Quiz Entry - updated: 2026.07.14
What are the main NIST cybersecurity publications referenced as standards?
SP 800-30 (Risk Management), SP 800-53 (Security & Privacy Controls), and the NIST Cybersecurity Framework (NIST CSF) — produced by the US National Institute of Standards and Technology.
| Publication | Purpose |
|---|---|
| SP 800-30 | Risk Management Guide — how to assess and treat IT risk |
| SP 800-53 | Massive control catalogue (~1000 controls) used by US federal agencies |
| NIST CSF | The high-level framework: Identify / Protect / Detect / Respond / Recover / Govern |
| CIS Controls (related) | Pragmatic top-X control list, widely used as a 27002 alternative |
All NIST publications are free, which is why they dominate where ISO would otherwise win — NIST CSF in particular has become the de-facto framework for non-regulated US private sector and many international organisations (including being the basis for Switzerland's IKT-Minimalstandard).
Tip: When a US auditor says "controls," they probably mean SP 800-53. When a US executive says "framework," they probably mean NIST CSF. Different abstraction levels, both NIST.
Go deeper:
NIST Cybersecurity Framework 2.0 (CSWP 29) — the primary source for the Identify/Protect/Detect/Respond/Recover/Govern functions.
NIST SP 800-53 Rev 5 — Security and Privacy Controls — the ~1000-control catalogue used by US federal agencies.
NIST SP 800-30 Rev 1 — Guide for Conducting Risk Assessments — NIST's risk-assessment methodology.