Individually, standards provide guidance on how to implement a single aspect of information security, such as disaster recovery or security controls. Taken together, a set of related standards constitutes a framework. For example, the ISO 27000 series of standards constitutes a framework.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF): One U.S. standards-based federal agency is the National Institute of Standards and Technology (NIST). NIST creates information security standards and guidance for federal agencies. Like the ISO-series documents, NIST documents individually may be considered standards, but in total these combined standards support a framework known as the NIST Risk Management Framework (RMF), whose process steps are defined in NIST SP 800-37. Whereas adherence to the NIST RMF is mandated for U.S. federal agencies by FISMA (remember FISMA above?), non-U.S.-government organizations are not required to adhere to these standards. Nonetheless, such organizations may choose to adopt the NIST RMF because of its completeness and comprehensiveness, and because NIST publications are free and publicly available. Within the NIST RMF, NIST has published dozens of documents to help organizations understand and attain compliance. Such publications include NIST Federal Information Processing Standards (FIPS) documents and NIST Special Publications (SPs). Charged by law with responsibility for federal information security standards, NIST develops standards, practices, metrics, tests and other means to support U.S. agencies' missions. NIST issues Special Publications (SPs), Federal Information Processing Standards (FIPS), Information Technology Laboratory (ITL) Bulletins, NIST Interagency or Internal Reports (NISTIRs) and other guidance. What are these publications?
FIPS Documents: FIPS documents are published to support FISMA and list the information security compliance requirements for U.S. federal agencies. Because they support the FISMA law, U.S. federal agencies are legally obliged to comply with the requirements stated in FIPS documents. Two important FIPS documents are:
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. In brief, the requirement for federal agencies to identify the level of risk, or "security categorization", of each information system. FIPS 199 defines three potential impact levels (low, moderate and high) for each of the three information security objectives (confidentiality, integrity, availability).
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems. Defines 17 security-related areas, or "families", covering management, operational and technical controls to mitigate the risks identified through FIPS 199 categorization. NIST SP 800-53 organizes its control catalog into these families and has added further families in later revisions (for example, Program Management), so the catalog now lists more than 17.
NIST SPs: NIST Special Publications document a variety of standards and guidelines that together make up the NIST Risk Management Framework (RMF). NIST Special Publications are not themselves mandated by law, but rather are the guidance agencies follow to implement the NIST RMF. Some important NIST RMF documents include:
- NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems.
- NIST SP 800-30 – Guide for Conducting Risk Assessments.
- NIST SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (the revision that defines the RMF's Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor steps).
- NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View.
- NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information Systems and Organizations (since superseded by Rev. 5, Security and Privacy Controls for Information Systems and Organizations).
- NIST SP 800-53A Rev. 4 – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.
- NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories.
- NIST SP 800-137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.
There are dozens of other NIST Special Publications that in total provide guidance for complying with the NIST RMF.
Which Standards or Frameworks Should an Organization Attain? For U.S. federal agencies, FISMA mandates implementation of the NIST RMF. Other organizations can choose to implement a security program based on the ISO 27000 series, the NIST RMF or both. There are even documents that map the ISO 27000 series framework to the NIST RMF; NIST SP 800-53 itself includes an appendix mapping its controls to the ISO/IEC 27001 control set.