
Overview


Founded in 1901 as the National Bureau of Standards (NBS) and renamed by the Omnibus Trade and Competitiveness Act of 1988, the National Institute of Standards and Technology (NIST) is a non-regulatory, federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

The NIST is directed to offer support to the private sector for the development of precompetitive generic technologies and the diffusion of government-developed innovation to users in all segments of the American economy. Laboratory research is to provide measurement, calibration, and quality assurance techniques that underpin U.S. commerce, technological progress, improved product reliability, manufacturing processes, and public safety.[1]

Responsibilities

NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems.

Standards

The responsibilities of the NIST for information technology standards were refined by the National Technology Transfer and Advancement Act of 1995, which established a preference for commercially-developed standards. NIST is also responsible under E.O. 13011 for the "standards responsibilities under the Computer Security Act of 1987." NIST works with national and international standard-setting organizations and adopts voluntary standards for Government specification.

NIST is an ANSI-accredited standards development organization for the development of biometric format standards.

Schedule for compliance with NIST standards and guidelines

  • For legacy information systems, agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST.[3]
  • For information systems under development, agencies are expected to be in compliance with NIST security standards and guidelines immediately upon deployment of the system.

Programs

NIST carries out its mission in four cooperative programs:

  • the NIST Laboratories, which conduct research to advance the nation's technology infrastructure and assist U.S. industry in continually improving its products and services;
  • the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, and health care providers; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement;
  • the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and
  • the Technology Innovation Program, which provides cost-shared awards to industry, universities and consortia for research on potentially revolutionary technologies that address critical national and societal needs.
  • Between 1990 and 2007, NIST also managed the Advanced Technology Program.

Computer security

NIST became involved in computer and communications security in the late 1970s and early 1980s through what is now known as the National Computer Systems Laboratory (NCSL) (formerly the "Institute for Computer Sciences and Technology").

The NIST's involvement in computer security has most often resulted in the publication of federal standards or guidelines on topics such as password protection, audit, risk analysis, and others that are important to the use of computers but do not necessarily relate to the technical aspects of protection within computer systems. These documents, formally known as Federal Information Processing Standards (FIPS) publications, are widely used within the civilian government as the basis for computer processing and computer system procurement.

NIST has also issued other tutorial publications to raise awareness in government of issues such as computer viruses.

Cybersecurity

General

To promote cybersecurity, the NIST:

FISMA

To help implement the provisions of FISMA for non-national security systems, NIST has developed a risk management framework for agencies to follow in developing information security programs. The framework is specified in NIST Special Publication 800-37, rev. 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," which provides agencies with guidance for applying the risk management framework to federal information systems.[4]

The framework in Special Publication 800-37 consists of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. It also provides a process that integrates information security and risk management activities into the system development life cycle. Figure 1 provides an illustration of the framework and notes relevant security guidance for each part of the framework.

Figure 1: NIST Risk Management Framework

Technology transfer

NIST assists industry in developing technology to improve product quality and to facilitate rapid commercialization of products based on new scientific discoveries. Several NIST programs have been set up to spur innovation and accelerate the adoption of new ideas and technology by U.S. companies. NIST's Advanced Technology Program provides seed money to help U.S. businesses work on pre-competitive, generic technologies with high commercial potential, and NIST's research and testing facilities are made available to businesses engaged in cooperative and proprietary work.

Through its regional manufacturing technology centers (MTCs), NIST provides technical and financial support to nonprofit centers that assist small- and medium-sized companies in gaining expertise with new manufacturing technologies. Each center's approach is unique, dictated by its location and the type of manufacturing of its client base.

Publications

NIST has published a number of publications relevant to IT law and information law, including:

See also:

References

  1. The seven NIST laboratories are the Materials Measurement Laboratory, Physical Measurement Laboratory, Engineering Laboratory, Information Technology Laboratory, Communications Technology Laboratory, Center for Nanoscale Science and Technology, and Center for Neutron Research.
  2. While agencies are required to follow NIST guidance in accordance with OMB policy, there is flexibility within NIST’s guidance in how agencies apply the guidance. Unless otherwise specified by OMB, the 800-series guidance documents published by NIST generally allow agencies some latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. When assessing agency compliance with NIST guidance, auditors, evaluators, and/or assessors should consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.
  3. The one-year compliance date for revisions to NIST Special Publications applies only to the new and/or updated material in the publications resulting from the periodic revision process. Agencies are expected to be in compliance with previous versions of NIST Special Publications within one year of the publication date of the previous versions.
  4. NIST Special Publication 800-37, rev. 1, was formerly NIST, Guide for the Certification and Accreditation of Federal Information Systems, SP 800-37. The risk management framework replaces the process known as certification and accreditation described in the previous version of Special Publication 800-37.

Sources
