August 8, 2022 By C.J. Haughey 4 min read

It’s never been harder to be a chief information security officer (CISO). In 2021, there were 50% more attacks each week compared to 2020. Without a plan, maintaining a robust security posture is an uphill struggle.

Thankfully, the National Institute of Standards and Technology (NIST) offers CISOs the guidance they need. Read on to learn more about NIST, why it matters and how it can help your company protect against cybersecurity threats.

What is NIST?

NIST is a non-regulatory government agency that produces and maintains a set of crucial cybersecurity standards for information systems.

This division within the U.S. Department of Commerce promotes industrial competitiveness and innovation in science and technology. Their guidelines and standards aim to help federal agencies meet the government requirements of the Federal Information Security Management Act.

CISOs can find multiple benefits from adopting best practices from NIST. By embracing the guidelines, you can:

  • Distribute sensitive data to the correct people in a safe manner
  • Protect critical infrastructure and information from insider threats, human error and cybersecurity fatigue
  • Assist IT with handling malware, evolving threat types and attack vectors
  • Meet other government regulations.

What are NIST standards?

NIST standards are a set of recommended best practices that help organizations build, improve and maintain a robust cybersecurity posture.

According to the NIST website, the framework core is “a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors.”

With the NIST guidelines, CISOs and security teams can improve how they identify, prevent and respond to threats. It can also help you recover in the wake of any incidents.

Within these best practices, there are five core functions:

  • Identify: Know how to manage cybersecurity risk. Identify the critical data, systems, assets and capabilities you must protect.

  • Protect: Implement security measures that limit or contain the impact of incidents. For example, install solutions, review company policies and train employees on safe data handling.

  • Detect: Devise a well-planned strategy with clear procedures and tools to detect incidents. With greater visibility, you enable timely discovery of cybersecurity events.

  • Respond: Create incident response plans that outline appropriate action steps in the wake of an attack. This step helps CISOs and their teams quickly eliminate threats, respond to any breaches and mitigate damage.

  • Recover: Design a disaster recovery policy that supports timely recovery to normal operations. Aside from restoring data and services, your team can learn from every event and improve resilience and strategies for the future.

Why do CISOs need NIST?

When it comes to protecting your data, NIST is the gold standard. That said, the government does not mandate it for every industry. CISOs should comply with NIST standards, but business leaders can handle risk management with whichever approach and standards they believe will best suit their business model.

However, federal agencies must use these standards. As the U.S. government endorses NIST, it came as little surprise when Washington declared these standards the official security control guidelines for information systems at federal agencies in 2017.

Similarly, if CISOs work with the federal government as contractors or subcontractors, they must follow NIST security standards. With that in mind, any contractor who has a history of NIST noncompliance may be excluded from future government contracts.

Key standards

The Cybersecurity Framework is one of the most widely adopted standards from NIST. While optional, this framework is a trusted resource that many companies adhere to when attempting to reduce risk and improve their cybersecurity systems and management. Visit the NIST website to learn more about the latest updates.

In addition, many of the most popular standards are part of the NIST 800 series. This Special Publication series of documents contains U.S. government procedures, technical standards, policies and guidelines on information systems. Here are some of the key documents in the NIST 800 series:

  • 800-37: These guidelines show how to apply the Risk Management Framework (RMF) to information systems and organizations. Guidelines include best practices around RMF roles, responsibilities and life cycle process.
  • 800-53: This set of security and privacy control guidelines helps teams handle and protect data on federal information systems to protect operations, assets and people.

  • 800-171: This standard seeks to protect controlled unclassified information from being accessed by unwanted parties. Since 2019, the Department of Defense has switched focus to its Cybersecurity Maturity Model Certification program. This will someday replace SP 800-171.

Additional resources

NIST also offers tools, white papers and other resources.

  • NISTIR: The NIST Interagency or Internal Report contains interim or final reports on any work that NIST performed for outside sponsors — both government and non-government entities.
  • The NIST Cybersecurity Supply Chain Risk Management: This program helps manage the threats impacting supply chains.
  • Cybersecurity and Privacy Reference Tool: Security teams can search, browse and export this collection of datasets, which comprise nine NIST frameworks and other documents.

Visit the NIST resources page for a full list of tools and documents.

The trusted standard

While federal agencies must comply with NIST standards, they’re also important for many companies. They are even more critical for companies that handle a lot of data. In a time when threats are constantly evolving, defending teams must always look for ways to stay one step ahead of would-be attackers.

The highest levels of government endorse the NIST framework and trust the standards to protect their organizations, systems, data and people. CISOs need to look no further when they need a framework to establish a new program or strengthen their existing security posture.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today