5.4 National Institute of Standards and Technology (NIST)
A bureau of the Department of Commerce (DOC), NIST provides Federal standards and technical resources on information security that CISOs use to ensure agencies effectively manage risk, and that OIGs use to evaluate program maturity. (CIO Council. CISO Handbook.) OMB and DHS leverage NIST guidance as they develop mandates and initiatives. NIST creates mandatory Federal Information Processing Standards (FIPS) and provides management, operational, and technical security guidelines on a broad range of topics, including incident handling and intrusion detection, the establishment of security control baselines, and strong authentication.
- NIST publications are collected online in the Computer Security Resource Center (CSRC). NIST develops standards and guidance through a deliberative process with both Federal and civilian input.
- The Framework for Improving Critical Infrastructure Cybersecurity (referred to as the NIST Cybersecurity Framework) (USDOC. NIST Cybersecurity Framework) provides a common taxonomy and mechanism for organizations to:
  - Describe their current and target cybersecurity postures,
  - Identify and prioritize opportunities for improvement,
  - Assess progress toward their target, and
  - Communicate among internal and external stakeholders about cybersecurity risk.
- Each agency's OIG considers FIPS and NIST Special Publications (SPs) when evaluating the effectiveness of agency information security programs. NIST encourages tailoring of its guidance to agency needs; OIG expects those tailoring decisions, and the associated risk decisions, to be documented in the organization's policies, procedures, and guidance.
- The NIST Risk Management Framework (RMF) (NIST. FISMA Implementation Project) provides a foundational process that integrates security and risk management activities into the system development life cycle and brings many of the NIST documents together into an overall approach to managing risk.
- NIST's National Cybersecurity Center of Excellence (NCCoE) is a collaborative hub where industry organizations, Government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues.