NIST Cybersecurity Framework

NextLabs helps organizations meet the security requirements of the National Institute of Standards and Technology (NIST). In particular, NIST has published several documents, each of which focuses on a different facet of security. NextLabs addresses many of the requirements of these publications as noted below.

NextLabs is a member of the NIST National Cybersecurity Excellence Partnership (NCEP) program.

NCEP partners have pledged to provide hardware, software and expertise to support NIST’s efforts to advance rapid adoption of secure technologies. In addition to contributing equipment and other products to the NCCoE’s test environments, companies may designate guest researchers to work at the center, in person or remotely.

NIST SP 800-53 Revision 5

This document details a framework to protect an organization and its assets from a range of threats, including cyberattacks, insider threats, application security, supply chain risks, and human error, among others. NextLabs helps organizations meet various access control requirements, including enforcement of least privilege/need-to-know, dynamic privilege management, and usage controls on features such as Edit, Print, Reshare, and Extract.

NIST SP 800-162

This paper defines attribute based access control (ABAC). NextLabs was selected by NIST to help define the core capabilities and benefits of ABAC. ABAC is an access control model where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

NIST SP 800-171

NIST SP 800-171 sets forth the minimum security standards for all Department of Defense contractors that process, store, or transmit Controlled Unclassified Information (CUI). NextLabs helps organizations safeguard the information that resides in or transits through covered contractor information systems and supports the reporting of cyber incidents.

NIST SP 800-178

In this document, titled “A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC),” NIST describes how these are very different attribute based access control standards with similar goals and objectives. The goal of both models is to provide a standardized way of expressing and enforcing a multitude of access control policies on various types of data services. The two standards differ in how access control policies are specified, managed, and enforced.

NIST SP 1800-2

NIST SP 1800-2 covers how energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT), to protect power generation, transmission, and distribution. They must implement technology to authenticate, with a high degree of certainty, authorized individuals to the devices and facilities to which the companies are giving them access rights.

NIST SP 1800-3

Like SP 800-162, this document focuses on ABAC; however, it includes the involvement of the National Cybersecurity Center of Excellence (NCCoE) and their example of an advanced access control system. The NCCoE practice guide in this paper details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach to attribute based access control. This guide also discusses potential security risks facing organizations, benefits that may result from the implementation of an ABAC system, and the approach the NCCoE took in developing a reference architecture and build.

NIST SP 1800-9

This paper discusses access rights management for the financial services sector. Financial services firms are complex organizations with several internal systems managing sensitive financial and customer data. These internal systems are typically independent of each other, which makes centralized management and oversight challenging. In collaboration with the financial services community and technology collaborators, the National Cybersecurity Center of Excellence (NCCoE) developed SP 1800-9, which uses standards-based, commercially available technologies and industry best practices to help financial services companies provide a more secure and efficient way to manage access to data and systems.

NIST SP 800-207

This special publication discusses the core logical components that make up a zero trust architecture (ZTA) network strategy. Zero trust refers to an evolving set of network security paradigms that narrow defenses from wide network perimeters to individuals or small groups of resources. Its focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.

Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Capability Maturity Model (CMMC) certification is the US Government’s solution to fix low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike and that subcontractors are used in different ways. The CMMC is a tiered model that addresses every business in the Defense Industrial Base (DIB), from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services, etc.) that could impact CUI.

One common misconception is that CMMC compliance is the same thing as NIST SP 800-171. That is not entirely true, especially in the higher levels of CMMC that include requirements from frameworks other than NIST SP 800-171.

  • CMMC Level 1: This is essentially addressing FAR 52.204-21 cybersecurity principles.
  • CMMC Level 2: This builds on CMMC Level 1 and addresses a little over half of NIST 800-171 controls.
  • CMMC Level 3: This builds on CMMC Level 2 and addresses all NIST 800-171 and a few extras.
  • CMMC Levels 4 & 5: CMMC Levels 4 & 5 build off CMMC Level 3 and include controls from a range of frameworks:
    • CERT RMM v1.2
    • NIST SP 800-53
    • NIST SP 800-172
    • ISO 27002
    • CIS CSC 7.1


NIST Cybersecurity Framework

Stay ahead of the curve

The NIST Cybersecurity Framework is a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce their cybersecurity risk. The framework is designed to provide a flexible and customizable approach to cybersecurity, regardless of an organization’s size, industry, or level of cybersecurity maturity. The framework is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. 

Implementing Data Security using Attribute Based Access Control (ABAC)

Discover how Attribute Based Access Control (ABAC) provides a robust data security solution that keeps pace with the demands of your extended enterprise.

NIST ABAC Overview

Learn how NextLabs partnered with the National Cybersecurity Center of Excellence (NCCoE) to address the challenge of implementing Attribute Based Access Control (ABAC).

Applying Zero Trust Principles to NIST 800-53

Discover how zero trust principles can be applied to NIST 800-53 to safeguard applications and data from a diverse range of threats

A NIST Cybersecurity Framework approach addresses:

  • Increasing sophistication of cyber threats
  • Proliferation of connected devices and systems
  • Growing complexity of regulatory requirements

By providing a flexible and customizable approach to cybersecurity, the framework enables organizations to prioritize their cybersecurity efforts and to align them with their business objectives. Additionally, the framework provides a common language and set of standards that enable organizations to collaborate and share best practices, thereby improving overall cybersecurity readiness across industries and sectors.

Why NIST Cybersecurity Framework?

Key characteristics of the NIST Cybersecurity Framework (CSF):

  • Flexible: It can be applied to a wide range of organizations, regardless of their size, sector, or cybersecurity maturity.
  • Adaptable: Organizations can tailor the framework to their specific needs and risk profile.
  • Scalable: It can be used to manage cybersecurity risk across a single organization or across an entire industry or sector.

Another important characteristic of the NIST CSF is its focus on risk management. The framework is designed to help organizations identify, assess, and prioritize their cybersecurity risks so that they can implement effective controls and mitigations to manage those risks. This approach enables organizations to focus their cybersecurity efforts on the areas of greatest risk and to allocate their resources more effectively.

By providing a common language and set of standards, the framework also facilitates collaboration and information sharing across industries and sectors, thereby improving overall cybersecurity readiness.

NextLabs Solution

The NextLabs Data-Centric Security suite of products is designed to help organizations implement the NIST Cybersecurity Framework and manage their cybersecurity risks effectively.

Secure applications, API, & microservices access, externalize entitlement, protect data, & simplify access management

Persistent protection of critical files stored and shared anywhere, cloud payload, and endpoint device

Zero Code Approach to protect data & secure access independent of application with data masking, FPE, & data segregation

The NextLabs solution enables organizations to implement the NIST CSF’s core functions and subcategories and is highly customizable, enabling organizations to tailor it to their specific needs and risk profile. Additionally, the solution provides a range of reporting and analytics capabilities that enable organizations to monitor and measure their cybersecurity performance and to demonstrate compliance with regulatory requirements. 

NextLabs’ Data-Centric Security Suite is designed to help organizations protect their sensitive data throughout its lifecycle, from creation to deletion, at rest, within applications, and on the move. By providing data-centric security that helps organizations implement the NIST CSF, NextLabs enables organizations to prioritize their data protection efforts and to align them with their overall cybersecurity strategy.  

Intelligent Enterprise

Implementation of the NIST Cybersecurity Framework allows organizations to make the transition to intelligent enterprises without compromising on data security. The best practices defined by NIST provide a guide for organizations as they plan their migrations to more digitized operations, and as they collaborate more using shared resources. The framework’s implementation tiers also provide a roadmap for organizations to measure their progress and continually improve their cybersecurity. This structure makes it easier for organizations to implement the changes to become more intelligent than if they had to develop cybersecurity plans from scratch.
