August 8, 2022 By C.J. Haughey 4 min read

It’s never been harder to be a chief information security officer (CISO). In 2021, there were 50% more attacks each week compared to 2020. Without a plan, maintaining a robust security posture is an uphill struggle.

Thankfully, the National Institute of Standards and Technology (NIST) offers CISOs the guidance they need. Read on to learn more about NIST, why it matters and how it can help your company protect against cybersecurity threats.

What is NIST?

NIST is a non-regulatory government agency that produces and maintains a set of crucial cybersecurity standards for information systems.

This division within the U.S. Department of Commerce promotes industrial competitiveness and innovation in science and technology. Their guidelines and standards aim to help federal agencies meet the government requirements of the Federal Information Security Management Act.

CISOs can find multiple benefits from adopting best practices from NIST. By embracing the guidelines, you can:

  • Distribute sensitive data to the correct people in a safe manner
  • Protect critical infrastructure and information from insider threats, human error and cybersecurity fatigue
  • Assist IT with handling malware, evolving threat types and attack vectors
  • Meet other government regulations.

What are NIST standards?

NIST standards are a set of recommended best practices that help organizations build, improve and maintain a robust cybersecurity posture.

According to the NIST website, the framework core is “a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors.”

With the NIST guidelines, CISOs and security teams can improve how they identify, prevent and respond to threats. It can also help you recover in the wake of any incidents.

Within these best practices, there are five core functions:

  • Identify: Know how to manage cybersecurity risk. Identify the critical data, systems, assets and capabilities you must protect.

  • Protect: Implement security measures that limit or contain the impact of incidents. For example, install solutions, review company policies and train employees on safe data handling.

  • Detect: Devise a well-planned strategy with clear procedures and tools to detect incidents. With greater visibility, you enable timely discovery of cybersecurity events.

  • Respond: Create incident response plans that outline appropriate action steps in the wake of an attack. This step helps CISOs and their teams quickly eliminate threats, respond to any breaches and mitigate damage.

  • Recover: Design a disaster recovery policy that supports timely recovery to normal operations. Aside from restoring data and services, your team can learn from every event and improve resilience and strategies for the future.

Why do CISOs need NIST?

When it comes to protecting your data, NIST is the gold standard. That said, the government does not mandate it for every industry. CISOs should comply with NIST standards, but business leaders can handle risk management with whichever approach and standards they believe will best suit their business model.

However, federal agencies must use these standards. As the U.S. government endorses NIST, it came as little surprise when Washington declared these standards the official security control guidelines for information systems at federal agencies in 2017.

Similarly, if CISOs work with the federal government as contractors or subcontractors, they must follow NIST security standards. With that in mind, any contractor who has a history of NIST noncompliance may be excluded from future government contracts.

Key standards

The Cybersecurity Framework is one of the most widely adopted standards from NIST. While optional, this framework is a trusted resource that many companies adhere to when attempting to reduce risk and improve their cybersecurity systems and management. Visit the NIST website to learn more about the latest updates.

In addition, many of the most popular standards are part of the NIST 800 series. This Special Publication series of documents contains U.S. government procedures, technical standards, policies and guidelines on information systems. Here are some of the key documents in the NIST 800 series:

  • 800-37: These guidelines show how to apply the Risk Management Framework (RMF) to information systems and organizations. Guidelines include best practices around RMF roles, responsibilities and life cycle process.
  • 800-53: This set of security and privacy control guidelines helps teams handle and protect data on federal information systems to protect operations, assets and people.

  • 800-171: This standard seeks to protect controlled unclassified information from being accessed by unwanted parties. Since 2019, the Department of Defense has switched focus to its Cybersecurity Maturity Model Certification program. This will someday replace SP 800-171.

Additional resources

NIST also offers tools, white papers and other resources.

  • NISTIR: The NIST Interagency or Internal Report contains interim or final reports on any work that NIST performed for outside sponsors — both government and non-government entities.
  • The NIST Cybersecurity Supply Chain Risk Management: This program helps manage the threats impacting supply chains.
  • Cybersecurity and Privacy Reference Tool: Security teams can search, browse and export this collection of datasets, which comprise nine NIST frameworks and other documents.

Visit the NIST resources page for a full list of tools and documents.

The trusted standard

While federal agencies must comply with NIST standards, they’re also important for many companies. They are even more critical for companies that handle a lot of data. In a time when threats are constantly evolving, defending teams must always look for ways to stay one step ahead of would-be attackers.

The highest levels of government endorse the NIST framework and trust the standards to protect their organizations, systems, data and people. CISOs need to look no further when they need a framework to establish a new program or strengthen their existing security posture.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today