Home | Intelligent Enterprise | NIST CSF | NIST Standards & Best Practices
Standards & Best Practices
Strengthen cybersecurity with NIST standards & best practices
Aside from the Cybersecurity Framework (CSF), NIST also provides companies with special publications (SP), each of which focuses on a different facet of security. These special publications help introduce technologies that can be used as part of the Cybersecurity Framework.
As a member of the NIST National Cybersecurity Excellence Partnership (NCEP) program, NextLabs helps to address many of the requirements of these publications as noted below.
Highlighted NIST Special Publications
- NIST SP 800-53 Revision 5: This document details a framework to protect an organization and its assets from a range of threats, including cyberattacks, insider threats, application security, supply chain risks, and human error, among others. NextLabs helps organizations meet various access control requirements, including enforcement of least privilege/need-to-know, dynamic privilege management, and usage controls on features such as Edit, Print, Reshare, and Extract.
- NIST SP 800-63-4: This document on Digital Identities Guidelines provides the technical requirements for federal agencies implementing digital identity services. The guidelines discuss identity proofing and authentication of users interacting with government information systems over networks. It also defines the technical requirements of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions.
- NIST SP 800-162: This paper defines attribute based access control (ABAC). NextLabs was selected by NIST to help define the core capabilities and benefits of ABAC. ABAC is an access control model where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
- NIST SP 800-171: NIST SP 800-171 sets forth the minimum security standards for all Department of Defense (DoD) contractors that process, store, or transmit Controlled Unclassified Information (CUI). NextLabs helps organizations safeguard the information that resides in or transits through covered contractor information systems and the reporting of cyber incidents.
- NIST SP 800-178: In this document, titled “A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC),” NIST describes how these are very different attribute-based access control standards with similar goals and objectives. The goal of both models is to provide a standardized way for expressing and enforcing a multitude of access control policies on various types of data services. The two standards differ with respect to the manner in which access control policies are specified, managed, and enforced.
- NIST SP 800-205: This document provides federal agencies with guidance on how to implement attributes in access control systems. Additionally, the document describes the factors that influence attributes which an authoritative body must address when standardizing an attribute system and proposes some notional implementation suggestions for consideration.
- NIST SP 800-207: This special publication discusses the core logical components that make up a zero trust architecture (ZTA) network strategy. Zero trust refers to an evolving set of network security paradigms that narrow defenses from wide network perimeters to individuals or small groups of resources. Its focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.
- NIST SP 1800-2: NIST SP 1800-2 covers how energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT) to protect power generation, transmission, and distribution. They must implement technology to authenticate authorized individuals to the devices and facilities to which the companies are giving them access rights to with a high degree of certainty.
- NIST SP 1800-3: Like SP 800-162 this document focuses on ABAC, however it includes the involvement of the National Cybersecurity Center of Excellence (NCCoE) and their example of an advanced access control system. The NCCoE practice guide in this paper details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach to attribute-based access control. This guide also discusses potential security risks facing organizations, benefits that may result from the implementation of an ABAC system, and the approach the NCCoE took in developing a reference architecture and build.
- NIST SP 1800-9: This paper discusses access rights management for the financial services sector. Financial services firms are complex organizations with several internal systems managing sensitive financial and customer data. These internal systems are typically independent of each other, which makes centralized management and oversight challenging. In collaboration with the financial services community and technology collaborators, the National Cybersecurity Center of Excellence (NCCoE) developed SP 1800-9 which uses standards-based, commercially available technologies and industry best practices to help financial services companies provide a more secure and efficient way to manage access to data and system.
- NIST SP 1800-39A: This publication helps organizations reduce the risk of data breaches, loss, and mishandling of information with data-centric security. It demonstrates how to discover and classify data based on characteristics regardless of where the data resides or is shared.