The National Institute of Standards and Technology (NIST) has been advancing science, technology, and public-private adoption of the latest tools and procedures for over a century. Here we'll explore everything you've ever wanted to know about the organization.
Table of Contents
What is NIST?
The short answer is that the National Institute of Standards and Technology (NIST) is a a science laboratory and non-regulatory agency of the United States government tasked with promoting innovation and industrial competitiveness.
NIST initially began as a metrology laboratory, advancing the science and understanding of measurements in 1901. More than a century later, the laboratory programs at NIST have increased in scope and today span advanced technologies including nanoscale science, neutron research, information technology, and more.
Beyond their laboratory efforts, NIST's external partnerships and programs play a key role in fostering growth and development for small and early-stage operations.
The Baldrige Performance Excellence program helps U.S. organizations improve competitiveness and performance by identifying and sharing top management practices, principles, and strategies as well as fostering excellence in the community and cybersecurity risk management.
The NIST Office of Advanced Manufacturing serves to bring together the manufacturing industry, academics, and the government with the goal of advancing manufacturing in the United States. This is achieved by facilitating the adoption of new technologies and training the manufacturing workforce, coupled together this boosts competitiveness.
For 30 years the Manufacturing Extension Partnership (MEP) has dedicated their efforts to small and medium sized manufacturers. With centers in all 50 states, MEP provides manufacturers with necessary resources to grow and thrive in globally competitive market. Industry experts work besides manufacturers to reduce costs, increase efficiency, and identify new markets.
As you can tell, NIST is an essential resource for advancing technology and improving security across industries in the United States. Guidance is expressed through NIST's 800-series of Special Publications which are followed by federal agencies. The government endorses NIST policies and companies often choose to follow them because they are the best security practices regardless of industry.
One of the most commonly followed NIST guidelines is the Cybersecurity Framework which delivers fundamental protocols for organizations to ensure their infrastructure remains secure.
NIST Cybersecurity Framework
NIST's Cybersecurity Framework is a voluntary schema of cybersecurity best practices and risk assessment tools.
When using the framework you will see that it breaks down into three primary components - the core, profiles, and implementation tiers - that compliment your existing cybersecurity practices.
Organizations have successfully used the framework to scope their cybersecurity activities around specific functions; Identify, Protect, Detect, Respond and Recover.
The Cybersecurity Framework is intended to be easily understood by technical and non-technical people alike. The Framework Core achieves this by using straightforward language to describe sets of desired cybersecurity activities and their outcomes.
Organizations are guided by the core on the management and reduction of their cybersecurity risks in a manner that compliments, rather than replaces, their current security and risk management processes.
The Cybersecurity Framework Profiles helps organizations discover opportunities to improve their cybersecurity and provides a means to prioritize those improvements.
These profiles represent an organizations distinct alignment of organizational requirements, appetite for risk, and resources versus the organizations desired outcomes from the framework core.
Implementation Tiers listed in NIST's Cybersecurity Framework can be used as a tool for balancing an organizations risk appetite, mission priorities, and resources.
The tiers, ranging on a scale from 1-4, provide context to the organization on how they view cybersecurity risk management.
NIST Special Publications 800-series
Since 1990, NIST has been producing the 800-series of special publications to address the security and privacy needs of the United States government.
The series includes guidelines, recommendations, and technical specifications generated out of NIST's Information Technology lab.
Determining whether federal agencies are required or encouraged to follow 800-series Special Publications is generally the responsibility of the Office of Management and Budget (OMB).
However, 800-series Special Publications do not apply to national security systems unless they receive the express approval from the appropriate federal officials with authority over said systems.
Non-federal organizations often voluntarily choose to adopt practices from the 800-series, most notably 800-37, 800-53, 800-171. Occasionally, an organization may be contractually obligated to adopt 800-series recommendations as is the case with Special Publication 800-171 and manufacturers doing business with the Department of Defense.
800-171 is a framework outlining how information systems and policies need to be implemented to protect Controlled Unclassified Information.
As with all NIST special publications, 800-171 is comprehensive and understandable for a broad audience. What sets 800-171 apart from other special publications in the 800-series is a new DFARS clause (252.204.7012) which makes following 800-171 a requirement for doing business with the United States government, namely the Department of Defense.
If a manufacturer doesn't implement the procedures and practices outlined in 800-171 they risk losing valuable government contracts.
The Defense Federal Acquisition Supplement (DFARS) builds off of the Federal Acquisition Regulation (FAR) to provide a specific set of rules regarding Department of Defense procurement in the United States.
What does this have to do with NIST?
In October of 2016 the Office of the Under Secretary of Defense for Acquisition announced DFARS Clause 252.204.7012. This clause mandates all DoD contractors and subcontractors to implement NIST Special Publication 800-171 in order to protect defense information that contractors may process or store internally.