5.4 National Institute of Standards and Technology (NIST)

A bureau of the Department of Commerce (DOC), NIST provides Federal standards and technical resources on information security that CISOs use to ensure agencies effectively manage risk, and that OIG uses to evaluate maturity. (CIO Council. CISO Handbook.) OMB and DHS leverage NIST guidance as they develop mandates and initiatives. NIST creates mandatory Federal Information Processing Standards (FIPS) and provides management, operational, and technical security guidelines on a broad range of topics, including incident handling and intrusion detection, the establishment of security control baselines, and strong authentication.

  • NIST publications are collected online in the Computer Security Resource Center (CSRC). NIST develops standards and guidance through a deliberative process with both Federal and civilian input.
  • The Framework for Improving Critical Infrastructure Cybersecurity (referred to as the NIST Cybersecurity Framework) (USDOC. NIST Cybersecurity Framework) provides a common taxonomy and mechanism for organizations to:
    • Describe their current and target cybersecurity postures,
    • Identify and prioritize opportunities for improvement,
    • Assess progress toward their target, and
    • Communicate among internal and external stakeholders about cybersecurity risk.
  • Each agency’s OIG considers FIPS and SPs when evaluating the effectiveness of agency information security programs. NIST encourages tailoring of guidance to agency needs. OIG expects those tailoring decisions and associated risk decisions to be reflected in the organization’s policies, procedures, and guidance.
  • The NIST Risk Management Framework (RMF) (NIST. FISMA Implementation Project) provides a foundational process that integrates security and risk management activities into the system development life cycle and brings many of the NIST documents together into an overall approach to managing risk.
  • NIST’s National Cybersecurity Center of Excellence (NCCoE) is a collaborative hub where industry organizations, Government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues.