This section collects key NIST publications, resources related to control systems, and tools that can be used in the Test and Development and Production Environments for Continuous Monitoring and Auditing.

Product | Date Posted

NIST SP 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework 2017

The NICE Framework, NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. The NICE Framework establishes a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors.

The Executive Order (EO) on America’s Cybersecurity Workforce encourages widespread adoption of the NICE Framework, and highlights its voluntary integration into existing education, training, and workforce development efforts undertaken by State, territorial, local, tribal, academic, non‑profit, and private-sector entities. The EO also directs that the NICE Framework be used as a reference for related federal government efforts, including as a basis for developing skill requirements for the federal cybersecurity rotational assignment program and the federal cybersecurity competition proposed by the Executive Order.

July 2019

NIST SP 800-171B 2019 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). The APT is extremely dangerous to the national and economic security interests of the United States since we are totally dependent on computing systems of all types—including traditional Information Technology (IT) systems, Operational Technology (OT) systems, Internet of Things (IoT) systems, and Industrial IoT (IIoT) systems. The recent and rapid convergence of these types of systems has brought forth a new class of systems known as cyber-physical systems, many of which are in the critical infrastructure sectors, including the energy, transportation, defense, manufacturing, and information and communications sectors.
The enhanced security requirements provide the foundation for a new multidimensional, defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration resistant architecture; (2) damage limiting operations; and (3) designing for cyber resiliency and survivability. This strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within a defender’s system. When this situation occurs, organizations must have access to additional safeguards and countermeasures to confuse, deceive, mislead, and impede the adversary—that is, taking away the adversary’s tactical advantage and protecting and preserving the organization’s critical programs and high value assets.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

July 2019

NISTIR 7628 Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security

The Guidelines document describes an approach for assessing cyber security issues and selecting and modifying cyber security requirements to address these issues. While integrating information technologies is essential to building the Smart Grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities. Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the Smart Grid.

June 2010

NIST SP 1800-7 Situational Awareness For Electric Utilities

To improve the security of information and operational technology, including industrial control systems, energy companies need mechanisms to capture, transmit, analyze and store real-time or near-real-time data from these networks and systems. With such mechanisms in place, energy providers can more readily detect and remediate anomalous conditions, investigate the chain of events that led to the anomalies, and share findings with other energy companies. Obtaining real-time and near-real-time data from networks also has the benefit of helping to demonstrate compliance with information security standards.

June 2017

NIST SP 1108 NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0

The expedited development of an interoperability framework and a roadmap for underpinning standards, such as those outlined in this document, is a fundamental aspect of the overall transformation to a Smart Grid infrastructure. Although electric utilities are ultimately responsible for the safe and reliable operation of the grid, many other participants will be involved in the evolution of the existing electric power infrastructure. Technical contributions from numerous stakeholder communities will be required to realize an interoperable, secure Smart Grid.

June 2010

NIST SP 1108 Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0

Describes a high-level conceptual reference model for the Smart Grid, identifies 75 existing standards that are applicable (or likely to be applicable) to the ongoing development of the Smart Grid, specifies 15 high-priority gaps and harmonization issues (in addition to cyber security) for which new or revised standards and requirements are needed, documents action plans with aggressive timelines by which designated standards-setting organizations (SSOs) will address these gaps, and describes the strategy to establish requirements and standards to help ensure Smart Grid cyber security.

June 2009

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

June 2018

NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Assists organizations in the development of an ISCM strategy and the implementation of an ISCM program, which provide awareness of threats and vulnerabilities, visibility into organizational assets, and insight into the effectiveness of deployed security controls.

June 2018

NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems

Provides guidance for organizations responsible for managing and administering the security of federal systems and associated environments of operation.

June 2018

NIST SP 800-92: Guide to Computer Security Log Management

This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this publication covers several topics, including establishing log management infrastructures, and developing and performing robust log management processes throughout an organization. The publication presents log management technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or using log management technologies.

June 2006

NIST SP 800-82 R2 Guide to Industrial Control Systems Security

Establishes supplemental guidance for industrial control systems based on the NIST SP 800-53 R4 families of security controls.

May 2015

NIST SP 800-60 Vol 2 Guide for Mapping Types of Information and Information Systems to Security Categories

Assists agencies in consistently mapping security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) systems (e.g., mission critical, mission support, administrative).

June 2008

NIST SP 800-53A R4 Security and Privacy Controls for Federal Information Systems and Organizations

This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results.

May 2013

NIST SP 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations

Provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

May 2013

NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems

Provides guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs.

June 2004

NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems

A self-assessment conducted on a system (major application or general support system) or multiple self-assessments conducted for a group of interconnected systems (internal or external to the agency) is one method used to measure information technology (IT) security assurance.

June 2001

NIST SP 800-12 REV. 1 An Introduction To Information Security

This publication is a good resource for anyone seeking a better understanding of information security basics or a high-level view on the topic. The tips and techniques described in this publication may be applied to any type of information or system in any type of organization. While there may be differences in the way federal organizations, academia, and the private sector process, store, and disseminate information within their respective systems, the basic principles of information security are applicable to all.

June 2017

NIST Sample Generic Policy and High Level Procedures for Audit Trails

The XX Agency Automated Information Systems Security Program (AISSP) Handbook requires a means to reconstruct and/or review user activities related to operations, procedures, or events occurring on the FRCS Project Title. To accomplish this, a record of activity, or “audit trail,” of system and application processes and of user activity on systems and applications must be maintained. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.

June 2018

Federal Information Processing Standards Publication 200 Minimum Security Requirements for Federal Information and Information Systems

Specifies minimum security requirements for information and systems that support the executive agencies of the Federal Government as well as a risk-based process.

June 2006

Federal Information Processing Standards Publication 199 Standards for Security Categorization of Federal Information and Information Systems

This publication establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

June 2004