
What You Need to Know About Important NIST Frameworks, Standards, and Security Controls

Part I

If you have been hearing the word “cybersecurity” ten times more often than you used to, that is no surprise. The Covid pandemic changed the digital space for good, and the U.S. Federal government continues to push for improvements in cybersecurity.

In the aftermath of the Covid-19 crisis, “Worldwide end-user spending on public cloud services is forecast to grow 20.7% to total $591.8 billion in 2023, up from $490.3 billion in 2022, according to the latest forecast from Gartner, Inc. This is higher than the 18.8% growth forecast for 2022.” [1]

On March 1, 2023, President Biden released the National Cybersecurity Strategy [2], which announced that the “…Administration is investing $65 billion to make sure every American has access to reliable, high-speed Internet.” The strategy also recognizes that collaboration between the public and private sectors is of utmost importance in maintaining the security of cyberspace.

Whether you work in the private or public sector in the U.S., are just getting started in cybersecurity, or are simply curious about the topic, you will want to keep the National Institute of Standards and Technology (NIST) at the top of your list.

According to NIST’s Cybersecurity site, “NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.” The NIST Special Publications (SP) are part of this effort. We are particularly interested in the SP 800 series, one of several sub-series, which is dedicated to computer security.

In this blog series, we are going to explore the following eight NIST frameworks, standards, and security controls to keep in mind when working for the Federal U.S. Government:

  • CSF 1.0: Cybersecurity Framework (version 2.0 almost ready at the time of this write-up)
  • FIPS PUB 200: Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-37: Risk Management Framework for Information Systems and Organizations
  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-207: Zero Trust Architecture
  • NIST SP 800-218: Secure Software Development Framework (SSDF)

Although it is not directly related to the U.S. Federal space, Artificial Intelligence (AI) now dominates the majority of technology conversations happening today. Therefore, I want to call out the AI RMF in particular for cybersecurity folks to keep an eye on:

  • AI RMF: AI Risk Management Framework

Want to see other frameworks included or let me know your thoughts about this write-up? Get in touch!

In Part II, I will break down each of the eight frameworks listed above and dive into some common use cases and how they are applied in industry.