If you’re reading this, there’s a chance you’ve already heard of NIST 800. As a set of guidelines that’s been established by the National Institute of Standards and Technology, NIST 800 outlines the best practices for identifying and responding to cyberattacks. It also outlines the way your organization can prevent them.

Although NIST 800’s guidelines are a must for businesses seeking out government contracts, they can prove useful to any organization. When it comes to cybersecurity, you have a lot of options. The ways you can protect your servers, emails, and mobile devices are seemingly endless. You may hear of one organization finding success with a particular method and assume that it’s right for you. But, why would you take chances when you could follow the carefully-researched recommendations outlined by NIST 800?

If NIST 800 is something you’ve yet to seriously consider, it’s worth learning more about how it should influence your cybersecurity framework.

Introducing NIST 800 and its functions

The NIST 800 framework focuses on five key areas. Each one should form a part of your cybersecurity policy.


Before you begin protecting yourself against cybersecurity risks, you need to identify what they are. For example, most businesses are at risk of a ransomware attack. These attacks account for 15% of cyberattacks in the United States. However, your organization may also face risks that are unique to its industry. For example, if you work in medicine, you’re at risk of losing sensitive patient information. 


The detect element involves introducing ways of detecting potential threats and vulnerabilities. For example, you could use continuous monitoring to look for real-time threats. You could also add vulnerability assessments to look for flaws in your system.


Once you know what risks your business faces, you need to protect it against them. This could include measures such as access control, firewalls, antimalware software, and more. You may also want to consider employee education. Around 95% of cybersecurity breaches involve human error. As such, employee education should become a big part of your framework.


Even with the best cybersecurity frameworks available, events will happen. Because of this, you need to know how you’ll respond to various events. The NIST 800 framework recommends creating response strategies for the different risks you face. If you do have to launch a response, assess how it went and identify whether you can do better next time. Having such analytics will make your cybersecurity framework stronger.


Recovery follows your response. Your response will outline how you respond to an event, whereas recovery identifies how you will build your business back up. For example, laptops and PCs have a failure rate of 0.5% to 3%. Not only do you need to know how you’ll respond to such a failure, you need to know how you’ll carry on once it happens. This may involve looking at a number of contingency plans.

Cybersecurity essentials that help you remain NIST compliant

Certain cybersecurity essentials will help you remain NIST compliant. Even if you’re not using the NIST 800 framework to secure a contract, embracing these essentials will go a long way in strengthening your own policies.

Software updates

Did you know that 80% of organizations that experienced a data breach could have prevented it by updating their software? Software updates don’t just exist to make everything run a little smoother. When software developers release new programs, they do so in the knowledge that some vulnerabilities won’t become obvious until later. When those vulnerabilities do become obvious, they release updates that are essential for patching over them.

By failing to update your software, you’re giving cybercriminals an in. They know which types of software require updates, as that information is very public and available to them. If they find that you’re using an older version of your software, they’ll use it as a way to breach your barriers. 

Antivirus and antimalware programs

It should go without saying that antivirus and antimalware programs are essential. However, they’re still worth mentioning, as you need to go beyond the absolute basics. 

There are lots of antivirus programs out there to choose from, but not all antivirus programs are made equal. NIST 800 outlines some of the minimum standards you should aim for. As the framework is necessary for securing defense contracts, it’s safe to assume that their minimum standards are quite high.

Around 350,000 types of malware are identified every day. That means your defenses against it need to be top-notch. With that statistic in mind, it’s no wonder NIST 800 doesn’t leave anything to chance on the malware front. By using it as inspiration for your own defenses, you could significantly reduce the likelihood of an attack affecting you.

Access control policies

Access control policies identify who can have access to various types of information. They also identify how you can access that information. 

When it comes to who can access different types of information, you should only grant access on a need to know basis. If it isn’t necessary for someone to access data for the purpose of their job, they shouldn’t access it at all. Should someone with access move into a different role, you should always review their access to see whether it’s still necessary. Finally, you also need to discuss how you will revoke someone’s access once they’ve left your organization.

As for how you and your employees can access different types of information, pay particularly close attention to mobile devices. Around 87% of businesses depend on Bring Your Own Device (BYOD) policies. If yours is one of them, make sure it’s safe to access various types of data using each device and outline how your employees can do so.

Informative sources

NIST 800 recommends creating manuals and guidelines for your employees. In doing so, you empower them to take responsibility for themselves when it comes to cybersecurity. When they become more responsible, your employees could become one of your biggest assets.

If you think back to the previous statistics about human error’s involvement in cybersecurity events, empowering your employees is incredibly important. Although providing them with manuals won’t prevent all human-error-related events, it does give them a point of reference. In moments of confusion, having a manual to turn to could stop employees from guessing their way through processes, which in turn could prevent mistakes.


NIST 800 also recommends creating a profile for your organization. That profile will outline its unique requirements in terms of cybersecurity. It will also identify the resources available to tackle such risks and their order of priority.

Your profile is designed to identify the biggest risks at your organization and how you’ll tackle them. It stops you from tackling risks blindly, which is important as some require more attention than others. Always remember that your profile can change over time. Factors that could influence it include the new technologies you adopt and how you change your business practices.

Whether NIST 800 is necessary for your cybersecurity strategy or not, you can use it to influence your framework. The level of detail it goes into is designed to protect government-level contracts. Your clients and customers will likely appreciate the same degree of attention to detail, and you could prevent a significant cybersecurity breach.