All companies strive to protect their data and their customers’ data.
Not only is this critical from a customer relationship standpoint, it’s also crucial from legal and reputation perspectives. Companies have a duty to keep confidential information — whether it be personally identifiable information (PII), intellectual property, or other sensitive data — safe and secure. This is particularly true for companies that pursue government contracts and come in close contact with classified (or controlled but unclassified) information.
So how do companies know they are covering all of their bases? By becoming NIST compliant.
The U.S. Department of Commerce has laid out all the requirements for a modern security program via the National Institute of Standards and Technology (NIST). NIST publishes guidelines that help organizations follow cybersecurity best practices, improving their resiliency and decreasing business disruption in the event of a cyberattack or data breach.
NIST is a non-regulatory body, so it does not offer certifications. However, government contracts have built-in clauses to ensure companies and agencies follow these NIST guidelines. Plus, many enterprise-level organizations only engage with companies that can demonstrate NIST compliance.
This guide will explain which companies must abide by NIST guidelines, the differences between NIST and other compliance standards, and how to prepare for a NIST compliance audit.
Who Needs to Be NIST Compliant?
All federal government agencies, contractors, and subcontractors touching government data must be NIST compliant. Some examples of contracted companies include:
- Consulting firms
- Manufacturers
- Staffing firms
- Academic institutions
- Other service providers
Although NIST isn’t required for companies that don’t contract with the government, many private and public companies see NIST frameworks as the gold standard for cybersecurity and use them to pave the way to other compliance regulations like HIPAA, SOX, or GDPR.
What Are the Consequences of Non-Compliance with NIST?
Failure to comply with NIST could result in a stop-work order, non-renewal, or even immediate termination. There’s also potential legal exposure. If, after an investigation, an agency discovers damages, you could be monetarily liable for repairing them. Failure to demonstrate compliance could result in being charged with criminal fraud for misrepresentation.
Being involved in any of these scenarios could greatly tarnish your company’s reputation, preventing you from working with any other government agencies. A breach or other data security issue can cause serious legal and reputational harm for any organization, even those that aren’t government contractors.
NIST Compliance Standards vs. Other Compliance Standards
NIST is a common security framework, but it’s not the only one. ISO, CIS, SOC 2, and COBIT are all legitimate ways of bolstering an organization’s security posture and serve as excellent supplements to NIST best practices.
NIST vs. ISO
The International Organization for Standardization (ISO) is an internationally recognized security framework for technology and business operations and has existed since 1947. ISO spans a range of areas, from employee management to product development to service delivery.
Like NIST, ISO takes a risk-management approach to security. ISO advocates that IT admins and security teams build an Information Security Management System (ISMS) to identify existing risks, maintain comprehensive controls, and update policies in accordance with new threats and new technology.
But unlike NIST, ISO is mandatory — independent auditors review ISMSs and verify compliance with ISO requirements. So starting with NIST helps companies build the habits and routines that position them to take on ISO’s more rigorous requirements.
NIST vs. CIS
CIS Critical Security Controls (CIS Controls) are suggested activities and benchmarks for cyber defense created by the Center for Internet Security (CIS). CIS defines 20 controls that help organizations prevent cyberattacks and prepare for potential ones.
CIS compliance is voluntary. The key benefit of CIS is prioritizing risk and defense, allowing organizations to direct resources to the most essential actions.
In many ways, NIST and CIS are complementary — NIST actually references CIS as a useful framework in their materials. Many companies that leverage NIST embrace CIS as well.
NIST vs. SOC 2
If you work at a software-as-a-service (SaaS) company, you’ve probably heard of SOC 2: it’s important for many startups trying to penetrate the enterprise market.
Formally, System and Organization Controls 2 (SOC 2) is a compliance framework built specifically for service-based companies that manage other companies’ data. SOC 2 compliance is especially important for SaaS companies — customers want proof that their data is:
- Stored securely
- Readily available when it needs to be accessed
- Processed with integrity
- Kept confidential
- Handled with privacy in mind
SaaS companies must undergo a SOC 2 audit to demonstrate compliance with SOC 2 standards. A third-party firm evaluates the organization’s internal controls related to security, availability, processing integrity, confidentiality, and privacy.
Because many of those controls intersect with NIST, companies that adhere to the NIST framework already have a solid foundation for the additional controls they need to obtain SOC 2 compliance.
NIST vs. COBIT
Control Objectives for Information and Related Technology (COBIT) was developed by the Information Systems Audit and Control Association (ISACA) to improve IT governance and data infrastructure integrity. COBIT is split into four operational categories:
- Planning and organization
- Acquisition and implementation
- Support and delivery
- Monitoring and evaluation
Each of these categories encourages IT administrators to evaluate the weak points in their infrastructure while streamlining their workflow and organizational communication. COBIT is praised for its efficiency and ease of adoption but is more simplistic than NIST or other models.
NIST and Cybersecurity Maturity Model Certification (CMMC)
Unlike NIST, Cybersecurity Maturity Model Certification is a security framework that organizations must meet in order to work with the Department of Defense.
CMMC has a heavy emphasis on protecting controlled unclassified information (more on that later) and is made up of five different maturity levels. Organizations need to pass each one via third-party review before proceeding to the next. The technical demands of CMMC are primarily related to:
- Physical protection and employee security
- Identity and authentication
- Access control
- Audit and accountability
- Configuration management
- System integrity
- Media protection
There is a significant overlap between NIST and CMMC. But historically, CMMC levels have been more challenging to meet, forcing organizations to implement more advanced tactics to thwart potential threats. Organizations that attain CMMC certifications are very close to or are already in compliance with NIST.
What Is NIST SP 800-53?
NIST SP 800-53 standards are a list of controls that secure user access and identity across an enterprise. More specifically, NIST SP 800-53 has roughly 1,000 controls under several control families, such as:
- Access control
- Incident response
- Continuity
- Disaster recovery
To maintain NIST SP 800-53 compliance, organizations must:
- Take stock of their sensitive data. Knowing where confidential data is used and stored helps companies take the right precautions to prevent cyberattacks and insider threats and address incidents quickly when they arise.
- Review access permissions. Understanding who has what level of access to internal servers, cloud services, and other applications can help admins reduce the number of people who can view, edit, and share sensitive information.
- Manage access appropriately. Adjusting permissions is only the first layer of security. IT and security teams should also consider mandating multi-factor authentication (MFA) or using a VPN to ensure that the right people access the right applications in the right ways.
- Track data activity. Keeping a close eye on all data transfer, data download, and file-sharing activity can surface suspicious trends, allowing IT and security teams to respond to incidents in a timely manner.
NIST SP 800-53 is not required for non-government organizations but is still highly recommended for companies of any size to protect their data and their customers’ data.
What Is NIST SP 800-63?
NIST Special Publication 800-63 sets out best practices for identity and access management. NIST SP 800-63 offers guidelines regarding:
- Authentication
- Federation
- Privacy
- Identity proofing
- Equitable access
A significant component of NIST SP 800-63 outlines protection policies for “memorized secrets” — commonly known as passwords. Some of these guidelines include:
- Providing user instructions but not password hints
- Removing composition or expiration requirements
- Enforcing minimum character length
- Using a randomized method for auto-generated passwords
- Limiting the number of allowed authentication attempts
By following NIST SP 800-63, organizations give their employees more flexibility in choosing passwords and reduce password reuse, which limits potential fraud and advanced threats.
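As an added illustration (not code from the original article or from JumpCloud), here is a small Python verifier that applies the memorized-secret guidance above: a minimum and maximum length, a blocklist check instead of composition rules, a CSPRNG for auto-generated secrets, salted iterated hashing for storage, and a cap on consecutive failed attempts. The numeric limits (8 and 64 characters for user-chosen secrets, 6 for generated ones, 100 failed attempts) are the SP 800-63B values as I understand them, and the blocklist is a constructed sample.

```python
import hashlib
import secrets
import string
import unicodedata
from collections import defaultdict

MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B: user-chosen secrets >= 8 chars; verifiers accept >= 64
MAX_FAILED = 100           # SP 800-63B: cap on consecutive failed attempts per account
# Constructed sample blocklist; a real verifier loads a corpus of breached/common passwords.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1"}

def check_memorized_secret(secret: str) -> list:
    """Reasons to reject a user-chosen secret (empty = accepted): length and blocklist only,
    deliberately no composition rules, no hints and no periodic expiry."""
    s = unicodedata.normalize("NFKC", secret)   # same secret from any keyboard compares equal
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if s.lower() in BLOCKLIST:
        reasons.append("on the compromised/common password blocklist")
    return reasons

def generate_secret(length: int = 6) -> str:
    """Randomly generated secret from a CSPRNG; 800-63B allows >= 6 characters for these."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, iterated hash as 800-63B requires for stored memorized secrets
    return hashlib.pbkdf2_hmac("sha256", unicodedata.normalize("NFKC", secret).encode(), salt, 100_000)

class Verifier:
    """Stores salted hashes and locks an account after max_failed consecutive failures."""
    def __init__(self, max_failed: int = MAX_FAILED):
        self.max_failed = max_failed
        self.records = {}                 # user -> (salt, hash)
        self.failed = defaultdict(int)    # user -> consecutive failed attempts
    def enroll(self, user: str, secret: str) -> list:
        reasons = check_memorized_secret(secret)
        if not reasons:
            salt = secrets.token_bytes(16)
            self.records[user] = (salt, _hash(secret, salt))
        return reasons
    def verify(self, user: str, attempt: str) -> bool:
        if user not in self.records or self.failed[user] >= self.max_failed:
            return False                  # unknown user or locked account: no hashing, no reset
        salt, stored = self.records[user]
        ok = secrets.compare_digest(stored, _hash(attempt, salt))
        self.failed[user] = 0 if ok else self.failed[user] + 1
        return ok
```

The lockout counter resets only on a successful verification, so a locked account stays locked until an administrator clears it (not shown here).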
What Is NIST SP 800-171?
NIST SP 800-171 helps organizations safeguard sensitive controlled unclassified information (CUI). CUI could include intellectual property like product roadmaps or patents, data guiding a new global strategy, or personally identifiable information (PII). In a government setting, these types of data may not be classified but should remain confidential and protected from any form of attack — even a physical one.
Even organizations that don’t contract with the government abide by NIST SP 800-171 to avoid data leaks that could lead to competitive disadvantages, lawsuits, and, ultimately, lost revenue. In total, NIST SP 800-171 has over 100 requirements corresponding to an organization’s tech stack and infrastructure.
The process for achieving NIST SP 800-171 compliance is similar to that for NIST SP 800-53: first identify existing CUI, categorize it, evaluate access, monitor audit trails, and evangelize cybersecurity policies across the organization.
How Do I Prepare for a NIST Compliance Audit?
Preparing for NIST compliance audits can seem overwhelming, but the process comes down to three steps: assessing your current state, setting goals, and making a plan.
- Evaluate your current state. Understanding where you’re at with your security infrastructure can help inform where you need to go. With a list of NIST requirements in front of you, ask yourself questions like:
  - What controls exist?
  - What controls are missing?
  - What are the company’s main security challenges?
  - Has the organization made significant changes to the tech stack?
  Doing this deep dive can help you determine your level of maturity. For example, if you’re on the advanced side, you might be ready to tackle one of the NIST special publications.
- Identify your compliance goals. Now think about where your company is going. Is it growing rapidly, or are you in more of a maintenance mode? Perhaps you’re looking to level up your security practices to other NIST special publications or other compliance standards. Getting these goals down on paper can help you narrow your focus.
- Create a plan. NIST is relatively easy to follow, but it helps to create your own step-by-step plan. Chopping up the project into more manageable chunks can help with accountability, keep everyone on track, and decrease the chances of going over budget. In the next section, we’ll explain how to formulate a standardized plan based on the NIST Cybersecurity Framework.
- Consider training internal auditors. Practicing an audit internally can help achieve a more successful result.
How Do I Develop a NIST Compliance Plan?
IT and security teams don’t have to create NIST compliance plans from scratch — NIST’s five core functions serve as a useful jumping-off point. By addressing all five functions, organizations can ensure FISMA compliance, a must-have for contracting with government agencies.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is a set of voluntary security guidelines that prepare companies for government work by meeting Federal Information Security Management Act (FISMA) demands. However, many companies that don’t partner with government organizations have adopted NIST CSF to protect critical infrastructure.
The 108 controls of NIST CSF are repeatable, cost-effective, and scalable and fall under five core areas: identify, protect, detect, respond, and recover.
- Identify: This stage is all about examining existing threats and revealing new ones. These risks could be hidden in your systems, your data, or your product capabilities, so NIST encourages companies to thoroughly review their supply chain, office environment, and cloud and on-prem systems.
- Protect: You can then develop suitable safeguards, like MFA, identity management solutions, restricted access, and other data security measures.
- Detect: Conducting a thorough review of your existing threats is not enough. New risks are always popping up, and companies need to be able to detect them quickly. At this stage, you should consider implementing a continuous monitoring system or reassessing the one you have — it should help to detect suspicious activity and anomalies in real time.
- Respond: Your IT and security teams must follow a standardized incident response plan. This plan should address the technical element of incident mitigation and include in-depth analysis to collect and apply learnings to future infrastructure improvements.
- Recover: You should have a plan for restoring capabilities and minimizing disruption to the business. This strategy should involve response tactics, customer and investor communications, and, again, finding opportunities for improvement.
Your company should have a comprehensive plan and corresponding policies to address the core components above. In doing so, you’ll be able to:
- Know which assets need further protection
- Surface previously unknown vulnerabilities
- Prioritize risks
- Respond to those risks and prevent new risks from arising
NIST and FISMA Compliance
FISMA mandates government agencies and companies contracting with the government to have a strong information security program. FISMA is directly linked to NIST CSF — following the frameworks helps companies reach FISMA compliance.
More specifically, NIST CSF sets companies up to meet multiple FISMA requirements, such as:
- Creating and updating an information systems inventory
- Developing a system security plan
- Adding security controls, like those outlined in NIST SP 800-53
- Performing regular risk assessments
- Having a continuous monitoring system
- Securing applications and data from unauthorized transfer, destruction, or modification
- Ensuring availability, confidentiality, and integrity of sensitive data
Companies wanting to be FISMA compliant should start to lay the groundwork with NIST CSF.
JumpCloud and NIST Compliance
Data security is becoming an increasingly important issue. And without the right tools and frameworks, companies won’t be prepared to interact with the federal government or win contracts with enterprise companies.
Achieving NIST compliance is a necessary step toward building a robust security posture, and it’s an ongoing exercise. IT managers and security admins need to take precautions to ensure their company’s information stays safe — from insiders and outsiders.
Eager to learn more about how you can bolster your security? Download our data compliance guide to see where you are in your security journey and where you need to go to reach NIST compliance.