It’s never been harder to be a chief information security officer (CISO). In 2021, there were 50% more attacks each week compared to 2020. Without a plan, maintaining a robust security posture is an uphill struggle. 

Thankfully, the National Institute of Standards and Technology (NIST) offers CISOs the guidance they need. Read on to learn more about NIST, why it matters and how it can help your company protect against cybersecurity threats. 

What Is NIST?

NIST is a non-regulatory government agency that produces and maintains a set of crucial cybersecurity standards for information systems. 

This division within the U.S. Department of Commerce promotes industrial competitiveness and innovation in science and technology. Its guidelines and standards aim to help federal agencies meet the government requirements of the Federal Information Security Management Act.

CISOs can find multiple benefits from adopting best practices from NIST. By embracing the guidelines, you can:

  • Distribute sensitive data to the correct people in a safe manner
  • Protect critical infrastructure and information from insider threats, human error and cybersecurity fatigue
  • Assist IT with handling malware, evolving threat types and attack vectors
  • Meet other government regulations.

What Are NIST Standards?

NIST standards are a set of recommended best practices that help organizations build, improve and maintain a robust cybersecurity posture. 

According to the NIST website, the framework core is “a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors.”

With the NIST guidelines, CISOs and security teams can improve how they identify, prevent and respond to threats. The guidelines can also help you recover in the wake of an incident.

Within these best practices, there are five core functions:

  • Identify: Know how to manage cybersecurity risk. Identify the critical data, systems, assets and capabilities you must protect. 

  • Protect: Implement security measures that limit or contain the impact of incidents. For example, install solutions, review company policies and train employees on safe data handling.

  • Detect: Devise a well-planned strategy with clear procedures and tools to detect incidents. With greater visibility, you enable timely discovery of cybersecurity events.

  • Respond: Create incident response plans that outline appropriate action steps in the wake of an attack. This step helps CISOs and their teams quickly eliminate threats, respond to any breaches and mitigate damage.

  • Recover: Design a disaster recovery policy that supports timely recovery to normal operations. Aside from restoring data and services, your team can learn from every event and improve resilience and strategies for the future.

Why Do CISOs Need NIST? 

When it comes to protecting your data, NIST is the gold standard. That said, the government does not mandate it for every industry. CISOs should comply with NIST standards, but business leaders can handle risk management with whichever approach and standards they believe will best suit their business model. 

However, federal agencies must use these standards. As the U.S. government endorses NIST, it came as little surprise when Washington declared these standards the official security control guidelines for information systems at federal agencies in 2017.

Similarly, if CISOs work with the federal government as contractors or subcontractors, they must follow NIST security standards. With that in mind, any contractor who has a history of NIST noncompliance may be excluded from future government contracts.

Key Standards

The Cybersecurity Framework is one of the most widely adopted standards from NIST. While optional, this framework is a trusted resource that many companies adhere to when attempting to reduce risk and improve their cybersecurity systems and management. Visit the NIST website to learn more about the latest updates.

In addition, many of the most popular standards are part of the NIST 800 series. This Special Publication series of documents contains U.S. government procedures, technical standards, policies and guidelines on information systems. Here are some of the key documents in the NIST 800 series:

  • 800-37: These guidelines show how to apply the Risk Management Framework (RMF) to information systems and organizations. Guidelines include best practices around RMF roles, responsibilities and life cycle process.

  • 800-53: This set of security and privacy control guidelines helps teams handle and protect data on federal information systems to protect operations, assets and people.

  • 800-171: This standard seeks to protect controlled unclassified information from being accessed by unwanted parties. Since 2019, the Department of Defense has switched focus to its Cybersecurity Maturity Model Certification program. This will someday replace SP 800-171.

Additional Resources

NIST also offers tools, white papers and other resources. 

  • NISTIR: The NIST Interagency or Internal Report contains interim or final reports on any work that NIST performed for outside sponsors — both government and non-government entities.
  • The NIST Cybersecurity Supply Chain Risk Management: This program helps manage the threats impacting supply chains.
  • Cybersecurity and Privacy Reference Tool: Security teams can search, browse and export this collection of datasets, which comprise nine NIST frameworks and other documents.

Visit the NIST resources page for a full list of tools and documents.

The Trusted Standard

While federal agencies must comply with NIST standards, they’re also important for many companies. They are even more critical for companies that handle a lot of data. In a time when threats are constantly evolving, defending teams must always look for ways to stay one step ahead of would-be attackers.

The highest levels of government endorse the NIST framework and trust the standards to protect their organizations, systems, data and people. CISOs need to look no further when they need a framework to establish a new program or strengthen their existing security posture.
