If you are preparing for the CISSP exam, then you have certainly encountered some of the NIST standards. They are referenced in almost all eight domains. If you are having a hard time remembering each standard reference, then don’t worry, it is completely normal. They can easily get confusing, especially with the cross-references and the overlapping scope between them.
With this article, I tried to sum up the NIST standards that should be considered in your preparation for the exam. This will give you a general overview and a high-level understanding that will help you make sense of a NIST reference whenever you encounter one.
What is NIST?
Before we start listing the standards, let’s first explain what NIST is and what exactly it does.
The National Institute of Standards and Technology (NIST) is a US federal agency of the Department of Commerce. Its main mission is to:
Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. (www.nist.gov)
Although compliance with NIST standards is not required outside US federal agencies, these standards have nevertheless become a security reference and guidance followed by many organizations in the private sector.
One last important thing before we start: even if the exam does not require you to go deep into the details of each standard, it won’t hurt to check the documents just to get an understanding of their scope and outline. In fact, one good thing about NIST is that all their standards are available on their website for free, so it would be wise to take advantage of that. This will most certainly help you in the exam, since many security concepts in the CISSP are inspired by NIST.
NIST standards in the CISSP
NIST SP 800 Series
- NIST SP 800-12: An Introduction to Information Security.
- NIST SP 800-30: Guide for Conducting Risk Assessments of Federal Information Systems and Organizations.
- NIST SP 800-34: Contingency Planning Guide for Federal Information Systems.
- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations.
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems.
- NIST SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.
- NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories.
- NIST SP 800-63-3: Digital Identity Guidelines.
- NIST SP 800-88: Guidelines for Media Sanitization.
- NIST SP 800-126: The Technical Specification for the Security Content Automation Protocol (SCAP).
- NIST SP 800-154: Guide to Data-centric System Threat Modeling.
- NIST SP 800-160: Systems Security Engineering.
FIPS
- FIPS 140-3: Security Requirements for Cryptographic Modules.
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems.
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems.
NIST publishes many standards that relate to cybersecurity. I only included here the ones that I think are the most relevant to the CISSP. However, if there are other standards that you think I should include, please let me know in the comments below.