NIST (National Institute of Standards and Technology)

NIST (National Institute of Standards and Technology) — The Government Agency Behind Half the Cybersecurity Rules You've Heard Of

It's a U.S. government agency that writes the cybersecurity playbooks half the country quietly runs on — even the businesses that have never heard of it.

Filed under the NerdSquad IT Dictionary: the series where we decode the alphabet soup of IT. Today's term is a little different — NIST isn't a technology or a tool, it's the agency that defines a huge chunk of the rules everyone else follows. If you've ever bumped into HIPAA, CMMC, PCI, SOC 2, or your cyber insurance application, you've already touched NIST.

What does NIST stand for?

National Institute of Standards and Technology. Part of the U.S. Department of Commerce, around since 1901 — originally created to standardize weights, measurements, and industrial materials. Somewhere along the way "standards" expanded to include cybersecurity, and now NIST publishes the most widely referenced security guidance in the country.

The simple way to think about it

NIST is the rulebook author for modern cybersecurity. It doesn't enforce anything — that's not its job. Regulators, contracts, and insurance carriers point at NIST documents and say "do what this says." Like a building code authority: NIST writes the code, somebody else enforces it.

The NIST documents you'll run into

A handful matter for almost every business:

  • NIST Cybersecurity Framework (CSF) — the flagship. Organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. The roadmap for "what good cybersecurity looks like."
  • NIST SP 800-171 — required for any business handling Controlled Unclassified Information (CUI) for the federal government. Feeds into CMMC for DoD contractors.
  • NIST SP 800-53 — the bigger, more detailed security controls catalog used by federal agencies and their cloud providers. FedRAMP is built on it.
  • NIST SP 800-66 — guidance for implementing the HIPAA Security Rule. Most HIPAA risk assessments quietly map to this document.
  • NIST SP 800-63 — digital identity guidelines. The reason your password policy finally stopped demanding a new password every 90 days for no good reason.

Who actually has to follow NIST?

Directly required: federal agencies and contractors, anyone handling CUI (through 800-171 and CMMC), and cloud providers serving the federal government (FedRAMP).

Indirectly pulled in through other rules:

  • Healthcare practices — HIPAA Security Rule guidance is built on NIST 800-66
  • Financial services firms — SEC, FINRA, and state regulators reference NIST
  • Most cyber insurance applications — questions come straight out of the NIST CSF
  • State data protection laws — many borrow NIST language wholesale

That second bucket is where most businesses live. You may not be required to follow NIST by name, but your auditor, insurance carrier, or largest client almost certainly expects it.

How NIST relates to other compliance frameworks

  • HIPAA — a law. NIST 800-66 is the implementation guide for HIPAA's Security Rule.
  • PCI-DSS — payment card industry standard. Separate from NIST but with significant overlap.
  • SOC 2 — AICPA auditing standard. SOC 2 audits often map back to NIST CSF.
  • CMMC — DoD certification. Built directly on NIST 800-171.
  • ISO 27001 — international standard. Different framework, similar goals, often cross-mapped to NIST.

Most of these are built on top of NIST or designed to interoperate with it.

Why it matters for your business

  • Your cyber insurance carrier reads NIST. Questions about MFA, EDR, incident response, and tested backups come from NIST CSF.
  • Your auditors and clients read NIST. Larger clients send out cybersecurity questionnaires that quietly use NIST language. Saying "we follow NIST CSF" is often the easiest way to satisfy them.
  • Your industry's rules read NIST. HIPAA, CMMC, SEC cybersecurity rules, state laws — they all borrow from NIST. Following it puts you in shape for almost any framework.

In plain English, one more time

  • NIST publishes most of the cybersecurity standards everyone else points at.
  • The Cybersecurity Framework (CSF) is the high-level "what good looks like" roadmap.
  • 800-171 is for federal contractors and CUI. 800-53 is for federal agencies. 800-66 is the HIPAA implementation guide.
  • You probably don't report to NIST — but your auditor, insurer, and biggest clients almost certainly speak its language.

Where we fit in

Most of our clients aren't federal contractors, but almost all of them are touched by NIST somewhere — through HIPAA, cyber insurance, SEC/FINRA expectations, or a big client's vendor questionnaire. We build our Managed IT and Zero Trust Cybersecurity stack against the NIST CSF as a baseline, then layer on the specific frameworks each client needs — HIPAA for medical and dental practices, SEC/FINRA for financial services firms, PCI for anyone running payments. When an auditor or insurance carrier comes asking, the answers are already documented.

Got questions?