# NIST Standards

The U.S. National Institute of Standards and Technology establishes standards for a wide range of things. Some of the standards most important to network security are discussed in this section.

## **NIST SP 800-14**

Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, describes common security principles that should be addressed within security policies. The purpose of this document is to describe 8 principles and 14 practices that can be used to develop security policies. This standard is based on 8 principles, which are:

1\. Computer security supports the mission of the organisation.

2\. Computer security is an integral element of sound management.

3\. Computer security should be cost-effective.

4\. System owners have security responsibilities outside their own organisations.

5\. Computer security responsibilities and accountability should be made explicit.

6\. Computer security requires a comprehensive and integrated approach.

7\. Computer security should be periodically reassessed.

8\. Computer is security is constrained by societal factors.

## **NIST SP 800-35**

NIST SP 800-35, Guide to Information Technology Security Services, is an overview of information security. In this standard six phases of the IT security life cycle are defined:

* **Phase 1: Initiation.** At this point the organisation is looking into implementing some IT security service, device, or process.
* **Phase 2: Assessment.** This phase involves determining and describing the organisation’s current security posture. It is recommended that this phase use quantifiable metrics.
* **Phase 3: Solution.** This is where various solutions are evaluated and one or more are selected.
* **Phase 4: Implementation.** In this phase the IT security service, device, or process is implemented.
* **Phase 5: Operations.** Phase 5 is the ongoing operation and maintenance of the security service, device, or process that was implemented in phase 4.
* **Phase 6: Closeout.** At some point, whatever was implemented in phase 4 will be concluded. Often this is when a system is replaced by a newer and better system.

## **NIST SP 800-30 Rev. 1**

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, is a standard for conducting risk assessments. Risk assessments were discussed in a previous chapter. This standard provides guidance to how to conduct such an assessment. There are nine steps in the process:

**STEP 1.** System Characterization

**STEP 2.** Threat Identification

**STEP 3.** Vulnerability Identification

**STEP 4.** Control Analysis

**STEP 5.** Likelihood Determination

**STEP 6.** Impact Analysis

**STEP 7.** Risk Determination

**STEP 8.** Control Recommendations

**STEP 9.** Results documentation<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://wiki.zacheller.dev/network-security/courses/isci-cnss-course/security-standards/nist-standards.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.