Founded in 1901 as the National Bureau of Standards (NBS) and renamed by the Omnibus Trade and Competitiveness Act of 1988, the National Institute of Standards and Technology (NIST) is a non-regulatory, federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
The NIST is directed to offer support to the private sector for the development of precompetitive generic technologies and the diffusion of government-developed innovation to users in all segments of the American economy. Laboratory research is to provide measurement, calibration, and quality assurance techniques that underpin U.S. commerce, technological progress, improved product reliability, manufacturing processes, and public safety.
NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems.
- Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.
- Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.
- Other security-related publications, including NIST interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.
- NIST is also responsible for administering the United States Configuration Baseline, which is an initiative to create security configuration baselines for information technology (IT) products deployed across federal agencies.
The responsibilities of the NIST for information technology standards were refined by the National Technology Transfer and Advancement Act of 1995, which established a preference for commercially-developed standards. NIST is also responsible under E.O. 13011 for the "standards responsibilities under the Computer Security Act of 1987." NIST works with national and international standard-setting organizations and adopts voluntary standards for Government specification.
Schedule for compliance with NIST standards and guidelines
- For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.
- For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.
NIST carries out its mission in four cooperative programs:
- the NIST Laboratories, which conducts research to advance the nation's technology infrastructure and assist U.S. industry to continually improve products and services;
- the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, and health care providers; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement;
- the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and
- the Technology Innovation Program, which provides cost-shared awards to industry, universities and consortia for research on potentially revolutionary technologies that address critical national and societal needs.
- Between 1990 and 2007, NIST also managed the Advanced Technology Program.
The NIST got involvement in computer and communication security in the late 1970s and early 1980s in what is now known as the National Computer Systems Laboratory (NCSL) (formerly the "Institute for Computer Sciences and Technology").
The NIST's involvement in computer security has most often resulted in the publication of federal standards or guidelines on topics such as password protection, audit, risk analysis, and others that are important to the use of computers but do not necessarily relate to the technical aspects of protection within computer systems. These documents, formally known as Federal Information Processing Standards (FIPS) publications, are widely used within the civilian government as the basis for computer processing and computer system procurement.
NIST has also issued other, tutorial publications to enhance awareness in government, in particular, of issues such as computer viruses.
To promote cybersecurity, the NIST:
- chairs (since as early as 2002) and participates in multiple U.S. technical advisory groups to JTC-1 that have developed or are developing standards related to security evaluation techniques, identity management, identification card and smart card interoperability, cloud computing, biometrics, and cryptography.
- participates in ITU-T study group efforts via the joint standards development project with ISO-IEC JTC-1.
- serves as editor and area director while contributing to IETF standards efforts, including multiple efforts related to Internet Protocol version 6.
- serves as editor and otherwise contributes to IEEE 802. Provides guidance to organizations for implementing wireless networks standards.
- develops standards and guides for securing non-national security federal information systems.
- works with industry and other agencies to define minimum-security requirements for federally-held information and for information systems that are often important in the private sector, both for CIKR and non-critical infrastructure as well.
- identifies methods and metrics for assessing the effectiveness of security requirements;
- evaluates private sector security policies for potential federal agency use; and
- provides general cybersecurity technical support and assistance to the private sector and federal agencies.
To help implement the provisions of FISMA for non-national security systems, NIST has developed a risk management framework for agencies to follow in developing information security programs. The framework is specified in NIST Special Publication 800-37, rev. 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," which provides agencies with guidance for applying the risk management framework to federal information systems.
The framework in Special Publication 800-37 consists of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. It also provides a process that integrates information security and risk management activities into the system development life cycle. Figure 1 provides an illustration of the framework and notes relevant security guidance for each part of the framework.
- NIST RISK MANAGEMENT FRAMEWORK
NIST assists industry in developing technology to improve product quality and to facilitate rapid commercialization of products based on new scientific discoveries. Several NIST programs have been set up to spur innovation and accelerate the adoption of new ideas and technology by U.S. companies. NIST's Advanced Technology Program provides seed money to help U.S. businesses on pre-competitive, generic technologies with high commercial potential, and NIST's research and testing facilities are made available to businesses engaged in cooperative and proprietary work.
Through its regional manufacturing technology centers (MTCs), NIST provides technical and financial support to nonprofit centers that assist small- and medium-sized companies in gaining expertise with new manufacturing technologies. Each center's approach is unique, dictated by its location and the type of manufacturing of its client base.
The NIST hss published a number of publications relevant to IT law and information law, including:
- The seven NIST laboratories are the Materials Measurement Laboratory, Physical Measurement Laboratory, Engineering Laboratory, Information Technology Laboratory, Communications Technology Laboratory, Center for Nanoscale Science and Technology, and Center for Neutron Research.
- While agencies are required to follow NIST guidance in accordance with OMB policy, there is flexibility within NIST’s guidance in how agencies apply the guidance. Unless otherwise specified by OMB, the 800-series guidance documents published by NIST generally allow agencies some latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. When assessing agency compliance with NIST guidance, auditors, evaluators, and/or assessors should consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.
- The one-year compliance date for revisions to NIST Special Publications applies only to the new and/or updated material in the publications resulting from the periodic revision process. Agencies are expected to be in compliance with previous versions of NIST Special Publications within one year of the publication date of the previous versions.
- NIST Special Publication 800-37, rev. 1, was formerly NIST, Guide for the Certification and Accreditation of Federal Information Systems, SP 800-37. The risk management framework replaces the process known as certification and accreditation described in the previous version of Special Publication 800-37.