1.2: Why use NIST?

Last updated
Save as PDF

Page ID: 84559

Thomas P. Dover
Butler County Community College

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

Five reasons for using NIST publications:

NIST publications are processes & practices for federal government agencies to follow regarding Cybersecurity. Organizations partnering with the federal government are obligated to adopt these standards. Moreover, many organizations (public and private) adopt and adapt NIST standards for their own Cybersecurity and Risk Management programs.
NIST is often cited in federal laws, regulations, orders and statutes¹ as a source for Cybersecurity guidance. It is also cited by federal Departments² and agencies when promulgating rules and regulations governing specific critical sectors (e.g., manufacturing, health, finance).
NIST publications are used by private businesses and commercial vendors for the development of custom Cybersecurity and risk assessment programs. Some professional certifications in Cybersecurity are based on NIST standards.
NIST publications serve as an authoritative source for industry Cybersecurity “Best Practices”.
NIST publications are often cited in regulatory or legal proceedings as the basis for a company or organization’s Cybersecurity strategy or Risk Management Program.

[1] Examples include IoT Cybersecurity Improvement Act of 2020, passed in December, 2020; HIPAA Safe Harbor Act, an amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law in January, 2021; and Executive Order 14028 (Improving the Nation’s Cybersecurity), signed May 12, 2021.

[2] An example is the Department of Health and Human Services (HIPAA). See https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?language=es for an example of NIST citation.