National Institute of Standards and Technology (NIST)
Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS
CMS Slack Channel- #security_community
What is NIST?
NIST is the National Institute of Standards and Technology within the U.S. Department of Commerce. It is a non-regulatory agency of the United States government tasked with promoting innovation, security, and industrial competitiveness. Security, privacy, and compliance guidance from NIST is provided to both federal agencies and private industry through various policies and frameworks.
NIST frameworks
Frameworks from NIST help federal agencies implement consistent strategies for cybersecurity and risk management. The following frameworks are foundational to the security and privacy policies and requirements used at CMS.
Risk Management Framework (RMF)
The Risk Management Framework (RMF) from NIST provides a structured yet flexible process for managing risk throughout a system’s life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.
Learn more about the RMF and how it is implemented at CMS.
The RMF lays the foundation for the federal government’s movement away from static, compliance-focused activities and toward a more dynamic approach to risk management. At CMS and many federal agencies, the goal is to effectively manage security risks to information systems in diverse environments of complex cyber threats, evolving system vulnerabilities, and rapidly changing missions.
The RMF supports this goal by helping organizations to:
- Build information security capabilities into federal systems by applying security controls at the operational, technical, and management levels
- Use enhanced monitoring processes to maintain continuous awareness of the security state of information systems
- Provide essential information to senior leaders so they can make informed decisions about mitigating or accepting risk related to information systems in their organizations
Cybersecurity Framework (CSF)
One of the most notable NIST guidelines is the NIST Cybersecurity Framework (CSF). It delivers fundamental protocols for organizations to ensure their systems, applications, and networks remain secure through systematic practices that support proactive risk management. Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies.
The NIST CSF is considered the gold standard for building cybersecurity programs. It covers 23 categories and 108 security controls, organizing cybersecurity capabilities into 5 core functions (listed below). These functions are woven throughout cybersecurity practices and policies at CMS.
Identify: Assess and uncover cybersecurity risks to systems, assets, data, and capabilities. This includes categories such as asset management, business environment, risk assessment, and supply chain risk management.
Protect: Develop and implement safeguards and controls to ensure delivery of critical infrastructure services. This includes categories such as identity management, authentication and access control, and data security.
Detect: Develop activities and controls to monitor and detect cybersecurity events. This includes categories such as anomalies and events, security continuous monitoring, and detection processes.
Respond: Develop techniques to control and mitigate cybersecurity incidents. This includes response planning, communications, analysis, mitigation, and improvements.
Recover: Develop and implement processes to restore capabilities. This includes response planning, improvements, and communications.
NIST publications
NIST Special Publications in the 800 series (NIST SP 800) represent the best security practices currently available, and are utilized throughout the federal government. The NIST SP 800 serve as the foundation for CMS security policies and procedures – however, it’s important to know that CMS has tailored NIST guidance for application within the agency. While NIST can always be used as a source of general guidance and best practices, you should always reference CMS-specific guidance for the authorization and compliance of CMS systems.
Two of the NIST SP 800 that are most commonly used by cybersecurity professionals at CMS are:
- NIST SP 800-53: Recommended Security Controls for Federal Information Systems
- NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
These contain detailed explanations of information security controls and the test cases used to assess them – and they form the basis for the CMS Acceptable Risk Safeguards (ARS).
Additionally, the recent federal mandates for Zero Trust Architecture have prompted NIST to release a publication about it: NIST SP 800-35: Implementing a Zero Trust Architecture.
The whole series of NIST Special Publications (800 and beyond) are available at https://csrc.nist.gov/publications/sp.
Related documents and resources
Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training
Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate
A structured yet flexible process for managing risk throughout a system’s lifecycle, used by CMS in accordance with the RMF from NIST