NIST Special Publication 800-171 For Higher Education - Deloitte


A report by the Deloitte Center for Higher Education Excellence

NIST Special Publication 800-171 for higher education

A guide to helping colleges and universities comply with new federal regulations

ABOUT EDUCAUSE

EDUCAUSE (www.educause.edu) is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. Technology, IT roles and responsibilities, and higher education are dynamically changing. Formed in 1998, EDUCAUSE supports those who lead, manage, and use information technology to anticipate and adapt to these changes, advancing strategic IT decision-making at every level within higher education. A global nonprofit organization, EDUCAUSE members include US and international higher education institutions, corporations, not-for-profit organizations, and K-12 institutions. With a community of more than 85,000 individual participants located around the world, EDUCAUSE encourages diversity in perspective, opinion, and representation. The EDUCAUSE Cybersecurity Program offers a number of resources to help colleges and universities develop and mature their information security and privacy programs.

ABOUT DELOITTE’S CENTER FOR HIGHER EDUCATION EXCELLENCE

Higher education institutions confront a number of challenges, from dramatic shifts in sources of funding resulting from broader structural changes in the economy, to demands for greater accountability at all levels, to the imperative to increase effectiveness and efficiency through the adoption of modern technology. Deloitte’s Center for Higher Education Excellence produces groundbreaking research to help colleges and universities navigate these challenges and reimagine how they achieve excellence in every aspect of the academy: teaching, learning, and research. Through forums and immersive lab sessions, we engage the higher education community collaboratively on a transformative journey, exploring critical topics, overcoming constraints, and expanding the limits of the art of the possible.

CYBERSECURITY FOR COLLEGES AND UNIVERSITIES

Deloitte is a market leader in designing and deploying cybersecurity, compliance, and transformational solutions. We also bring a deep understanding of higher education, based on more than 90 years of serving colleges and universities, and combine that with the extensive experience in our Federal practice obtained from implementing relevant cybersecurity standards. As a result, we offer an unparalleled ability to effectively interpret NIST SP 800-171 requirements and design and deploy federally compliant systems and processes that address the specific needs of our higher education clients.

COVER IMAGE BY: ALEX NABAUM

CONTENTS

Introduction 2
Meet NIST Special Publication 800-171 3
The current state: Where colleges and universities are now 6
Getting from here to there: A road map for compliance 8
Recommended reading 11
Endnotes 12

Introduction

In order to address increasing cyber risk and comply with new government regulations, colleges and universities that enter into contracts with federal agencies must give heightened attention to their cybersecurity measures. The last decade has seen a significant rise in the number of cyber incidents affecting federal agencies: Between fiscal years 2006 and 2015, agencies reported cyber incidents increasing over 1,300 percent, from 5,500 annually to more than 77,000.1 And given the volume of sensitive federal information that agencies share with third parties—including colleges and universities—the government has strengthened its requirements for safeguarding a broad set of controlled unclassified information (CUI).

In July 2017, Deloitte and EDUCAUSE convened an expert panel to discuss the implications for higher education institutions in protecting CUI received from the federal government in institutional information technology systems. Members of the panel shared their insights about CUI data protection requirements and their approaches to achieving compliance with those requirements. This article provides a high-level summary of their discussion as well as a road map for compliance activities.

Meet NIST Special Publication 800-171

For many leaders in institutions of higher learning, getting information security under control is about to become critical to funding and more. Whether a college or university has many large government research contracts or one small contract, it will need to comply with the requirements laid out in National Institute of Standards and Technology (NIST) Special Publication 800-171. These requirements are designed to protect the confidentiality of CUI residing in nonfederal systems. (See sidebar, “The legal basis for protecting controlled unclassified information.”)

CUI can be any data received from the federal government that is not designated as classified; this can include but is not limited to:

• Controlled technical information
• Patent information
• Export control data
• Research data
• Engineering data and drawings
• Agricultural data
• Privacy
• Health records
• Financial information (on, for example, student loans)
• Student records
• Genetic data

The Defense Federal Acquisition Regulation Supplement 252.204.7012 establishes NIST 800-171 as the minimum security standard for protecting both CUI and covered defense information (CDI) associated with defense-related contracts. The Federal Acquisition Regulation (FAR) clause, with expected publication in late 2017, is also anticipated to apply NIST 800-171 standards to protect CUI associated across a broader set of civilian contracts.2 Higher education institutions will face contractual requirements—most likely associated with federal grants, research contracts, and other transactions in which the institution receives data from the federal government—that will mandate compliance. In 2016, the US Department of Education communicated its intention to make student financial data subject to NIST 800-171 controls in the future and encouraged institutions to conduct a gap analysis between their current security measures and NIST 800-171 requirements.3

Institutions receiving defense contracts with provisions for CUI must comply by December 31, 2017. Institutions are already seeing provisions

The protection of controlled unclassified information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.
— NIST Special Publication 800-171

about the new standards inserted into defense contracts, and defense agencies are adding no-cost change orders to existing defense contracts, requiring NIST 800-171 compliance. For all others, the FAR clause may publish as soon as December 2017.

Given these changes, traditional approaches to cybersecurity in higher education are no longer adequate. While colleges and universities must already deal with a great many government regulations and reporting requirements, NIST 800-171 demands special attention. Institutions that do not comply risk losing federal funding for research and, potentially, financial aid, while those that take a proactive stance stand to gain a competitive advantage. Deadlines for developing a plan of action are rapidly approaching, with the first compliance attestations for defense contracts due at the end of 2017.

To get started down the path to compliance, institutions will first need to understand the challenges that the new standard presents and then chart a course for achieving and sustaining compliance. By drawing on the experiences of institutions further down the NIST 800-171 path, we aim to offer a road map to help institutions comply with the new requirements.

THE LEGAL BASIS FOR PROTECTING CONTROLLED UNCLASSIFIED INFORMATION

In 2010, the White House issued Executive Order 13556, defining CUI. The purpose of the executive order was to gather various information categories—those that required additional protection from disclosure but were not otherwise considered classified information—into a single definition of protected information for all federal agencies. The executive order placed the National Archives and Records Administration in the role of creating a registry of information and handling requirements for the newly defined CUI classification.

As CUI information is often shared among federal agencies and with nonfederal organizations, data handling requirements were needed for the newly defined data type. Charged with creating that guidance, the National Institute of Standards and Technology published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015 (and updated it in January 2016). The requirements outlined in NIST 800-171 apply to CUI that the federal government shares with a nonfederal entity.

The requirement to protect CUI according to a prescribed set of rules is contractual in nature, meaning that nonfederal agencies must scrutinize their contracts with federal agencies and must understand whether any data they receive from a federal agency is classified as CUI. In most instances, federal procurement rules will incorporate the contractual clauses requiring CUI protection. For instance, US defense agencies moved quickly to create a procurement rule that specified that NIST 800-171 is the minimum security standard for protecting any CUI received from defense agencies.

Federal civilian agencies have moved more slowly. While a Federal Acquisition Regulation regarding general data safeguarding came out in 2016 (FAR 52.204-21), the federal government has not yet released a rule mandating that nonfederal agencies protect CUI data received from the government at NIST 800-171 levels. However, a Notice of Proposed Rulemaking was issued in July 2017 stating that a CUI FAR rule would be released in December 2017 and would be open for comment until February 2018, with a final FAR rule to be released shortly thereafter.4 Until that FAR rule is promulgated, contracts with non-defense federal agencies must specifically reference NIST 800-171 for its requirements to apply to the underlying contract (and associated CUI data).

The current state: Where colleges and universities are now

Institutions have made varying degrees of progress on NIST 800-171 compliance. While college and university CIOs and CISOs are generally aware of the standard, this awareness hasn’t necessarily translated into progress. Many institutions are still working out how to get started and get everyone on board. Other institutions, notably those that receive significant defense research funding, are much further down the path.

In addition, many institutions are not beginning from a common starting point. Institutions that previously built their information security program to a higher standard such as NIST 800-53 have a head start on compliance, whereas 800-171 can represent a much more significant lift for those that haven’t built to any standard. For institutions in the latter group, the process ahead will include taking stock of what’s already in place, what the new regulations require, and filling in the gaps.

Colleges and universities are also working through how NIST 800-171 will impact their institutional research strategies. Some institutions, for example, view achieving compliance as a potential source of competitive advantage that will help bring in more federal research funding, which, in turn, can help them attract top researchers.5 Others are stepping back and charting a more conservative path forward, weighing the impact of NIST 800-171 and its associated costs against their institution’s desire to build up its research capacity and classification.6

Overcoming the top challenges

Compliance with the spirit of NIST 800-171 goes well beyond technological solutions. To achieve and sustain compliance, it’s necessary to take a programmatic approach that encompasses, among other things, organizational change management, training, end user adoption, and process controls. The challenges that institutions face in progressing toward compliance include a lack of executive and board-level attention, significant cultural barriers, and governance coordination.

Lack of executive and board-level attention: While most CIOs and CISOs are aware of NIST 800-171, it is not yet on the radar of many institutional leaders or boards of trustees, largely because the issue has been cast as one of merely implementing a set of technical information security controls. To gain traction with institutional leaders, the conversation must be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out. To the extent this is done effectively, resources should follow.

Cultural barriers: Colleges and universities have always enjoyed a culture of openness and sharing. If an American researcher is building on research done by a colleague in another country, it’s normal for the two to talk, share information, and even collaborate. Institutional leaders, many of whom rose through the ranks of academia, understand and value this time-honored practice. Outside of defense-related research, the cultural tradition of openness is antithetical to the spirit of protection that NIST 800-171 calls for, and the principal investigator community and others may therefore resist the changes that the standard requires. To pave the way forward, leaders should stress the need for enhanced security while maintaining a federated model for data sharing and access. Institutions should also develop an effective organizational change-management strategy.

Governance coordination: In many institutional settings, responsibility for ensuring contractual compliance lies with the research division. However, as demands grow to comply with International Traffic in Arms Regulations, the Health Insurance Portability and Accountability Act, and other standards, as well as with NIST 800-171, it is no longer effective or economical to do this work in a decentralized manner when there are many research entities that lack the internal capacity to perform compliance. An institutional, enterprise-level solution is needed, as is a central authority to assess and certify data and access compliance.

Getting from here to there: A road map for compliance

Institutions approach NIST 800-171 from vastly different circumstances, including the current maturity of their information security programs, the makeup of their research funding portfolio, the structure of their IT programs, and the complexity of their governance processes. As a result, what it takes to achieve compliance will vary widely from institution to institution. That said, there is a common set of activities that all institutions will need to undertake on their path to compliance.

To begin, a college or university should form a working group with representatives from academics, administration, and research; the group should have top-down support and the sustained engagement of leadership. Take Virginia Tech’s NIST 800-171 working group, for example: The institution’s working group includes senior-level representatives from across the university’s IT departments, as well as the university’s bursar and registrar, and is jointly sponsored by the university’s VP for research and innovation and the VP for information technology.7

Once formed, the working group should undertake the following five phases of work to manage compliance requirements (see figure 1):

Analyze the impact and scope

–– Determine the applicable contracts and identify data (including student financial data, which may be subject to NIST 800-171 controls in the future) that must be controlled. The level of effort here will be affected by the size and structure of the institution: A smaller institution with a centralized contract/research office will be easier to manage than a large system with decentralized responsibilities over contracting, research, and so forth. Review the contracts to find language related to compliance requirements and references to the data covered. Key questions include the following: What percentage of your institution’s current research portfolio is affected by NIST 800-171 requirements? What funding is at stake?

–– Determine the value of receiving and using applicable data: How does it affect critical operations and research? What would happen if the institution were to stop receiving it? This step is important to justify any additional investment. At this stage, some institutions will need to formulate a preliminary estimate of impact and the cost to comply, and communicate that to senior leadership.

Assess the current state of security

–– Understand where CUI data resides (in on-premise campus systems and in cloud systems) and how it’s processed (from the point of receiving through the life cycle): Based on the flow of covered data, understand the security measures already in place to comply with other regulations and standards. This will require getting input from the owners of relevant data and processes, as well as from IT and security representatives. At this point, some institutions may find that they have many controls that meet or exceed NIST 800-171 standards. Others may realize there is significant work ahead and should perform a gap analysis.

–– Perform a gap analysis against NIST 800-171 standards, as needed. Start by interpreting what NIST 800-171 requires and developing a conceptual framework of controls to address standards and compliance. Next, do a crosswalk with any existing standards and regulations that impact the flow of covered data. Once this is done, compliance with any outstanding items in the framework needs to be reviewed. At the conclusion, undertake an updated assessment of impact (specifically on the time, resources, and funds needed to achieve compliance) and communicate the results to senior leadership. As costs become clearer, further decisions on costs and benefits can be undertaken. Some institutions may opt to decline select contracts to avoid undertaking measures to comply.

Develop a plan to achieve compliance and mitigate existing gaps

–– Define roles and responsibilities to achieve and maintain compliance: Based on the assessment’s findings, formalize roles and responsibilities to address gaps (using a plan), and maintain any controls going forward.

–– Develop a plan of action to implement gap-fix measures with reasonable milestones.

Figure 1. A road map for NIST 800-171 compliance

[Figure: five phases shown as a sequence: (1) Analyze the impact and scope; (2) Assess the current state of security; (3) Develop a plan to achieve compliance and mitigate existing gaps; (4) Establish responsibilities and efficient processes to achieve sustained compliance over the long haul; (5) Employ third parties to provide a thorough review of current practices across the entire academic enterprise. The activities under each phase are those listed in the text.]

Source: Deloitte analysis.

It will be important to lock in appropriate financial and leadership support to realistically achieve milestones and to maintain new controls over the long term. The plan must look beyond technical fixes and consider process and governance-related impacts. At this point, institutions should consider funding models needed to achieve and maintain compliance over the long term. Existing security budgets are unlikely to be sufficient to cover these costs. Furthermore, as the institution pursues new federal contracts, each contract should be closely scrutinized and its compliance cost assessed.

Establish responsibilities and efficient processes to achieve sustained compliance over the long haul

–– Deploy communications and training: Based on the institution’s plan of action and milestones, identify additional parties affected and engage them in communications and training based on requirements.

–– Conduct ongoing self-assessments: Put a process in place to continually track updates and to assess the ongoing effectiveness of existing controls. Additional gaps may arise based on new contracts and/or changes to the regulations.

–– Put a process in place for continuous improvement: Compliance will be an ongoing process warranting continuous improvement. As new technology arises, consider how it can be applied to more efficiently and effectively address control requirements within the framework of controls an institution has adopted. Existing solutions can help streamline compliance efforts. Many organizations are adopting governance, risk management, and compliance tools that map out regulations and control requirements and can offer dashboards, giving senior leadership visibility into how risks and compliance requirements are being addressed. Because colleges and universities face numerous regulations, it is a good idea to take an enterprisewide approach to compliance with support from technology. This approach is in line with leading practices in commercial enterprises.

Employ third parties to provide a thorough review of current practices across the entire academic enterprise

–– Undertake an independent review of current practices. A third-party evaluation can identify an institution’s blind spots; it can also help gain executive and board-level support for addressing any gaps that the review may reveal.

Looking ahead

Up to now, many institutions have struggled to understand how to right-size their institution’s security posture, asking, “Are we too strict?” or, “Are we at risk?” While compliance with NIST 800-171 is not without its challenges, the standard sets a common bar for the industry and helps institutions determine whether their security measures are appropriate.

Recommended reading

EDUCAUSE is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. The EDUCAUSE Cybersecurity Program offers a number of resources to help colleges and universities develop and mature their information security and privacy programs. Recommended readings pertaining to the topic of this report include:

• EDUCAUSE, An Introduction to NIST Special Publication 800-171 for Higher Education Institutions (April 2016)
• EDUCAUSE, Information Security Program Assessment Tool (last updated September 2017)
• EDUCAUSE, Digital Capabilities in Higher Education 2016, Information Security Report (forthcoming October 2017)
• Common Solutions Group, NIST SP 800-171 Compliance Template (September 2016)

ENDNOTES

1. Gregory C. Wilshusen, “Federal information security: Actions needed to address challenges,” testimony before the President’s Commission on Enhancing National Cybersecurity, September 19, 2016.
2. Office of Information and Regulatory Affairs, “Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI),” accessed October 18, 2017.
3. US Department of Education, Office of Student Financial Aid, “Protecting student information,” July 1, 2016.
4. Office of Information and Regulatory Affairs, “Federal Acquisition Regulation.”
5. Deloitte EDUCAUSE working group, July 2017.
6. Ibid.
7. David Brady and T. J. Beckett, “New process and regulations for controlled unclassified information,” Virginia Tech, April 19, 2017.

ABOUT THE AUTHORS

Tiffany Dovey Fishman
Tiffany Dovey Fishman is a senior manager with the Deloitte Center for Higher Education Excellence, responsible for higher education research and thought leadership for Deloitte’s higher education practice. She is on LinkedIn at www.linkedin.com/in/tiffany-fishman-4646133/ and on Twitter @tdoveyfishman.

Richard Rudnicki
Richard Rudnicki is a specialist leader with over 15 years of experience in the Deloitte & Touche Cyber Risk practice, focused on delivering cyber risk and regulatory compliance solutions to clients, with a focus on higher education and the public sector. He is on LinkedIn at [link missing from the page].

Joanna Lyn Grama
Joanna Lyn Grama directs the EDUCAUSE Cybersecurity Initiative and the IT GRC (governance, risk, and compliance) program. She is a member of the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. She is on LinkedIn at www.linkedin.com/in/joannagrama and on Twitter @runforserenity.

ACKNOWLEDGEMENTS

In summer 2017, Deloitte and EDUCAUSE convened an expert panel to discuss the implications for higher education institutions in protecting CUI received from the federal government in institutional IT systems. Deloitte and EDUCAUSE extend their thanks to the following working group members: Ahmed El-Haggen, CIO and VP for information technology, Coppin State University; Patrick Feehan, information security and privacy director, Montgomery College; Cathy Hubbs, chief information security officer, American University; Randy Marchany, information technology security officer, Virginia Tech; Ed Martin, deputy chief information officer, George Washington University; and Scott Midkiff, CIO and VP for information technology, Virginia Tech.

Deloitte and EDUCAUSE also wish to extend their thanks to Timothy D. Sands, president of Virginia Tech, and David Swartz, vice president and CIO of American University, who were interviewed as a part of this project.

This project would not have been possible without the leadership of Dave Noone. Thanks also go to Susan Grajek, Cole Clark, Allison Eng-Perez, Betty Fleurimond, Justin Williams, Michael Wyatt, Srini Subramanian, and Devin Amato.

CONTACTS

Betty Fleurimond
Managing director, higher education
Deloitte Services LP
1 202 492 1453

Justin Williams
Senior manager
Deloitte & Touche LLP
1 346 224 (number truncated on the page)

Michael Wyatt
Principal
Deloitte and Touche LLP
1 512 771 8062
miwyatt@deloitte.com

Joanna Lyn Grama
Director of cybersecurity and IT GRC programs
EDUCAUSE
1 720 406 6769
jgrama@educause.edu

Richard Rudnicki
Specialist leader
Deloitte & Touche LLP
1 313 401 5263
rrudnicki@deloitte.com


Sign up for Deloitte Insights updates at www.deloitte.com/insights.
Follow @DeloitteInsight

Contributors
Editorial: Matthew Budman, Nikita Garia, Abrar Khan
Creative: Kevin Weier
Promotion: Haley Pearson
Artwork: Alex Nabaum

About Deloitte Insights
Deloitte Insights publishes original articles, reports and periodicals that provide insights for businesses, the public sector and NGOs. Our goal is to draw upon research and experience from throughout our professional services organization, and that of coauthors in academia and business, to advance the conversation on a broad spectrum of topics of interest to executives and government leaders. Deloitte Insights is an imprint of Deloitte Development LLC.

About this publication
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or its and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu Limited, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private compan

