Are You Using NIST 800 for Corporate IT Security?

The US Department of Defense (DoD) data and cyber security standards have been dropped, and DoD security standards now all reference the NIST 800 security framework.

Whether this article serves as a refresher or as new information, we’d like to provide a quick overview of the NIST 800 Series, with a specific focus on NIST 800-88.

What is the NIST 800 Series?

The National Institute of Standards and Technology (NIST), part of the Department of Commerce, created the NIST 800 Series, a set of publications describing federal government computer security policies, procedures, and guidelines. These documents, developed through extensive research, are intended to give businesses, educational institutions, and government agencies best practices for workable and cost-effective procedures that proactively optimize the security of IT systems and networks.

How is the NIST 800 Series utilized?

The NIST 800 Series is used by CISOs and security experts as a governance and security framework. Its publications cover two primary areas: 1) NIST-recommended procedures for assessing and documenting threats and vulnerabilities within IT systems and networks, and 2) ways to implement security measures that minimize the risk of adverse events. These documents serve as useful guidelines for the development and enforcement of security rules. Risk management is an integral part of using the NIST 800 framework to build your corporate security rules and procedures.

Vendor-neutral IT security certification programs from organizations such as the Information Systems Audit and Control Association (ISACA) are based on NIST 800. These programs certify that an individual has demonstrated knowledge and competence; they do not certify a company or its actual processes.

Note that there is no “certification” of a vendor or process. NIST 800 is a reference, and your policy can require that your internal processes and vendors meet those standards.

What is NIST 800-88?

NIST 800-88 is the publication within the NIST 800 Series that deals with data destruction, or what the document calls media sanitization. More specifically, it provides the guidelines Lifespan follows in all hard drive wiping operations. The process described in this publication covers not only the destruction of data at the logical storage location of a file, but the entire media that contains it. The goal of the overwriting process described in NIST 800-88 is to replace sensitive data with nonsensitive random data.
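To make the distinction between the logical file location and the entire media concrete, here is an added example (our own illustration, not code from NIST 800-88 or from Lifespan's wiping tools). It builds a constructed in-memory "media image" in which a sensitive record exists both at its file's logical extent and as an orphaned older copy in unallocated space, then compares overwriting just the file extent with overwriting the whole media, and finishes with the read-back verification step that sanitization procedures call for. All names, sizes and the marker string are assumptions made for the demo.

```python
import secrets

# Constructed demo values: a small block device image and a fake marker record.
BLOCK = 512                       # assumed sector size
MEDIA_SIZE = 8 * BLOCK            # 4 KiB "media"
SENSITIVE = b"ACCOUNT-4111-1111-1111-1111"   # constructed marker, not real data


def build_media():
    """Return (media, file_extent) with the marker stored twice:
    once at the file's logical extent (block 2) and once as a stale copy
    left behind in unallocated space (block 6), as a deleted prior version
    or a moved file would leave it."""
    media = bytearray(MEDIA_SIZE)
    file_extent = (2 * BLOCK, 2 * BLOCK + len(SENSITIVE))
    media[file_extent[0]:file_extent[1]] = SENSITIVE
    media[6 * BLOCK:6 * BLOCK + len(SENSITIVE)] = SENSITIVE
    return media, file_extent


def overwrite_file_extent(media, extent):
    """'Delete' a file by overwriting only its logical location with random data."""
    start, end = extent
    media[start:end] = secrets.token_bytes(end - start)


def overwrite_whole_media(media):
    """Overwrite every addressable byte of the media with random data,
    which is the level NIST 800-88 sanitization operates at."""
    media[:] = secrets.token_bytes(len(media))


def verify_sanitized(media, marker):
    """Read-back verification: the marker must not be recoverable anywhere."""
    return media.find(marker) == -1


def demo():
    """Return (marker gone after file-only overwrite, marker gone after whole-media overwrite)."""
    media, extent = build_media()
    overwrite_file_extent(media, extent)
    after_file_only = verify_sanitized(media, SENSITIVE)   # False: stale copy survives
    overwrite_whole_media(media)
    after_whole_media = verify_sanitized(media, SENSITIVE)  # True
    return after_file_only, after_whole_media


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The file-only overwrite reports the marker as still present because the copy in unallocated space was never touched; only the whole-media overwrite passes verification. On real hardware there is a further caveat the in-memory model cannot show: addresses the host cannot reach (remapped sectors on magnetic drives, over-provisioned and wear-levelled areas on flash) are not covered by host-side overwriting, which is why NIST 800-88 distinguishes Clear, Purge and Destroy and points to the drive's built-in sanitize commands for flash media.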

As an IT manager, you need to know what the current standards and best practices are, and you need to ensure that you and your vendors follow them.

Learn more about the DoD and NIST standards in our technical brief.

Or contact us today to learn more about how we can help your business protect its assets.
