SP 800 Series — Computer Security
The cornerstone of federal cybersecurity guidance. SP 800 publications cover security controls, risk management, incident response, cloud security, identity management, and more.
An Introduction to Information Security
Provides a broad overview of information security for federal information systems. Introduces fundamental concepts, the NIST security framework, security governance, and the relationship between NIST publications. Serves as an entry point for understanding federal cybersecurity requirements.
Guide for Conducting Risk Assessments
Provides guidance on conducting risk assessments as part of the Risk Management Framework. Covers threat identification, vulnerability analysis, likelihood determination, impact analysis, and risk determination. Defines a risk model with threat sources, events, vulnerabilities, and predisposing conditions.
Risk Management Framework for Information Systems and Organizations
Defines the seven-step Risk Management Framework (RMF): Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Rev. 2 aligned RMF with the NIST Cybersecurity Framework and privacy risk management, and added the Prepare step for organization-wide readiness.
Managing Information Security Risk
Establishes a three-tier risk management approach: organizational, mission/business process, and information system levels. Provides the strategic framework within which SP 800-37 (RMF) and SP 800-30 (risk assessment) operate.
Guide to Enterprise Patch Management Planning
Provides guidance on creating and maintaining an enterprise patch management program. Rev. 4 shifted focus from individual system patching to enterprise-level risk-based strategies, addressing the reality that organizations cannot patch everything immediately.
Guidelines on Firewalls and Firewall Policy
Provides recommendations for configuring and managing firewalls, including packet filtering, stateful inspection, application proxy, and dedicated proxy servers. Covers firewall planning, policy creation, and management best practices.
Guide to Enterprise Telework, Remote Access, and BYOD Security
Provides guidance on securing remote access technologies including VPN, remote desktop, and direct application access. Covers BYOD security policies, mobile device management, and telework security planning for enterprise environments.
Managing the Security of Information Exchanges
Provides guidance on managing security when connecting IT systems between different organizations. Covers Interconnection Security Agreements (ISAs), Memoranda of Understanding (MOUs), and risk management for system interconnections.
Building an Information Technology Security Awareness and Training Program
Provides guidance for building and maintaining an IT security awareness and training program. Covers needs assessment, program development, training material creation, and program evaluation. Emphasizes role-based training tailored to different user populations.
Security and Privacy Controls for Information Systems and Organizations
The comprehensive catalog of security and privacy controls for federal information systems. Contains more than 1,000 controls and control enhancements across 20 families. Rev. 5 integrated privacy controls alongside security controls for the first time and made the catalog outcome-based rather than system-specific, so the same controls apply to any system, component, or organization rather than only to federal systems.
Assessing Security and Privacy Controls in Information Systems and Organizations
Provides assessment procedures for the controls in SP 800-53. Defines methods (examine, interview, test) and objects for each control, enabling consistent and repeatable assessments. Used by auditors, assessors, and organizations to evaluate control effectiveness.
Control Baselines for Information Systems and Organizations
Establishes three security control baselines (Low, Moderate, High) and one privacy baseline for federal information systems. Defines which SP 800-53 controls apply at each impact level per FIPS 199 categorization.
Recommendation for Key Management
Provides comprehensive guidance on cryptographic key management including key generation, distribution, storage, use, revocation, and destruction. Defines key types, key states, and recommended key lifetimes for various cryptographic algorithms.
Guide for Mapping Types of Information and Information Systems to Security Categories
Provides guidance for mapping information types to security categories (confidentiality, integrity, availability) per FIPS 199. Appendices catalog hundreds of information types with recommended impact levels, enabling consistent system categorization across the federal government.
Computer Security Incident Handling Guide
Provides guidance on establishing and operating an incident response capability. Rev. 3 recasts the guide as a CSF 2.0 Community Profile, emphasizing coordination, information sharing, and the integration of incident response into broader cybersecurity risk management. The incident handling life cycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity) remains the core model.
Digital Identity Guidelines
Comprehensive guidelines for digital identity services. Defines three assurance levels for identity proofing (IAL), authentication (AAL), and federation (FAL). Rev. 4 introduced risk-based approaches and expanded phishing-resistant authenticator requirements.
Digital Identity Guidelines: Enrollment and Identity Proofing
Defines requirements for identity proofing at three assurance levels (IAL1-3). Covers evidence collection, validation, verification, and address confirmation. Rev. 4 added equity considerations and expanded remote proofing options.
Digital Identity Guidelines: Authentication and Lifecycle Management
Defines authentication requirements at three assurance levels (AAL1-3). Covers authenticator types (memorized secrets/passwords, OTP devices, FIDO2 and other cryptographic authenticators, PKI), session management, and lifecycle events. Rev. 4 keeps SMS and other PSTN out-of-band authenticators in restricted status and expands the requirements for phishing-resistant methods.
Guide to Operational Technology (OT) Security
Provides guidance on securing industrial control systems (ICS), SCADA systems, and other operational technology. Rev. 3 broadened scope to all OT and updated guidance for converged IT/OT environments, including threat landscape, risk management, and security architecture.
Guidelines for Media Sanitization
Provides guidance on sanitizing media (clearing, purging, destroying) before disposal or reuse. Defines sanitization methods for different media types including magnetic, flash, optical, and paper. Includes decision flow charts for selecting appropriate sanitization methods.
Information Security Handbook: A Guide for Managers
Provides guidance for information security program managers on establishing and managing an information security program. Covers governance, planning, budgeting, risk management, certification and accreditation, and performance measurement.
Technical Guide to Information Security Testing and Assessment
Provides guidance on planning and conducting technical security testing, including vulnerability scanning, penetration testing, and security assessment. Covers testing techniques, target identification, analysis methods, and reporting of findings.
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Provides guidance on protecting PII held by federal agencies. Defines PII, establishes confidentiality impact levels, and recommends safeguards for PII in storage, transit, and disposal. Covers operational and privacy-specific safeguards.
Guide to General Server Security
Provides guidance on securing server operating systems and server software. Covers OS hardening, patch management, access control, logging, and backup. Addresses both initial deployment security and ongoing server maintenance.
Guidelines for Managing the Security of Mobile Devices in the Enterprise
Provides recommendations for securing mobile devices used in enterprise environments. Rev. 2 covers modern mobile threats, mobile device management (MDM), mobile threat defense, and zero-trust approaches to mobile security.
Guide to Security for Full Virtualization Technologies
Provides guidance on securing virtualization technologies including hypervisors, virtual machines, and virtual networks. Covers guest OS hardening, hypervisor security, virtual network configuration, and image management.
Guide for Security-Focused Configuration Management of Information Systems
Provides guidance on establishing and maintaining secure configurations for federal information systems. Covers configuration management planning, baseline configuration, change control, monitoring, and security impact analysis of configuration changes.
Transitioning the Use of Cryptographic Algorithms and Key Lengths
Provides transition guidance for moving from legacy to stronger cryptographic algorithms. Specifies minimum key lengths, deprecated algorithms, and timelines for transitioning. Addresses the sunset of SHA-1, 1024-bit RSA, and other weakening algorithms.
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Defines the ISCM process for maintaining ongoing awareness of information security, vulnerabilities, and threats. Establishes the monitoring strategy, metrics, frequencies, and reporting requirements to support risk-based security decisions.
Guidelines on Security and Privacy in Public Cloud Computing
Provides guidance on the security and privacy challenges of public cloud computing. Covers governance, compliance, trust, identity management, data protection, and incident response considerations specific to cloud environments.
The NIST Definition of Cloud Computing
Establishes the canonical definition of cloud computing used across the federal government. Defines five essential characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models (public, private, hybrid, community).
Guide to Cyber Threat Information Sharing
Provides guidance on establishing and participating in cyber threat information sharing relationships. Covers threat indicators, defensive measures, sharing architectures (STIX/TAXII), and trust models for sharing sensitive threat intelligence.
Guidelines for Derived Personal Identity Verification (PIV) Credentials
Provides guidelines for issuing derived PIV credentials on mobile devices and other platforms where traditional PIV cards cannot be used. Enables strong authentication for mobile users while maintaining PIV assurance levels.
Systems Security Engineering
Addresses security from a systems engineering perspective, integrating security into every phase of the system development life cycle. Provides engineering-driven solutions for building trustworthy, resilient systems rather than bolt-on security.
Cybersecurity Supply Chain Risk Management Practices
Provides guidance on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain. Rev. 1 expanded coverage to include software supply chain security, supplier assessment frameworks, and integration with the C-SCRM lifecycle.
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Defines the security requirements for protecting CUI when it resides in nonfederal systems: Rev. 2 specifies 110 requirements, and Rev. 3 (2024) consolidates them into 97 requirements realigned with SP 800-53 Rev. 5. This is the cornerstone of the CMMC framework and DFARS 252.204-7012 compliance; at the time of writing, CMMC Level 2 assessments still reference the Rev. 2 requirements, so check which revision a given contract invokes.
Assessing Security Requirements for Controlled Unclassified Information
Defines assessment procedures for the SP 800-171 CUI security requirements (110 in Rev. 2, 97 in Rev. 3). Provides specific examination, interview, and testing methods for each requirement, enabling consistent evaluation of contractor compliance.
Enhanced Security Requirements for Protecting Controlled Unclassified Information
Defines enhanced security requirements beyond SP 800-171 for CUI associated with critical programs or high-value assets. Addresses advanced persistent threats (APTs) with requirements for penetration-resistant architecture, damage-limiting operations, and cyber resiliency.
Guideline for Using Cryptographic Standards in the Federal Government
Provides guidance on selecting and implementing NIST-approved cryptographic algorithms and protocols. Covers symmetric encryption (AES), hashing (SHA), digital signatures (RSA, ECDSA), key establishment, and random number generation.
Workforce Framework for Cybersecurity (NICE Framework)
Establishes a common lexicon for describing cybersecurity work through Tasks, Knowledge, and Skills (TKS). Defines work roles, competency areas, and capability indicators. Used for workforce development, training, recruitment, and retention across the cybersecurity field.
Networks of Things
Provides a conceptual framework for understanding IoT composed of five building blocks: sensor, aggregator, communication channel, external utility, and decision trigger. Analyzes trust, security, privacy, safety, and reliability considerations for IoT deployments.
De-Identifying Government Datasets
Provides guidance on de-identifying government datasets to enable open data sharing while protecting individual privacy. Covers statistical disclosure limitation, data masking, synthetic data generation, and risk assessment for re-identification.
Zero Trust Architecture
Defines zero trust architecture (ZTA) principles and deployment models. Zero trust assumes no implicit trust based on network location and requires continuous verification of every user, device, and transaction. Describes logical components and deployment approaches.
General Access Control Guidance for Cloud Systems
Provides access control guidance specific to cloud service models (IaaS, PaaS, SaaS). Covers identity federation, role-based access, attribute-based access, and shared responsibility considerations for access control in multi-tenant environments.
IoT Device Cybersecurity Guidance for the Federal Government
Establishes security requirements for IoT devices used by federal agencies. Defines device cybersecurity capabilities (identification, configuration, data protection, logical access, software update, event logging) and non-technical supporting capabilities.
Secure Software Development Framework (SSDF)
Defines practices for secure software development throughout the SDLC. Organized into four groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities. Under EO 14028 and OMB Memorandum M-22-18, producers of software sold to federal agencies must attest that their development practices conform to the SSDF.
FIPS — Federal Information Processing Standards
Mandatory standards for federal information systems covering cryptographic modules, security categorization, encryption algorithms, and digital identity.
Security Requirements for Cryptographic Modules
Defines four levels of security requirements for cryptographic modules used by federal agencies. Covers module specification, module interfaces, roles/services, physical security, software/firmware security, operating environment, key management, EMI/EMC, self-tests, and design assurance.
Security Requirements for Cryptographic Modules (Current)
The successor to FIPS 140-2, aligning with ISO/IEC 19790:2012 and ISO/IEC 24759:2017. Maintains four security levels but modernizes requirements for contemporary cryptographic implementations. All new validations after April 2022 must use FIPS 140-3.
Standards for Security Categorization of Federal Information and Information Systems
Establishes security categories for federal information and information systems based on potential impact (Low, Moderate, High) across three security objectives: confidentiality, integrity, and availability. A system's category is the high-water mark across the information types it processes, taken per objective, and the highest of the three objectives sets the overall impact level that selects the security control baseline from SP 800-53B.
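The high-water-mark rule from FIPS 199 (and the information-type mapping step from SP 800-60 above) is mechanical enough to script. The following is an added example written for this page, not NIST code: it categorizes a system from an inventory of information types, applies the optional SP 800-60 adjustment step, and derives the overall impact level that picks the SP 800-53B baseline. The information types and their impact levels are constructed sample data, not values from the SP 800-60 appendices.

```python
"""FIPS 199 / SP 800-60 security categorization by high-water mark.

Added example for illustration; the sample information types below are
constructed, not taken from the SP 800-60 appendices.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal ranking of the FIPS 199 impact levels. "NA" is only valid for the
# confidentiality of an information type (e.g. public information).
IMPACT = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional FIPS 199 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def normalize(level: str) -> str:
    """Canonicalize an impact level string; reject anything outside FIPS 199."""
    lvl = level.strip().upper().replace("N/A", "NA")
    if lvl not in IMPACT:
        raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return lvl


def high_water_mark(levels: list[str]) -> str:
    """Highest impact level among `levels` (FIPS 199 section 3.2)."""
    return max((normalize(lvl) for lvl in levels), key=IMPACT.__getitem__)


def categorize_system(
    types: list[InfoType], adjustments: dict[str, str] | None = None
) -> dict[str, str]:
    """Security category of a system: per-objective high-water mark over its types.

    `adjustments` lets the system owner override a provisional objective level
    after the SP 800-60 review step (for example, raising availability because
    the aggregated data is more critical than any single type). Because NA is
    permitted only for an information type's confidentiality, the system-level
    result is floored at LOW on every objective.
    """
    if not types:
        raise ValueError("a system must contain at least one information type")
    adjustments = adjustments or {}
    category: dict[str, str] = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark([getattr(t, objective) for t in types])
        if objective in adjustments:
            hwm = normalize(adjustments[objective])
        category[objective] = "LOW" if hwm == "NA" else hwm
    return category


def overall_impact(category: dict[str, str]) -> str:
    """Overall impact level (FIPS 200), which selects the SP 800-53B baseline."""
    return high_water_mark(list(category.values()))


def format_category(category: dict[str, str]) -> str:
    """Render in the FIPS 199 notation: SC = {(objective, level), ...}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample inventory for a hypothetical HR portal.
SAMPLE_TYPES = [
    InfoType("Public website content", "NA", "LOW", "LOW"),
    InfoType("Employee personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Incident response case data", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(format_category(cat), "->", overall_impact(cat), "baseline")
```

A public-only system (every type NA for confidentiality) still comes out Low rather than NA at the system level, and a single adjustment raising availability to High lifts the whole system to the High baseline, which is the usual surprise when an aggregation review is skipped.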
Minimum Security Requirements for Federal Information and Information Systems
Specifies minimum security requirements across 17 security-related areas for federal information systems based on FIPS 199 categorization. Links to SP 800-53 for the specific controls that satisfy each requirement area.
Personal Identity Verification (PIV) of Federal Employees and Contractors
Establishes requirements for a government-wide standard for secure and reliable identification and authentication of federal employees and contractors. Defines the PIV credential (smart card), biometric requirements, PKI certificates, and lifecycle management processes.
Digital Signature Standard (DSS)
Specifies approved digital signature algorithms and their key pair generation, signature generation, and signature verification processes. FIPS 186-5 (2023) approves RSA, ECDSA, and EdDSA; DSA is no longer approved for generating new signatures and is retained only for verifying signatures created before the standard took effect.
Advanced Encryption Standard (AES)
Specifies the Advanced Encryption Standard (AES) algorithm, a symmetric block cipher for encrypting and decrypting data. Supports key lengths of 128, 192, and 256 bits. AES is the most widely used encryption algorithm in federal systems.
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
Specifies the SHA-3 family of hash functions based on the Keccak algorithm. Provides four hash functions (SHA3-224, SHA3-256, SHA3-384, SHA3-512) and two extendable-output functions (SHAKE128, SHAKE256) as alternatives to SHA-2.
Cybersecurity Framework
The NIST Cybersecurity Framework provides a common language and structured approach for managing cybersecurity risk across all sectors.
AI Series — Artificial Intelligence
Frameworks and profiles for managing risks associated with artificial intelligence systems in federal procurement and operations.
Artificial Intelligence Risk Management Framework
Provides a voluntary framework for managing risks associated with AI systems. Organized around four functions: Govern, Map, Measure, and Manage. Addresses trustworthiness characteristics including safety, fairness, explainability, privacy, and security.
Artificial Intelligence Risk Management Framework: Generative AI Profile
Companion to AI RMF addressing unique risks of generative AI systems including hallucination, bias amplification, intellectual property concerns, and information security risks. Provides specific actions for managing generative AI risks across the govern-map-measure-manage functions.
About NIST and Government Contracting
The National Institute of Standards and Technology (NIST) develops cybersecurity standards, guidelines, and frameworks that are mandatory or strongly recommended for federal information systems. For government contractors, NIST publications define the technical security requirements that must be met to win contracts, maintain compliance, and avoid penalties.
The most impactful publications for contractors include SP 800-171 (CUI protection, required for CMMC compliance), SP 800-53 (comprehensive security controls for federal systems), FIPS 140-2/3 (cryptographic module validation), and the Cybersecurity Framework (risk management across all sectors). Understanding which NIST publications apply to a given contract is essential for accurate proposal pricing, technical approach development, and ongoing compliance.