866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

An Overview of NIST Special Publications 800-34, 800-61, 800-63, and 800-218 Blog Feature
Todd Connor

By: Todd Connor

Print/Save as PDF

An Overview of NIST Special Publications 800-34, 800-61, 800-63, and 800-218

Federal Assessments | NIST

Known more commonly as NIST, the National Institute of Standards and Technology provides cybersecurity frameworks that not only are integral for many government and Department of Defense contracts but are also widely accepted as a solid launch point for most organizations’ cybersecurity efforts.

Schellman has been operating in the federal compliance space for years as an accredited FedRAMP 3PAO, and now as a CMMC C3PAO. Over that time, we’ve helped many of our clients decipher the many NIST frameworks as they determined the right direction for them and their environment.

Now, we want to provide similar insight to you—in this article, we’ll leverage our experience and provide an overview of four commonly referenced NIST Special Publications:

  • SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
  • SP 800-61 Rev. 2 Computer Security Incident Handling
  • SP 800-63-3 Digital Identity Guidelines
  • SP 800-218 Secure Software Development Framework

We already explained some of the other, particularly popular NIST Special Publications in NIST 800-37, NIST 800-53, and NIST 800-171. Read on to glean even more clarity regarding some others.

What is NIST SP 800-34 Rev. 1?

What Does It Address? Contingency Planning Guide for Federal Information Systems

Working to identify and mitigate threats, vulnerabilities, and risks to your systems is important, and a big part of those efforts must be building a resilient infrastructure that helps alleviate the impact of any process failures.

That’s where NIST SP 800-34 comes in with its guidelines for such contingency planning, which is defined as preparing plans that document interim measures to recover information system services after a disruption. At a base level, it recommends establishing measures for:

  • The relocation of information systems or operations to an alternate site;
  • Recovery of information system functions using alternate equipment; or
  • The performance of information system functions using manual methods.

NIST SP 800-34 also provides a seven-step process for the development of a viable Information System Contingency Plan (ISCP):

  1. Develop the contingency planning policy statement which formally establishes the organizational authority and guidance necessary to enforce an effective contingency plan.
  2. Conduct the business impact analysis (BIA) to help identify and prioritize information systems and components critical to supporting your mission and business processes.
  3. Identify preventive controls including defining measures that may be taken to mitigate system disruptions or increase system availability.
  4. Create contingency strategies so that systems and processes may be recovered quickly and effectively following a disruption.
  5. Develop an information system contingency plan that contains procedures for restoring a damaged system or circumventing its functional processes.
  6. Ensure plan testing, training, and exercises that both validate your personnel’s preparation for plan activation and identify gaps that may have gone unnoticed.
  7. Continue plan maintenance to accommodate changes to systems and organizational structures to ensure your contingency plans don’t become stale and ineffective over time. 

For organizations interested in bolstering their contingency planning, NIST SP 800-34 also provides details regarding:

  • How ISCPs relate to the NIST Risk Management Framework (RMF), as well as various other security and emergency management-related plans
  • Approaches to incorporating relevant FIPS 199 impact levels and related NIST SP 800-53 contingency planning controls (e.g., CP-2, CP-3, CP-4)
  • Fundamental planning elements for the development of an effective plan, including business impact analysis, alternate site selection, and recovery strategies
  • Distinctions between an ISCP and other related plans for cyber incident response, disaster recovery, business continuity, critical infrastructure protection, occupant emergency, and crisis communication, as well as thoughts on how to coordinate these different plans
  • Contingency plan teams and the roles and responsibilities commonly assigned to personnel during plan activation
  • Activities necessary to document the contingency strategy and develop the ISCP
  • Approaches for maintaining, testing, training, and exercising the contingency plan
  • Contingency planning concerns specific to the three common platform types (client/server, telecommunications, and mainframe systems) to help in the identification, selection, and implementation of the appropriate technical contingency measures for those systems 

What is NIST SP 800-61 Rev. 2?

What Does It Address? Computer Security Incident Handling

Given that cyber incidents can cause significant disruptions in your ability to conduct business and may result in lost income, increased costs, and a blemished reputation, computer security incident response is an extremely important component of your technology strategies.

Its principles are so important that federal agencies and service providers typically are contractually required to adhere to the models described in NIST SP 800-61. With its guidelines and templates, it’s intended to help assure effective incident response for any organization—a complex undertaking that requires substantial planning and resources.

Using NIST SP 800-61, you can establish important foundational elements of an incident response plan within your organization, including:

Incident Response Policy and Plan

These authoritative documents set the tone for your organization, provide a basis for enforcement, and are essential for attesting to incident response capabilities.

Procedures For Performing Incident Handling And Reporting

Cyber incidents may source from different places, including infected external or removable media, network brute force attacks, attacks executed from a website or web-based application, infected email messages or attachments, improper usage by an authorized user, and loss or theft of equipment.

Each of these potential sources as well as any others that you may be subject to should be addressed in documented procedures.

Guidelines For Communicating With Outside Parties Regarding Incidents

When handling an incident, you’ll need to communicate with outside parties, such as other incident response teams, law enforcement, the media, vendors, and partner organizations.

NIST SP 800-61 can help you establish a plan in place so that only appropriate information is shared with the right parties and your interests and relationships are not compromised.

Team Structure

Incident response teams may be centrally organized, distributed, or coordinated across several disparate teams within your organization.

Incident Response Coordination

For success, you must establish relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department, Information Technology, Operations, HR, Media Relations, etc.) and external (e.g., law enforcement agencies, vendors, or partners).

Staffing And Training The Incident Response Team

Depending on your unique incident response needs, these teams may consist of combinations of internal staff, outsourced personnel, or specific services that may be sourced from specialized service organizations.

Other Services/Roles for Incident Response Team

In addition to incident response, you may also want that team to provide other, complementary services such as intrusion detection, education, awareness, advisory management, and post-incident analysis and follow-up.

 

What is NIST SP 800-63-3?

What Does It Address? Digital Identity Guidelines

“Digital identity is considered to be the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known.”

The inherent difficulty of proving one’s identity - particularly over the internet, creates a dearth of opportunities for an impersonator to assume someone’s identity and take advantage of their victims’ resources and trust.

To help secure individual identities, NIST 800-63-3 publication provides an overview of general identity frameworks, using authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels from both a normative and informative perspective.

Moreover, appendant publications 800-63A, B & C are presented alongside SP 800-63-3 which contain further considerations for the following related topics:

  • Enrollment and Identity Proofing: Or, how applicants may prove their identities and become enrolled as valid subscribers within an identity system.
    • Introduces and defines Identity Assurance Levels IAL1, IAL2, and IAL3.
  • Lifecycle Management of Authenticators: Applicable to services where return visits are appropriate, as the guidance helps to establish an assurance that the subscriber accessing the service today is the same as that accessed the service previously.
    • Introduces and defines Authenticator Assurance Levels AAL1, AAL2, and AAL3.
  • Authenticator Federation and Assertions: Covers the conveyance of the results of authentication processes to an agency application, including recommendations for techniques to enhance authentication privacy as well as methods for strong multi-factor authentication.
    • Introduces and defines Federal Assurance Levels FAL1, FAL2, and FAL3.

Each of the publications is extremely detailed and defines required standards and well as recommendations for consideration. The Identity, Authentication, and Federal Assurance Levels (IAL, AAL, and FAL) are leveraged for minimum standards by the FedRAMP program.

 

What is NIST SP 800-218?

What Does It Address? Secure Software Development Framework

Maintaining a mature Software Development Life Cycle (SDLC) within a Secure Software Development Framework (SSDF) is critical for avoiding coding flaws, inappropriate security configuration settings, incorrect trust assumptions, and outdated risk analysis.

NIST SP 800-218 identifies acceptable practices in this area but, like the other publications we’ve highlighted, is not prescriptive in how they should be implemented.

The recommended practices are suitable for organizations of any size, may be integrated into any software development workflows and SDLCs, and can help organizations create bridges from classic workflows towards modern software development models (e.g., Agile or DevOps).

The recommended practices are organized into four groups:

NIST SP 800-218 Recommended Practice Groups

1. Prepare the Organization (PO):

Ensure that your people, processes, and technology are suitably prepared to perform secure software development at the organizational level.

2. Protect the Software (PS):

Protect all components of software from tampering and unauthorized access.

3. Produce Well-Secured Software (PW):

Produce well-secured software with minimal security vulnerabilities in software releases.

4. Respond to Vulnerabilities (RV):

Identify residual vulnerabilities in software releases and respond appropriately to both address them and prevent similar ones from occurring in the future.

 Within each of these groups, NIST SP 800-218 provides explanations and recommendations on how the practice should be structured, as well as examples of how they may be implemented.

Next Steps for Your Cybersecurity and Compliance

In general, NIST provides a wealth of information directed at establishing, enriching, and maintaining secure and sustainable computing environments, including the four publications overviewed here. Though these resources are a requirement for those organizations who engage (or wish to engage) in federal and DoD contracts, they’re available to anyone interested in achieving the same level of capabilities demanded of those working in the Defense Industrial Base.

A catalog of the Special Publications highlighted in this paper, as well as the larger library of all NIST’s computer and information security publications, can be found here.

And if you’re interested in learning more about specific federal compliance initiatives, check out our other content that breaks down your options, including a couple of the more popular programs:

About Todd Connor

Todd Connor is a Senior Associate with Schellman based in Jacksonville, FL. Prior to joining Schellman in 2022, Todd worked as a technology manager for a maritime shipping company responsible for architecting and developing their NIST / CMMC compliance program. Todd has over twenty years of information technology leadership experience across various industries including transportation & logistics, pharmacy benefits management, retail pharmacy and big-box retail, during which time, he has been responsible for responding to NIST 800-171, HIPAA, PCI, ISO and Sarbanes Oxley audits. Todd is now focused primarily on Schellman’s FedRAMP practice, specializing in CMMC compliance for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.