Vice President, Operations
Overview of the NIST Special Publications 800 Series (NIST SP)The National Institute of Standards and Technology (NIST) Special Publications are widely used by organizations in the public and private sectors to improve their cybersecurity posture and ensure compliance with applicable laws, regulations, and policies. NIST uses three subseries for publishing computer, cyber, and information security guidelines, recommendations, and reference materials. They include:
- SP 800 Series (December 1990-present):
- NIST’s main channel for releasing computer, cyber, and information security guidelines, recommendations, and reference materials
- SP 800 Series (2015-present):
- A new subseries that complements SP 800
- Addresses specific cybersecurity challenges in public and private sectors
- Offers practical and user-friendly guides to facilitate the adoption of standards-based cybersecurity approaches.
- SP 500 Series (January 1977-present):
- Before introducing the SP 800 subseries, NIST used the SP 500 subseries for computer security publications.
What are the most widely used NIST Special Publications by federal agencies?There are over 200 special publications in the NIST SP 800 series, but this number fluctuates as new publications are added and old ones are updated or retired. (Such as SP 800-1, released in 1990 when modem speeds were a blistering 14.4 kilobits per second.) Not all are How-To-Manuals. Some are annual reports of NIST’s cybersecurity activities.
NIST SP 800-39“Managing Information Security Risk: Organization, Mission, and Information System View” This publication provides direction for establishing a comprehensive, organization-wide program dedicated to the management of information security risks. The program is designed to tackle risks associated with organizational operations, including mission, functions, image, and reputation, as well as risks to organizational assets, individuals, other entities, and the nation stemming from the operation and utilization of federal information systems. The guidance on information security risk management is supplementary and can be integrated into a broader Enterprise Risk Management (ERM) initiative. Its intentional design is deliberately all-encompassing, focusing on information security risks primarily arising from the operation and utilization of information technologies. First Published: Mar. 2011 Download
NIST SP 800-53“Security and Privacy Controls for Information Systems and Organizations” First published in 2005, NIST SP 800-53 has undergone several revisions in response to the evolving landscape. A catalog of security and privacy controls is provided designed for federal information systems, excluding those pertaining to national security. These controls are indispensable for federal agencies, enabling the development and implementation of a risk-based approach to manage information security risks effectively. It can meet the wide-ranging security requirements imposed on information systems and organizations. These controls are designed to be consistent with and complementary to other established information security standards. Revision 5, released in September 2020, introduced substantial changes, including removing the term “federal,” extending the applicability of these regulations to all organizations. These controls can address diverse security requirements for information systems and organizations while aligning with established information security standards. You can find out more here about how it’s used. First Published: Feb. 2005 Download (Revision 5 Crosswalk) Related Documentation: Mapping Document (XLSX)
NIST SP 800-37“Guide for Applying the Risk Management Framework to Federal Information Systems” This framework offers a methodical yet adaptable framework for overseeing information security risk.at the organization, mission/business process, and information system levels. Its main objective is to offer a risk management framework that allows organizations to effectively assess and manage risks associated with their data security and privacy risks. For our teams, NIST SP 800-37 provides guidelines for selecting appropriate security controls from NIST SP 800-53 based on the identified risk levels and the organization’s security requirements. First Published: Feb. 2010 Download Related Documentation: Mapping Document (XLSX)