
What Is NIST Anyway

By Karen Campbell posted 05-05-2016 12:44


With heightened focus on information security, there is growing interest among law firms in adopting security standards to help protect their information assets. Many firms have voluntarily opted to align their information security programs with, or certify them against, ISO 27001. Driven by client demand, many firms are also exploring the integration of the security and privacy controls defined in NIST 800-53, Revision 4 (April 2013).

NIST 800-53, Revision 4 is a special publication that provides guidelines for selecting and specifying security controls for organizations and information systems that support executive agencies of the Federal government. The publication is authored by the National Institute of Standards and Technology (NIST). It defines a conceptual framework for information security risk management, the selection of baseline security controls, and the tailoring of those controls. Although not written specifically for law firms, the standard can inform how to structure an information security program.

Much like the risk framework provided by ISO 27001, the Risk Management framework of NIST serves to protect the Confidentiality, Integrity, and Availability (CIA) of information assets. Risk management and treatment concepts (risk reduction, retention, transfer, and avoidance) are used to facilitate risk-based decision-making regarding the applicability of security controls and enhancement of controls in the security control baselines.

The NIST Risk Management Framework follows:

1) Categorization of information systems

Rate the potential impact (low, moderate, high) of a loss of confidentiality, integrity, or availability for each information system. The highest rating across the three objectives (the "high-water mark") determines which baseline of controls (low, moderate, or high) applies to that system.


Security Categories – based on potential impact (summarized from FIPS 199, Table 1, which NIST 800-53 uses for security categorization)

Security Objective | Low | Moderate | High
Confidentiality | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect
Integrity | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect
Availability | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect

2) Selection of security controls

Appendix D (Security Control Baselines) lists approximately 263 baseline controls grouped into 18 control "families". The low, moderate, and high baselines are cumulative: each higher baseline includes the controls of the one below it and adds more.

3) Tailoring security controls

Tailoring is part of the organization's risk management process: framing, assessing, responding to, and monitoring information security risk. The tailoring process is designed to achieve cost-effective, risk-based security that supports organizational mission/business needs. Appendix F (Security Control Catalog: Security Controls, Enhancements, and Supplemental Guidance) details an estimated 1,491 controls and control enhancements, from which an organization supplements or strengthens its selected baseline controls according to the tailoring activities listed below. Clause 2 of NIST 800-53, Revision 4 defines tailoring as:

 “process to modify appropriately and align the controls more closely with the specific conditions within the organization (i.e. conditions related to organizational missions/business functions, information systems, or environments of operation). The tailoring process includes:

  • Identifying and designating common controls in initial security control baselines;

  • Applying scoping considerations to the remaining baseline security controls;

  • Selecting compensating security controls, if needed;

  • Assigning specific values to organization-defined security control parameters via explicit assignment and selection statements;

  • Supplementing baselines with additional security controls and control enhancements, if needed; and

  • Providing additional specification information for control implementation, if needed.” 3


The publication suggests that approval by senior management (e.g. the risk executive [function], chief information officers, senior information security officers, information system owners, etc.) should be required prior to implementing the tailored set of security controls.

Effective deployment of the NIST 800-53 framework depends on careful security categorization at the outset of the implementation. Appropriate selection and adequate tailoring of specific controls to the organization's operating environment depend critically on the baseline established during security categorization: an under-categorized system inherits too few controls, and an over-categorized one consumes resources on safeguards the risk does not justify.

As noted in the tailoring process of the NIST framework, security programs should be built on a risk-based approach that is cost-effective and supports the organization. The security program should balance safeguards that match the assigned security categories against a firm's available resources, including financial resources. As NIST is relatively new to law firms, not enough historical information is yet available to speak to definite costs. Costs will vary by firm! However, firms already aligned to ISO 27001 may realize some cost savings, having already developed security processes and implemented some security controls. It is important to note, however, that NIST puts forth approximately 1,491 security controls and enhancements, as compared to 114 controls in ISO 27001, so there is still a fair amount of work to do in selecting and tailoring security controls for your firm.

In summary, alignment to or certification against security frameworks is predominantly being driven by client demand. Like ISO 27001, NIST employs a risk-based approach to alignment. However, ISO 27001 (Annex A) presents 114 controls to be considered in the risk assessment process, whereas NIST presents approximately 1,491 controls and control enhancements. Unlike ISO 27001, NIST 800-53 is not a certifiable standard. ISO 27001 is an international standard; NIST 800-53 was developed by the National Institute of Standards and Technology for U.S. Federal systems. Both frameworks serve to protect the confidentiality, integrity, and availability of information services.

Please read the blog post on ISO answering similar questions about the certification. You can find that posting here:




3. NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013. Retrieved from


Karen Campbell, Head of IT, US, Freshfields Bruckhaus Deringer

Michael Johnson, Security GRC2