NIST security compliance involves adhering to a set of NIST standards developed by the Computer Security Division of the National Institute of Standards and Technology (NIST). The Federal Information Processing Standards (FIPS) publication series is the official set of published documents related to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. These standards are sometimes the golden rules companies must follow and comply with if they want to attract new contracts or retain existing ones, particularly with certain government entities. Below you will find the majority of the areas required for NIST security compliance.
Applicability – The scope of the information security policies as they pertain to the NIST security compliance requirements as well as their applicability must be well defined.
Identification & Authentication – The Personal Identity Verification (PIV) process must include a standard process for issuing and assigning IDs to all users for identification purposes. Users must be forced by the system to change their initially assigned passwords, and to change them periodically thereafter, to ensure the uniqueness and confidentiality of passwords. Password configuration must ensure a) strength, by requiring combinations of alphabetic, numeric, special, lower-case and upper-case characters, and b) privacy, by masking passwords on entry.
Authorization & Monitoring – User access to all systems must be authorized and monitored for proper segregation of duties and minimum access ensuring integrity and confidentiality of data.
Enterprise Telecommunication – Network system security must be maintained through monitoring and protection with firewalls, anti-virus, anti-malware and anti-spyware software, a formal patch management process, server configuration management, Intrusion Prevention Systems (IPS) and periodic penetration tests.
Remote Access – Access to company information systems from outside the company must be secured and authorized.
Removable Storage Devices & Media Protection – The use of USB and other storage devices must be secured through hardware or software controls.
Email Communications – Emails containing confidential information must be encrypted in accordance with acceptable encryption mechanisms.
Laptops and other Portable Devices – NIST standards require that mobile devices such as laptops be encrypted.
Phone Security – The company voice system must be configured to force employees to use a unique password for accessing voicemail.
Wireless Network – Wireless communication must be protected through encryption and through securing the wireless access points. The standard identification and authentication mechanisms must also apply to wireless networks and communications.
Change Management – According to the NIST 800 series, program and infrastructure change management procedures must be documented to ensure changes are approved, tested, reviewed and implemented in accordance with the change plan and with segregated responsibilities.
Awareness & Training – Companies must provide initial and periodic information protection awareness and training to all workers regarding company policies and best practices.
Audit, Accountability, Certification & Security Assessments – In addition to internal audits, independent audits of general computer controls, including information security controls relevant to company services and products, may be required under certain contracts.
Configuration Management – Formal configuration policies and procedures must exist for servers, laptops, wireless networks, VPN, the email system, information security systems, and network devices.
Contingency Planning (Availability) – A formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) must be documented and tested.
Incident Response – An incident response plan must be documented to respond to and resolve information security incidents.
Maintenance – System security vulnerability assessments must be performed on a continuous basis to detect new threats and control gaps. The information security program, policies and procedures must be reviewed and updated periodically. Information protection needs related to training and tools must also be assessed on a periodic basis.
Physical, Personnel & Environmental Protection – NIST security compliance requires that facility access be authorized and monitored. Visitor access must be documented and monitored at all times.
Environmental and personnel protection controls must be in place and include fire detectors, fire extinguishers, water and gas leak detectors, as well as well-documented personnel evacuation plans in case of major incidents.