Before working cybersecurity, I had no idea what NIST (National Institute of Standards and Technology) was, what risk management frameworks were, who they applied to, or what distinguished one set of standards from another. That changed quickly. If you work in cybersecurity, NIST policies heavily dictate your daily activities. If you are building a risk management program, hopefully, this article will provide some guidance.
Risk Management Frameworks (RMF)
A Risk Management Framework (RMF) is a roadmap and set of instructions used to continually minimize security risks. When it comes to an organization’s digital footprint and those that service IT systems, NIST’s 800 Special Publication series provides an unequivocal source of truth for cybersecurity best practices. This third-party guidance from NIST is used by government programs like FedRAMP and CMMC to certify their constituents.
Here is a quick-hit FAQ and mapping of NIST SP’s to the government programs that rely on them so you can understand what RMF to follow for the certification you’re seeking.
What is NIST?
- The National Institute for Standards and Technology is a non-regulatory agency within the Department of Commerce which helps to develop and publish IT security standards such as 800-53.
Who is NIST 800-53 intended for?
- Federal Government Agencies and their IT systems
- FedRAMP CSP’s (Cloud Service Providers) are required to provide a NIST 800-53 compliant service (plus cloud-specific overlay controls) to Federal agencies
How is NIST 800-53 enforced?
- FISMA - Federal Information Security Management Act of 2002 is legislation that relies on NIST special publications to enforce its mandate.
What sets NIST 800-53 apart?
- NIST 800-53 is the most technical and prescriptive RMF (Risk Management Framework) of the bunch. If you have never thought about security before and face NIST 800-53 compliance requirements, buckle up. It is broken up into 18 control families that dictate everything from the way your systems must be configured to the processes and procedures that make up your organization’s risk management program.
Why does CMMC exist?
- The CMMC (Cybersecurity Maturity Model Certification) program evolved as a more robust response to ineffective cybersecurity measures set out in the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC requires that government contractors protect their Controlled Unclassified Data (CUI) by implementing the NIST 800-171 controls and having them verified by a 3rd Party Assessment Organization (C-3PAO)
Who is CMMC intended for?
- Vendors – Defense department contractors
- Purchasers – Defense Department Agencies
What is NIST 800-171?
- NIST 800-171 is another SP (Special Publication) developed by NIST to standardize how federal agencies define Controlled Unclassified Data (CUI) and the IT security standards for those that have access to it.
Who is NIST 800-171 intended for?
- CMMC requires Government contractors, their third-party vendors, and service providers who store and share classified and unclassified Federal Government data to comply with NIST 800-171 guidance.
How is NIST 800-171 enforced?
- In order to do business with the federal government, the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 now requires that defense contractors show proof of compliance with NIST 800-171
What sets NIST 800-171 apart ?
- Compared to other SPs, NIST 800-171 is more high-level and less prescriptive. Therefore, there is more latitude on behalf of the organization to defend their control environment.
- Each Federal Agency must grant an Authority To Operate (ATO) to utilize a CSP. The FedRAMP program provides authorized cloud services which Federal Agencies can browse and select from an online marketplace. If a CSP is on the FedRAMP marketplace, then an Agency shopping for a particular technology can be assured that the CSP has complied with the NIST 800-53 RMF with additional overlay controls
Who is FedRAMP intended for?
- Vendors - Any Cloud Service Provider (CSP) who sells SaaS, PaaS, or IaaS products to the United States Federal Government.
- Purchasers – United States Federal Government
Compliance with a NIST RMF at your organization is voluntary unless you are a Federal Government agency or working with the Federal Government. That said, I would highly recommend striving for NIST compliance because it is the foundation that all major regulatory bodies adhere to. If you can prove you are compliant with all the major NIST publications, you will not have any problems satisfying an audit later down the road.
If you need an experienced cybersecurity consultant to assess your cybersecurity posture and advise you on your security program, MindPoint Group is here to help you. We are a cybersecurity consulting company with 11 years of experience helping Federal Government Agencies deploy secured software solutions on-premise and in the cloud. Contact us to learn more.