​NIST Special Publication 800-53 Revision 5 Security and Privacy Controls For Information Systems and Organizations, establishes controls for systems and organizations. The controls can be implemented within any organization or system that processes, stores, or transmits information. The use of these controls is mandatory for federal information systems in accordance with Office of Management and Budget (OMB) Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act11 [FISMA], which requires the implementation of minimum controls to protect federal information and information systems.

NIST Special Publication 800-171 Revision 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with recommended security requirements for protecting the confidentiality of CUI: (1) when the CUI is resident in a non federal system and organization; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.

To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. With its streamlined requirements, CMMC 2.0:  (a). Simplifies compliance by allowing self-assessment for some requirements. (b). Applies priorities for protecting DoD information. (c). Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.

The NIST  Cybersecurity Framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk.

The NIST Cybersecurity Supply Chain Risk Management (C-SCRM) program helps organizations to manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional. The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the supply chain, which may result in risks to the end user. Managing cybersecurity risks in supply chains requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services.