NIST Special Publications (SP) 800-Series

Summary

The NIST SP 800 series is a set of special publications that describe United States federal government computer security policies, procedures, and guidelines. This grouping of special publications is NIST’s most applicable set of documents for cybersecurity.

Overview (of a few SPs)

NIST’s SP 800 series contains industry-leading recommendations including risk management frameworks, security requirements, and security controls. Below is a collection of some of the more well-known SPs.

  • NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)
    • It’s mandatory for federal agencies, but other organizations can use it as well to design a strong security program.
    • The NIST 800-53 framework provides a number of different controls and guidance across multiple security and access control families, selected under a baseline of impact. These baselines are separated into High, Moderate, and Low impact. The controls are then designated across 20 security and control families:
      • AC (Access Control), AT (Awareness and Training), AU (Audit and Accountability), CA (Assessment, Authorization, and Monitoring), CM (Configuration Management), CP (Contingency Planning), IA (Identification and Authentication), IP (Individual Participation), IR (Incident Response), MA (Maintenance), MP (Media Protection), PA (Privacy Authorization), PE (Physical and Environmental Protection), PM (Program Management), PL (Planning), PS (Personnel Security), RA (Risk Assessment), SA (System and Services Acquisition), SC (System and Communications Protection), and SI (System and Information Integrity).
  • NIST SP 800-30 (Guide for Conducting Risk Assessments)
    • SP 800-30 provides guidance for conducting risk assessments in accordance with the NIST framework’s recommendations and standards.
    • 800-30 is specifically used to translate cyber risk into terms that the Board and CEO can understand. It provides a common language between technical and business leadership, which helps both parties make more informed budgeting decisions (and assists in making targeted choices on how to implement cybersecurity initiatives).
  • NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems)
    • SP 800-34 provides instructions, recommendations, and considerations for government IT contingency planning.
  • NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)
    • This document describes the role of security categorization in the NIST risk management framework and in the certification and accreditation process.
    • Each organization should establish a formal process to determine the system-level security category, which is the first step in meeting information security requirements and establishing reliable security procedures.
  • NIST SP 800-61 (Computer Security Incident Handling Guide)
    • This SP assists organizations in mitigating the potential business impact of information security incidents by providing practical guidance on responding to a variety of incidents effectively and efficiently.
  • NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
    • 800-115 is an overview of the key elements of security testing.
    • It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies.
  • NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
    • Any organization that processes (or stores) sensitive, unclassified information on behalf of the US government is required to be compliant with the security standards of SP 800-171. By requiring best-practice cybersecurity processes from government contractors, the resilience of the whole federal supply chain is strengthened.
    • It could also be utilized by non-federal departments or companies.
  • NIST SP 800-37 (Risk Management Framework, or RMF)
    • SP 800-37 provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.
    • Related article: NIST Risk Management Framework (RMF).

  • NIST SP 800-137 (InfoSec Continuous Monitoring (ISCM) for Federal Information Systems and Organizations)
    • The purpose of this ISCM guideline is to assist organizations in developing a continuous monitoring strategy and implementing a continuous monitoring program that provides visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls.
    • Following ISCM’s guidelines provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance, as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.
  • NIST SP 800-40 (Guide to Enterprise Patch Management Planning)
    • Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.
      • Patching is more important than ever because of the increasing reliance on technology, but there is often a divide between business/mission owners and security/technology management about the value of patching.
      • This publication frames patching as a critical component of preventive maintenance for computing technologies: a cost of doing business and a necessary part of what organizations need to do in order to achieve their missions.

Source: https://csrc.nist.gov/publications/sp800


This post is licensed under CC BY 4.0 by the author.