National Institute of Standards and Technology

Overview
Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

Responsibilities
NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems.


 * Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Because FISMA requires federal agencies to comply with these standards, agencies may not waive their use.
 * Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.
 * Other security-related publications, including NIST interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.

Schedule for compliance with NIST standards and guidelines

 * For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.
 * For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.

Programs
NIST carries out its mission in four cooperative programs:


 * the NIST Laboratories, which conduct research to advance the nation's technology infrastructure and assist U.S. industry in continually improving products and services;
 * the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, and health care providers; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement;
 * the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and
 * the Technology Innovation Program, which provides cost-shared awards to industry, universities, and consortia for research on potentially revolutionary technologies that address critical national and societal needs.

Between 1990 and 2007, NIST also managed the Advanced Technology Program.

The agency operates in two locations: Gaithersburg, Md. (headquarters: 578-acre campus) and Boulder, Colo. (208-acre campus).

General
NIST:


 * Chairs (since as early as 2002) and participates in multiple U.S. technical advisory groups to ISO/IEC JTC 1 that have developed or are developing standards related to security evaluation techniques, identity management, identification card and smart card interoperability, cloud computing, biometrics, and cryptography.
 * Participates in ITU-T study group efforts via the joint standards development project with ISO/IEC JTC 1.
 * Serves as editor and area director while contributing to IETF standards efforts, including multiple efforts related to Internet Protocol version 6 (IPv6).
 * Serves as editor of, and otherwise contributes to, IEEE 802 standards, and provides guidance to organizations on implementing wireless network standards.

FISMA
To help implement the provisions of FISMA for non-national security systems, NIST has developed a risk management framework (RMF) for agencies to follow in developing information security programs. The framework is specified in NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, which provides agencies with guidance for applying the RMF to federal information systems.

The framework in SP 800-37 consists of six steps: security categorization, security control selection, security control implementation, security control assessment, information system authorization, and ongoing security control monitoring. It also provides a process that integrates information security and risk management activities into the system development life cycle. Figure 1 provides an illustration of the framework and notes the relevant security guidance for each step.