Standards
Federal Information Processing Standard Publication (FIPS PUB) 199: Standards of Security Categorization of Federal Information and Information Systems
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Information Protection Processes and Procedures, Risk Management
"Federal Information Processing Standard Publication (FIPS) 199, Standards of Security Categorization of Federal Information and Information Systems" provides a standard for categorizing federal information and Information Systems (IS) according to an agency's level of concern for Confidentiality, Integrity, and Availability (CIA) and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Cybersecurity Monitoring, Identity Access Management (IAM), Incident Recovery, Incident Response, Information Protection Processes and Procedures, Risk Management
"Framework for Improving Critical Infrastructure Cybersecurity Version 1.1" focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organizational Profiles. Through use of Profiles, the Framework will help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help in prioritizing and achieving cybersecurity objectives.
Special Publication (SP) 500-291: NIST Cloud Computing Standards Roadmap
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Technology
"National Institute of Standards and Technology - Special Publication (NIST-SP) 500-291: NIST Cloud Computing Standards Roadmap" identifies the existing landscape of security, portability, and interoperability standards, models, studies, and use cases relevant to cloud computing.
Special Publication (SP) 500-292: NIST Cloud Computing Reference Architecture, Recommendations of the National Institute of Standards and Technology
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Technology
- Sub-Information: Architecture
"National Institute of Standards and Technology - Special Publication (NIST-SP) 500-292: NIST Cloud Computing Reference Architecture" presents the NIST Cloud Computing Reference Architecture (RA) and Taxonomy (Tax) that will accurately communicate the components and offerings of cloud computing.
Special Publication (SP) 500-307: Cloud Computing Service Metrics Description
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Technology
- Sub-Information: Measurements & Testing
"National Institute of Standards and Technology - Special Publication (NIST-SP) 500-307: Cloud Computing Service Metrics Description" proposes concepts and a model to represent cloud service metrics. This model represents the information needed to understand a targeted cloud property and which constraints should be applied during measurement.
With cloud computing in the mainstream, there is a preponderance of cloud-based services in the market, and the choices for consumers increase daily. However, comparing the service offerings of different cloud service providers is not a straightforward exercise. As part of the decision-making framework for moving to the cloud, having data on measurable capabilities (for example, quality of service, availability, and reliability) gives the cloud service customer the tools and the opportunity to make informed choices and to understand the service being delivered. A metric provides knowledge about characteristics of a cloud property through both its definition (e.g. expression, unit, rules) and the values resulting from measurement of the property.
Special Publication (SP) 500-322: Evaluation of Cloud Computing Services Based on NIST SP 800-145
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Technology
- Sub-Information: Measurements & Testing
"National Institute of Standards and Technology - Special Publication (NIST-SP) 500-322: Evaluation of Cloud Computing Services Based on NIST SP 800-145" provides clarification for qualifying a given computing capability as a cloud service by determining whether it aligns with the NIST definition of cloud computing, and for categorizing a cloud service according to the most appropriate service model: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
Special Publication (SP) 800-037 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Risk Management
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-037 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy" describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to Information Systems (IS) and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.
Special Publication (SP) 800-053 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Risk Management
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-053 Rev. 5: Security and Privacy Controls for Information Systems and Organizations" provides a catalog of security and privacy controls for Information Systems (IS) and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.
Special Publication (SP) 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Cybersecurity Monitoring
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" provides guidelines to assist organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.
Special Publication (SP) 800-145: The NIST Definition of Cloud Computing
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Technology
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-145: The NIST Definition of Cloud Computing" defines cloud computing in terms of five essential characteristics (i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service), three service models (i.e., Software as a Service, Platform as a Service, Infrastructure as a Service), and four deployment models (i.e., private cloud, community cloud, public cloud, hybrid cloud).
Special Publication (SP) 800-181 Rev. 1: Workforce Framework for Cybersecurity (NICE Framework)
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Workforce
- Sub-Information: Development, Identification, Knowledge Skills and Abilities (KSAs), Management, Qualifications, Recruitment, Retention, Training
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-181 Rev. 1: Workforce Framework for Cybersecurity (NICE Framework)" describes a framework and fundamental reference for describing and sharing information about cybersecurity work. It expresses that work as Task statements and describes the Knowledge and Skill statements (together, TKS statements) that provide a foundation for learners, including students, job seekers, and employees. The use of these statements helps students to develop skills, job seekers to demonstrate competencies, and employees to accomplish tasks. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework is a reference source from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of cybersecurity education, training, and workforce development.
Special Publication (SP) 800-190: Application Container Security Guide
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Risk Management
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-190: Application Container Security Guide" provides an explanation of security concerns associated with application container technologies and makes practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers. Some aspects of containers may vary among technologies, but the recommendations in this document are intended to apply to most or all application container technologies. All forms of virtualization other than application containers, such as virtual machines, are outside the scope of this document.
Special Publication (SP) 800-204: Security Strategies for Microservices-based Application Systems
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Authentication and Authorization, Cybersecurity Monitoring, Risk Management
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-204: Security Strategies for Microservices-based Application Systems" analyzes the implementation options for core features, the configuration options for architectural frameworks, and the countermeasures for microservice-specific threats, and outlines security strategies based on that analysis.
Microservices architecture is increasingly being used to develop application systems since its smaller codebase facilitates faster code development, testing, and deployment as well as optimization of the platform based on the type of microservice, support for independent development teams, and the ability to scale each component independently. Microservices generally communicate with each other using Application Programming Interfaces (APIs), which requires several core features to support complex interactions between a substantial number of components. These core features include authentication and access management, service discovery, secure communication protocols, security monitoring, availability/resiliency improvement techniques (e.g., circuit breakers), load balancing and throttling, integrity assurance techniques during induction of new services, and handling of session persistence. Additionally, the core features could be bundled or packaged into architectural frameworks such as API gateways and service mesh.
Special Publication (SP) 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security, Technology
- Sub-Information: Architecture
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture" provides deployment guidance for proxy-based Service Mesh components that collectively form a robust security infrastructure for supporting microservices-based applications. Specifically, it describes a Service Mesh architecture, Architecture 3 (SM-AR3), in which the Service Mesh functions are implemented in proxies, with each proxy deployed in front of a microservice instance and the proxies collectively providing infrastructure services for the microservices-based application. These proxies are called "side-car proxies" and can be implemented and operated independently of the application code. Side-car proxies enable heterogeneous platforms (different languages and application development frameworks) to be controlled consistently by adopting the lowest common denominator API: the network.
Special Publication (SP) 800-207: Zero Trust Architecture
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security, Technology
- Sub-Information: Architecture, Zero Trust Architecture (ZTA)
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-207: Zero Trust Architecture" describes zero trust for enterprise security architects. It is meant to aid understanding of zero trust for civilian unclassified systems and provide a road map to migrate and deploy zero trust security concepts to an enterprise environment. Agency cybersecurity managers, network administrators, and managers may also gain insight into zero trust and Zero Trust Architecture (ZTA) from this document. It is not intended to be a single deployment plan for ZTA as an enterprise will have unique business use cases and data assets that require safeguards. Starting with a solid understanding of the organization’s business and data will result in a strong approach to zero trust.
Special Publication (SP) 800-209: Security Guidelines for Storage Infrastructure
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Final
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Assessment & Analysis (A&A), Authentication and Authorization, Encryption, Identity Access Management (IAM), Incident Recovery, Incident Response, Information Protection Processes and Procedures, Risk Management
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-209: Security Guidelines for Storage Infrastructure" provides a comprehensive set of security recommendations for the current landscape of the storage infrastructure. The security focus areas span those that are common to the entire IT infrastructure, such as physical security, authentication and authorization, change management, configuration control, incident response, and recovery. Within these areas, security controls that are specific to storage technologies, such as network-attached storage (NAS) and storage area networks (SAN), are also covered. In addition, security recommendations specific to storage technologies are provided for the following areas of operation in the storage infrastructure: data protection, isolation, restoration assurance, and encryption.
Special Publication (SP) 800-210: General Access Control Guidance for Cloud Systems
- Authorship: National Institute of Standards and Technology (NIST)
- Publication Date:
- Status: Active
- Resource Type: Standards
- Sub-Resource Type: Government
- Information: Security
- Sub-Information: Authentication and Authorization, Identity Access Management (IAM)
"National Institute of Standards and Technology - Special Publication (NIST-SP) 800-210: General Access Control Guidance for Cloud Systems" presents cloud access control characteristics and a set of general access control guidance for the cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Different service delivery models require managing different types of access on the offered service components. The service models can be considered hierarchical, so the access control guidance for functional components in a lower-level service model is also applicable to the same functional components in a higher-level service model. In general, access control guidance for IaaS is also applicable to PaaS and SaaS, and access control guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to the access control requirements for its service.