST guidance:
| NIST | Title/Link | Usage |
|---|---|---|
| SP 800-37, SP 800-53A, SP 800-30, SP 800-18, SP 800-64 | Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (sp800-37-rev1-final.pdf); Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (sp800-53A-rev1-final.pdf); DRAFT Guide for Conducting Risk Assessments (SP800-30-Rev1-ipd.pdf); Guide for Developing Security Plans for Federal Information Systems (sp800-18-Rev1-final.pdf); Security Considerations in the System Development Life Cycle (SP800-64-Revision2.pdf) | Leveraged in our Security Certification & Accreditation practice, predominantly for large-scale government projects |
| SP 800-153, SP 800-120 | DRAFT Guidelines for Securing Wireless Local Area Networks (WLANs) (Draft-SP800-153.pdf); Recommendation for EAP Methods Used in Wireless Network Access Authentication (sp800-120.pdf) | Leveraged when conducting WLAN surveys and configuration reviews in the government, utilities, and private sectors |
| SP 800-144, SP 800-145, SP 800-146 | DRAFT Cloud Computing Synopsis and Recommendations (Draft-NIST-SP800-146.pdf); A NIST Definition of Cloud Computing (SP800-145.pdf); DRAFT Guidelines on Security and Privacy in Public Cloud Computing (Draft-SP-800-144_cloud-computing.pdf) | Leveraged in the assessment of a County’s private cloud offering |
| SP 800-137, SP 800-128 | Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP800-137-Final.pdf); Guide for Security-Focused Configuration Management of Information Systems (sp800-128.pdf) | Leveraged in our ISO 27001 practice area to support ISMS metrics and monitoring |
| SP 800-133 and related, SP 800-82, SP 800-127 | Assorted Cryptographic Key Management and Hashing SPs; Guide to Securing WiMAX Wireless Communications (sp800-127.pdf); Guide to Industrial Control Systems (ICS) Security (SP800-82-final.pdf) | Leveraged during reviews of wireless distribution networks in utilities transiting DNP3/SCADA traffic |
| SP 800-125 | Guide to Security for Full Virtualization Technologies (SP800-125-final.pdf) | Leveraged in performing a design review of a State entity’s VM migration |
| SP 800-124, SP 800-121, SP 800-111 | Guidelines on Cell Phone and PDA Security (SP800-124.pdf); DRAFT Guide to Bluetooth Security (Draft-SP800-121_Rev1.pdf); Guide to Storage Encryption Technologies for End User Devices (SP800-111.pdf) | Leveraged in performing mobile device security gap assessments for multiple health-care organizations |
| SP 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (sp800-122.pdf) | Leveraged in all of our PII-focused gap assessments |
| SP 800-115 | Technical Guide to Information Security Testing and Assessment (SP800-115.pdf) | Leveraged in multiple third-party-attestation-focused security assessments |
| SP 800-95 | Guide to Secure Web Services (SP800-95.pdf) | Leveraged in multiple SOA-focused design reviews in the government sector |